feat: per module requirements configs to cloud-storage (#410)

Co-authored-by: Zheng Qin <zhengqin@google.com>

Author: qz267

Makefile

@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.24
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -86,7 +86,7 @@ docker_generate_docs:
 	    -e ENABLE_BPMETADATA \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs

metadata.yaml

@@ -27,7 +27,7 @@ spec:
     version: 11.0.0
     actuationTool:
       flavor: Terraform
-      version: ">= 0.13"
+      version: ">= 1.3"
     description: {}
   content:
     subBlueprints:
@@ -701,18 +701,18 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/serviceusage.serviceUsageAdmin
           - roles/storage.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
     services:
-      - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
       - iam.googleapis.com
       - serviceusage.googleapis.com
-      - storage-api.googleapis.com
+      - storage.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: ">= 5.43.0, < 7"
+        version: ">= 6.9.0, < 7"
       - source: hashicorp/random
         version: ">= 2.1"

modules/simple_bucket/metadata.yaml

@@ -28,7 +28,7 @@ spec:
     version: 11.0.0
     actuationTool:
       flavor: Terraform
-      version: ">= 0.13"
+      version: ">= 1.3"
     description: {}
   content:
     examples:
@@ -97,7 +97,7 @@ spec:
         varType: bool
         defaultValue: false
       - name: hierarchical_namespace
-        description: While set to true, hierarchical namespace is enabled for this bucket.
+        description: When set to true, hierarchical namespace is enable for this bucket.
         varType: bool
         defaultValue: false
       - name: retention_policy
@@ -351,16 +351,14 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/iam.serviceAccountUser
           - roles/storage.admin
+          - roles/iam.serviceAccountUser
+          - roles/cloudkms.admin
+          - roles/logging.logWriter
     services:
       - cloudkms.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
       - iam.googleapis.com
-      - serviceusage.googleapis.com
-      - storage-api.googleapis.com
+      - storage.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: ">= 5.43.0, < 7"
+        version: ">= 6.9.0, < 7"

test/setup/iam.tf

@@ -15,11 +15,27 @@
  */
 
 locals {
-  int_required_roles = [
+  per_module_roles = {
+    simple_bucket = [
+      "roles/storage.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/cloudkms.admin",
+      "roles/logging.logWriter",
+    ]
+    root = [
+      "roles/resourcemanager.projectIamAdmin",
+      "roles/serviceusage.serviceUsageAdmin",
+      "roles/storage.admin",
+      "roles/iam.serviceAccountAdmin",
+      "roles/iam.serviceAccountUser",
+    ]
+  }
+
+  int_required_roles = concat([
     "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "roles/iam.serviceAccountUser",
     "roles/storage.admin",
-  ]
+  ], flatten(values(local.per_module_roles)))
 }
 
 resource "google_service_account" "int_test" {

test/setup/main.tf

@@ -14,6 +14,22 @@
  * limitations under the License.
  */
 
+locals {
+  per_module_services = {
+    simple_bucket = [
+      "storage.googleapis.com",
+      "cloudkms.googleapis.com",
+      "iam.googleapis.com",
+    ]
+    root = [
+      "storage.googleapis.com",
+      "iam.googleapis.com",
+      "serviceusage.googleapis.com",
+      "cloudresourcemanager.googleapis.com",
+    ]
+  }
+}
+
 module "project" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 18.0"
@@ -24,12 +40,10 @@ module "project" {
   folder_id         = var.folder_id
   billing_account   = var.billing_account
 
-  activate_apis = [
-    "cloudkms.googleapis.com",
+  activate_apis = concat([
     "cloudresourcemanager.googleapis.com",
     "compute.googleapis.com",
-    "iam.googleapis.com",
     "serviceusage.googleapis.com",
     "storage-api.googleapis.com",
-  ]
+  ], flatten(values(local.per_module_services)))
 }