fix: Addressing permission conflicts (#298)
shanecglass authored Dec 20, 2023
1 parent a51b7c1 commit dc3cb5e
Showing 3 changed files with 37 additions and 45 deletions.
68 changes: 25 additions & 43 deletions modules/data_warehouse/bigquery.tf
Expand Up @@ -39,12 +39,12 @@ resource "google_bigquery_connection" "ds_connection" {
}

# # Grant IAM access to the BigQuery Connection account for Cloud Storage
resource "google_storage_bucket_iam_binding" "bq_connection_iam_object_viewer" {
bucket = google_storage_bucket.raw_bucket.name
role = "roles/storage.objectViewer"
members = [
"serviceAccount:${google_bigquery_connection.ds_connection.cloud_resource[0].service_account_id}",
]
resource "google_project_iam_member" "bq_connection_iam_object_viewer" {
project = module.project-services.project_id
role = "roles/storage.objectViewer"
member = "serviceAccount:${google_bigquery_connection.ds_connection.cloud_resource[0].service_account_id}"

depends_on = [google_storage_bucket.raw_bucket, google_bigquery_connection.ds_connection]
}

# # Create a BigQuery connection for Vertex AI to support GenerativeAI use cases
Expand All @@ -68,6 +68,8 @@ resource "google_project_iam_member" "bq_connection_iam_vertex_ai" {
project = module.project-services.project_id
role = each.key
member = "serviceAccount:${google_bigquery_connection.vertex_ai_connection.cloud_resource[0].service_account_id}"

depends_on = [google_bigquery_connection.vertex_ai_connection]
}

# Create data tables in BigQuery
Expand Down Expand Up @@ -253,7 +255,7 @@ resource "google_bigquery_routine" "sp_bigqueryml_model" {
}
)
depends_on = [
google_bigquery_table.tbl_edw_order_items,
google_bigquery_table.tbl_edw_order_items
]
}

Expand All @@ -272,6 +274,11 @@ resource "google_bigquery_routine" "sp_bigqueryml_generate_create" {
region = var.region
}
)

depends_on = [
google_bigquery_routine.sp_bigqueryml_model,
google_bigquery_connection.vertex_ai_connection
]
}

# # Query Bigquery ML Model for describing customer clusters
Expand Down Expand Up @@ -306,35 +313,14 @@ resource "google_bigquery_routine" "sp_sample_translation_queries" {
}
)
depends_on = [
google_bigquery_table.tbl_edw_inventory_items,
google_bigquery_table.tbl_edw_inventory_items
]
}

# Add Scheduled Query
# # Set up DTS permissions
resource "google_project_service_identity" "bigquery_data_transfer_sa" {
provider = google-beta
project = module.project-services.project_id
service = "bigquerydatatransfer.googleapis.com"

depends_on = [time_sleep.wait_after_apis]
}

# # Grant the DTS service account access
resource "google_project_iam_member" "dts_service_account_roles" {
for_each = toset([
"roles/bigquerydatatransfer.serviceAgent",
])

project = module.project-services.project_id
role = each.key
member = "serviceAccount:${google_project_service_identity.bigquery_data_transfer_sa.email}"

depends_on = [time_sleep.wait_after_apis]
}

# Create specific service account for DTS Run
# # Set up the DTA service account
# # Create a DTS specific service account
resource "google_service_account" "dts" {
project = module.project-services.project_id
account_id = "cloud-dts-sa-${random_id.id.hex}"
Expand All @@ -346,25 +332,21 @@ resource "google_project_iam_member" "dts_roles" {
for_each = toset([
"roles/bigquery.user",
"roles/bigquery.dataEditor",
"roles/bigquery.connectionUser"
])

project = module.project-services.project_id
role = each.key
member = "serviceAccount:${google_service_account.dts.email}"
}

# # Grant the DTS specific service account Token Creator to the DTS Service Identity
resource "google_service_account_iam_binding" "dts_token_creator" {
service_account_id = google_service_account.dts.id
role = "roles/iam.serviceAccountTokenCreator"
members = [
"serviceAccount:${google_project_service_identity.bigquery_data_transfer_sa.email}"
]
# # # Grant the DTS service account access
# resource "google_project_iam_member" "dts_service_account_roles" {
# role = "roles/iam.serviceAccountTokenCreator"
# project = module.project-services.project_id
# member = "serviceAccount:${google_project_service_identity.bigquery_data_transfer_sa.email}"

depends_on = [
google_project_iam_member.dts_service_account_roles,
]
}
# depends_on = [ google_project_iam ]
# }

# Set up scheduled query
resource "google_bigquery_data_transfer_config" "dts_config" {
Expand All @@ -382,6 +364,6 @@ resource "google_bigquery_data_transfer_config" "dts_config" {
depends_on = [
google_project_iam_member.dts_roles,
google_bigquery_dataset.ds_edw,
google_service_account_iam_binding.dts_token_creator,
time_sleep.wait_after_workflow_execution
]
}
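Review bot: The new `google_project_iam_member` "bq_connection_iam_object_viewer" (the block at the top of the first hunk) grants `roles/storage.objectViewer` on the whole project, so the connection's service account can now read every bucket in the project rather than only `raw_bucket` as the replaced `google_storage_bucket_iam_binding` allowed. The conflict the commit is fixing comes from the authoritative `_iam_binding` form, not from the bucket scope, so the least-privilege fix is the non-authoritative bucket-scoped resource: change the resource type to `google_storage_bucket_iam_member` and replace the `project = ...` line with `bucket = google_storage_bucket.raw_bucket.name`, keeping `role` and `member` as written; that reference also makes the `google_storage_bucket.raw_bucket` entry in `depends_on` implicit. Separately, the commented-out `dts_service_account_roles` block that replaces the deleted `dts_token_creator` binding near the end of the file is dead code on the new side and should be removed rather than kept as a comment, since the role it assigned is now handled in main.tf.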
4 changes: 4 additions & 0 deletions modules/data_warehouse/main.tf
Expand Up @@ -48,6 +48,10 @@ module "project-services" {
api = "workflows.googleapis.com"
roles = [
"roles/workflows.viewer"
],
api = "bigquerydatatransfer.googleapis.com"
roles = [
"roles/bigquerydatatransfer.serviceAgent"
]
}
]
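Review bot: As rendered, the added `api = "bigquerydatatransfer.googleapis.com"` and its `roles` list sit inside the same object as the `workflows.googleapis.com` entry (after the `],` line), so that object constructor defines `api` and `roles` twice, which HCL rejects as a duplicate key rather than treating as a second entry. If the intent is a separate entry in the list, it needs to be closed and opened as its own object: `},` after the workflows `]`, then `{` before the new `api` line, with the `],` reverting to `]`. This reading assumes the rendered page has not dropped any lines; if the real diff already contains the `},` / `{` pair, the addition count shown here (4) would not match.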
10 changes: 8 additions & 2 deletions modules/data_warehouse/workflows.tf
Expand Up @@ -20,6 +20,8 @@ resource "google_service_account" "workflow_service_account" {
project = module.project-services.project_id
account_id = "cloud-workflow-sa-${random_id.id.hex}"
display_name = "Service Account for Cloud Workflows"

depends_on = [time_sleep.wait_after_apis]
}

# # Grant the Workflow service account access
Expand All @@ -37,6 +39,8 @@ resource "google_project_iam_member" "workflow_service_account_roles" {
project = module.project-services.project_id
role = each.key
member = "serviceAccount:${google_service_account.workflow_service_account.email}"

depends_on = [google_service_account.workflow_service_account]
}

# # Create the workflow
Expand All @@ -55,7 +59,7 @@ resource "google_workflows_workflow" "workflow" {
labels = var.labels

depends_on = [
google_project_iam_member.workflow_service_account_roles,
google_project_iam_member.workflow_service_account_roles
]
}

Expand All @@ -74,6 +78,8 @@ data "http" "call_workflows_setup" {
google_bigquery_routine.sp_bigqueryml_generate_create,
google_bigquery_routine.sp_bigqueryml_model,
google_bigquery_routine.sproc_sp_demo_lookerstudio_report,
google_bigquery_routine.sp_provision_lookup_tables
google_bigquery_routine.sp_provision_lookup_tables,
google_workflows_workflow.workflow,
google_storage_bucket.raw_bucket
]
}
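Review bot: The added `depends_on = [google_service_account.workflow_service_account]` in the second hunk is redundant: the `member = "serviceAccount:${google_service_account.workflow_service_account.email}"` line directly above already creates that dependency, so Terraform orders the two resources without it. It is harmless, but it suggests an ordering problem that does not exist; the line can be dropped. The same applies to the added `depends_on = [google_bigquery_connection.vertex_ai_connection]` and the `google_bigquery_connection.ds_connection` entry in bigquery.tf, where `member` already references the connection, whereas the `time_sleep.wait_after_apis` dependency added in the first hunk is a genuine case for explicit `depends_on` since nothing else references it.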
