fix: use a custom service account for Cloud Build

New projects by default do not give the default compute service account the required roles to run a cloud build. Therefore the cloud functions do not deploy. Update the TF scripts to create a build-sa service account and use that when deploying the Cloud Functions. Also update versions of Terraform modules to the latest
cloudspannerecosystem · Sep 16, 2024 · 43f8895 · 43f8895
1 parent 062992a
commit 43f8895
Show file tree

Hide file tree

Showing 19 changed files with 290 additions and 299 deletions.
diff --git a/.github/workflows/codehealth.yaml b/.github/workflows/codehealth.yaml
@@ -44,3 +44,9 @@ jobs:
 
  - name: Execute "npm run markdown-link-check"
  run: npm run markdown-link-check
+
+ - name: Use terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: terraform validate deployments
+ run: npm run terraform-validate
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -5,4 +5,6 @@ npm run eslint
 npm run markdown-link-check
 npm run mdlint
 npm run typecheck
+npm run terraform-validate
 npm test
+
diff --git a/package.json b/package.json
@@ -24,6 +24,7 @@
  "start-forwarder-function": "functions-framework --target=forwardFromHTTP",
  "start-poller-function": "functions-framework --target=checkSpannerScaleMetricsHTTP",
  "start-scaler-function": "functions-framework --target=scaleSpannerInstanceHTTP --port=8081",
+ "terraform-validate": "set -e ; package_root=\"$(pwd)\"; for x in gke/decoupled gke/unified cloud-functions/distributed/app-project cloud-functions/distributed/autoscaler-project cloud-functions/per-project ; do cd \"$package_root/terraform/$x\" ; echo \"\n\nValidating Terraform in $PWD\n\n\" ; terraform init ; terraform validate; done",
  "test": "NODE_ENV=test nyc --reporter=text mocha --recursive src --extension=.test.js",
  "test-e2e": "pushd terraform/cloud-functions/per-project/test && go test -run . -timeout 60m --tags=e2e && popd",
  "typecheck": "tsc --project jsconfig.json --maxNodeModuleJsDepth 0 --noEmit",

diff --git a/terraform/cloud-functions/distributed/app-project/.terraform.lock.hcl b/terraform/cloud-functions/distributed/app-project/.terraform.lock.hcl
diff --git a/terraform/cloud-functions/distributed/app-project/main.tf b/terraform/cloud-functions/distributed/app-project/main.tf
@@ -18,7 +18,7 @@ terraform {
  required_providers {
  google = {
  source = "hashicorp/google"
- version = "~> 5.43.0"
+ version = ">= 6.2.0"
  }
  }
 }

diff --git a/terraform/cloud-functions/distributed/autoscaler-project/.terraform.lock.hcl b/terraform/cloud-functions/distributed/autoscaler-project/.terraform.lock.hcl
diff --git a/terraform/cloud-functions/distributed/autoscaler-project/main.tf b/terraform/cloud-functions/distributed/autoscaler-project/main.tf
@@ -18,7 +18,7 @@ terraform {
  required_providers {
  google = {
  source = "hashicorp/google"
- version = "~> 5.43.0"
+ version = ">= 6.2.0"
  }
  }
 }
@@ -38,12 +38,18 @@ resource "google_service_account" "scaler_sa" {
  display_name = "Autoscaler - Scaler Function Service Account"
 }
 
+resource "google_service_account" "build_sa" {
+ account_id = "build-sa"
+ display_name = "Autoscaler - Cloud Build Builder Service Account"
+}
+
 module "autoscaler-base" {
  source = "../../../modules/autoscaler-base"
 
  project_id = var.project_id
  poller_sa_email = google_service_account.poller_sa.email
  scaler_sa_email = google_service_account.scaler_sa.email
+ build_sa_email = google_service_account.build_sa.email
 }
 
 module "autoscaler-functions" {
@@ -54,6 +60,7 @@ module "autoscaler-functions" {
  poller_sa_email = google_service_account.poller_sa.email
  scaler_sa_email = google_service_account.scaler_sa.email
  forwarder_sa_emails = var.forwarder_sa_emails
+ build_sa_id = google_service_account.build_sa.id
 }
 
 module "firestore" {