Skip to content

Commit bbce151

Browse files
derhallyderhally
committed
Data Fusion SA also needs networkViewer on the VPCs as well
1 parent 90e21e3 commit bbce151

File tree

1 file changed

+13
-1
lines changed

1 file changed

+13
-1
lines changed

modules/shared_vpc_access/main.tf

+13-1
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ locals {
6262
gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
6363
composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
6464
datastream_shared_vpc_enabled = contains(var.active_apis, "datastream.googleapis.com")
65+
datafusion_shared_vpc_enabled = contains(var.active_apis, "datafusion.googleapis.com")
6566
active_apis = [for api in keys(local.apis) : api if contains(var.active_apis, api)]
6667
# Can't use setproduct due to https://github.com/terraform-google-modules/terraform-google-project-factory/issues/635
6768
subnetwork_api = length(var.shared_vpc_subnets) != 0 ? flatten([
@@ -136,7 +137,7 @@ resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet
136137
if "networkconnectivity.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined
137138
*****************************************/
138139
resource "google_project_iam_member" "service_shared_vpc_user" {
139-
for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && var.grant_network_role ? toset(local.active_apis) : []
140+
for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && grant_network_role ? toset(local.active_apis) : []
140141
project = var.host_project_id
141142
role = local.apis[each.value].role
142143
member = format("serviceAccount:%s", local.apis[each.value].service_account)
@@ -187,3 +188,14 @@ resource "google_project_iam_member" "datastream_network_admin" {
187188
role = "roles/compute.networkAdmin"
188189
member = format("serviceAccount:%s", local.apis["datastream.googleapis.com"].service_account)
189190
}
191+
192+
/******************************************
193+
roles/compute.networkViewer role granted to Data Fusion's service account on shared VPC host project
194+
Service Account: service-[project_number]@gcp-sa-datafusion.iam.gserviceaccount.com
195+
*****************************************/
196+
resource "google_project_iam_member" "datastream_network_admin" {
197+
count = local.datafusion_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
198+
project = var.host_project_id
199+
role = "roles/compute.networkViewer"
200+
member = format("serviceAccount:%s", local.apis["datafusion.googleapis.com"].service_account)
201+
}

0 commit comments

Comments
 (0)