
Commit 328fcc8

committed
Add IAM permissions for Cloud Build service agent and use custom service account in E2E tests
1 parent ea31c7e commit 328fcc8

8 files changed

Lines changed: 40 additions & 17 deletions

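--- a/cloudbuild-e2e-cloud-functions-gen2.yaml
+++ b/cloudbuild-e2e-cloud-functions-gen2.yaml
@@ -75,3 +75,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com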
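Review bot: The new `serviceAccount:` under `options:` (line 78) is not paired with a logging mode, and Cloud Build has historically rejected a build config that names a user-specified service account unless it also sets `logging: CLOUD_LOGGING_ONLY`, `logging: NONE` or a top-level `logsBucket`; nothing of the kind is visible in this hunk, so unless `logsBucket` is set earlier in the file the build would fail at submission rather than run as the new account. Add `logging: CLOUD_LOGGING_ONLY` next to the new line (or whichever of the three the project's logging policy calls for). The identical hunks in cloudbuild-e2e-cloud-run.yaml, cloudbuild-e2e-gae-standard.yaml, cloudbuild-e2e-gae.yaml, cloudbuild-e2e-gce.yaml and cloudbuild-e2e-gke.yaml have the same gap. The `options:` block begins inside the hunk, but whether the rest of the file sets a logs bucket cannot be confirmed from here.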

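--- a/cloudbuild-e2e-cloud-run.yaml
+++ b/cloudbuild-e2e-cloud-run.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com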

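--- a/cloudbuild-e2e-gae-standard.yaml
+++ b/cloudbuild-e2e-gae-standard.yaml
@@ -74,3 +74,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com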

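--- a/cloudbuild-e2e-gae.yaml
+++ b/cloudbuild-e2e-gae.yaml
@@ -52,3 +52,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com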

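--- a/cloudbuild-e2e-gce.yaml
+++ b/cloudbuild-e2e-gce.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com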

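--- a/cloudbuild-e2e-gke.yaml
+++ b/cloudbuild-e2e-gke.yaml
@@ -51,3 +51,4 @@ substitutions:
 
 options:
 pubsubTopic: projects/opentelemetry-ops-e2e/topics/e2e-cleanup
+serviceAccount: projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com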

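--- a/tf/modules/repo-ci-triggers/main.tf
+++ b/tf/modules/repo-ci-triggers/main.tf
@@ -32,6 +32,7 @@ resource "google_cloudbuild_trigger" "build_image" {
 "build"
 ]
 include_build_logs = "INCLUDE_BUILD_LOGS_WITH_STATUS"
+service_account = var.service_account
 }
 
 // Run tests
@@ -55,12 +56,19 @@ resource "google_cloudbuild_trigger" "ci" {
 "terraform-resources"
 ]
 include_build_logs = "INCLUDE_BUILD_LOGS_WITH_STATUS"
+service_account = var.service_account
 
 substitutions = {
 _E2E_ENVIRONMENT = each.key
 }
 }
 
+variable "service_account" {
+type = string
+description = "The service account to use for the triggers"
+default = null
+}
+
 variable "project_id" {
 type = string
 description = "The GCP project ID"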
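Review bot: The `service_account` variable added at new lines 66–70 says neither what format the value must take nor what `null` means, and `google_cloudbuild_trigger.service_account` expects the full resource name rather than a bare email, so a caller who passes the email form only finds out at apply time. Tighten the description to `description = "Full resource name (projects/{project}/serviceAccounts/{email}) of the service account the triggers run as; null keeps the Cloud Build default"` and, if the module's pinned Terraform is 0.13 or later, add a validation block so the mistake is caught at plan time. The `can(regex(...))` form below also tolerates the `null` default, since `can` turns the regex error into `false`.
```terraform
variable "service_account" {
  type        = string
  description = "Full resource name (projects/{project}/serviceAccounts/{email}) of the service account the triggers run as; null keeps the Cloud Build default"
  default     = null

  validation {
    condition     = var.service_account == null || can(regex("^projects/[^/]+/serviceAccounts/[^/]+@[^/]+$", var.service_account))
    error_message = "The service_account value must be a full resource name: projects/{project}/serviceAccounts/{email}."
  }
}
```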

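--- a/tf/persistent/repo-ci-triggers.tf
+++ b/tf/persistent/repo-ci-triggers.tf
@@ -13,31 +13,35 @@
 # limitations under the License.
 
 module "python" {
-source = "../modules/repo-ci-triggers"
-project_id = var.project_id
-repository = "opentelemetry-operations-python"
-run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+source = "../modules/repo-ci-triggers"
+project_id = var.project_id
+repository = "opentelemetry-operations-python"
+run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+service_account = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com"
 }
 
 module "java" {
-source = "../modules/repo-ci-triggers"
-project_id = var.project_id
-repository = "opentelemetry-operations-java"
-run_on = ["local", "gce", "gke", "gae", "cloud-run", "cloud-functions-gen2"]
+source = "../modules/repo-ci-triggers"
+project_id = var.project_id
+repository = "opentelemetry-operations-java"
+run_on = ["local", "gce", "gke", "gae", "cloud-run", "cloud-functions-gen2"]
+service_account = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com"
 }
 
 module "js" {
-source = "../modules/repo-ci-triggers"
-project_id = var.project_id
-repository = "opentelemetry-operations-js"
-run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+source = "../modules/repo-ci-triggers"
+project_id = var.project_id
+repository = "opentelemetry-operations-js"
+run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+service_account = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com"
 }
 
 module "go" {
-source = "../modules/repo-ci-triggers"
-project_id = var.project_id
-repository = "opentelemetry-operations-go"
-run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+source = "../modules/repo-ci-triggers"
+project_id = var.project_id
+repository = "opentelemetry-operations-go"
+run_on = ["local", "gce", "gke", "gae", "gae-standard", "cloud-run", "cloud-functions-gen2"]
+service_account = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com"
 }
 
 resource "google_pubsub_topic" "e2e_cleanup" {
@@ -53,7 +57,8 @@ resource "google_cloudbuild_trigger" "global_cleanup" {
 topic = google_pubsub_topic.e2e_cleanup.id
 }
 
-filter = "(_BUILD_TAGS.contains(\"terraform-resources\") || _BUILD_TAGS.contains(\"ops-e2e-testing\")) && (_BUILD_STATUS == \"SUCCESS\" || _BUILD_STATUS == \"FAILURE\")"
+# TODO: Add tag filter back once triggers are updated with tags in latchkey
+filter = "_BUILD_STATUS == \"SUCCESS\" || _BUILD_STATUS == \"FAILURE\""
 
 git_file_source {
 path = "cloudbuild-cleanup.yaml"
@@ -62,6 +67,8 @@ resource "google_cloudbuild_trigger" "global_cleanup" {
 repo_type = "GITHUB"
 }
 
+service_account = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com"
+
 substitutions = {
 _TEST_RUN_ID = "$(body.message.data.id)"
 _E2E_ENVIRONMENT = "$(body.message.data.substitutions._E2E_ENVIRONMENT)"
@@ -70,3 +77,5 @@ resource "google_cloudbuild_trigger" "global_cleanup" {
 _BUILD_STATUS = "$(body.message.data.status)"
 }
 }
+
+# TODO: add to internal permission tooling (latchkey)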
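Review bot: The runner service account's full resource name is pasted five times in this file (new lines 20, 28, 36, 44 and 70) and six more times across the cloudbuild-e2e-*.yaml files, so renaming or rotating that account becomes an eleven-site edit where one missed copy silently leaves a trigger on a different identity. Within this file, declare it once, `locals { e2e_runner_sa = "projects/opentelemetry-ops-e2e/serviceAccounts/e2e-cloudbuild-runner@opentelemetry-ops-e2e.iam.gserviceaccount.com" }`, and pass `service_account = local.e2e_runner_sa` to the four modules and the cleanup trigger. Separately, the commit title says IAM permissions for the Cloud Build service agent were added, but no IAM binding appears in this diff and the TODO on new line 81 indicates the grant lives in an external tool; consider expanding that comment to name the principal and role that were granted, so the binding can be reproduced if that tool and this repository drift.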
