feat: Fleet app operator permissions

build/int.cloudbuild.yaml

@@ -535,6 +535,26 @@ steps:
     - verify simple-autopilot-private-non-default-sa
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivateNonDefaultSA --stage teardown --verbose']
+- id: init simple-fleet-app-operator-permissions
+  waitFor:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage init --verbose']
+- id: apply simple-fleet-app-operator-permissions
+  waitFor:
+    - init simple-fleet-app-operator-permissions
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage apply --verbose']
+- id: verify simple-fleet-app-operator-permissions
+  waitFor:
+    - apply simple-fleet-app-operator-permissions
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage verify --verbose']
+- id: teardown simple-fleet-app-operator-permissions
+  waitFor:
+    - verify simple-fleet-app-operator-permissions
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/simple_fleet_app_operator_permissions/README.md

@@ -0,0 +1,38 @@
+# Simple App Operator Permissions Setup for a Fleet Scope
+
+This example illustrates how to create a Fleet Scope for a [team](https://cloud.google.com/kubernetes-engine/fleet-management/docs/team-management) and set up permissions for an app operator in the team.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project to which the Fleet belongs. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project to which the Fleet belongs. |
+| wait | An output (Fleet Scope RBAC Role Binding ID) to use when you want to depend on granting permissions finishing. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
+
+Example:
+
+```
+terraform init
+
+terraform apply \
+    -var project_id="${PROJECT}" \
+    -var app_operator_team="frontend-team" \
+    -var app_operator_email="person@company.com" \
+    -var app_operator_role="EDIT"
+```
+

examples/simple_fleet_app_operator_permissions/main.tf

@@ -0,0 +1,42 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  project = var.project_id
+}
+
+# Create a Service Account, which can be used as an app operator.
+resource "google_service_account" "service_account" {
+  account_id   = "app-operator-id"
+  display_name = "Test App Operator Service Account"
+}
+
+# Create a Fleet Scope for the app operator's team.
+resource "google_gke_hub_scope" "scope" {
+  scope_id = "app-operator-team"
+}
+
+# Grant permissions to the app operator to work with the Fleet Scope.
+module "permissions" {
+  source = "../../modules/fleet-app-operator-permissions"
+
+  project_id           = var.project_id
+  scope_id             = google_gke_hub_scope.scope.scope_id
+  app_operator_name    = google_service_account.service_account.email
+  is_user_app_operator = true
+  role                 = "VIEW"
+}
+

examples/simple_fleet_app_operator_permissions/outputs.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  description = "The project to which the Fleet belongs."
+  value       = var.project_id
+}
+
+output "wait" {
+  description = "An output (Fleet Scope RBAC Role Binding ID) to use when you want to depend on granting permissions finishing."
+  value       = module.permissions.wait
+}
+

examples/simple_fleet_app_operator_permissions/variables.tf

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project to which the Fleet belongs."
+  type        = string
+}
+

examples/simple_fleet_app_operator_permissions/versions.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.2.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.81.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 4.81.0"
+    }
+  }
+}
+

modules/fleet-app-operator-permissions/README.md

@@ -0,0 +1,40 @@
+# Terrafrom Module for Fleet App Operator Permissions
+
+This module bundles different permissions (IAM and RBAC Role Bindings) required for [Fleet team management](https://cloud.google.com/kubernetes-engine/fleet-management/docs/team-management). A platform admin can use this module to set up permissions for an app operator (user or group) in a team--including usage of Fleet Scopes, Connect Gateway, logging, and metrics--based on predefined roles (VIEW, EDIT, ADMIN).
+
+## Usage
+```tf
+Example:
+module "fleet_app_operator_permissions" {
+  source               = "terraform-google-modules/kubernetes-engine/google//modules/fleet-app-operator-permissions"
+
+  project_id           = "my-project-id"
+  scope_id             = "frontend-team"
+  app_operator_name    = "person@company.com"
+  is_user_app_operator = true
+  role                 = "EDIT"
+}
+```
+
+To deploy this config:
+1. Run `terraform apply`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| app\_operator\_name | The name of the app operator principal for the Fleet Scope, e.g., `person@google.com` (user), `people@google.com` (group), `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person` (user), `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people` (group), `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com` (user). | `string` | n/a | yes |
+| is\_user\_app\_operator | Whether the app operator is a user (`true`), or a group (`false`). | `bool` | n/a | yes |
+| project\_id | The project to which the Fleet belongs. | `string` | n/a | yes |
+| role | The principal role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`). | `string` | n/a | yes |
+| scope\_id | The scope for which IAM and RBAC role bindings are created. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project to which the Fleet belongs. |
+| wait | An output to use when you want to depend on Scope RBAC Role Binding creation finishing. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/fleet-app-operator-permissions/main.tf

@@ -0,0 +1,92 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  project = var.project_id
+}
+
+locals {
+  principal = (
+    startswith(var.app_operator_name, "principal://") || startswith(var.app_operator_name, "principalSet://") ? var.app_operator_name : (
+      endswith(var.app_operator_name, "gserviceaccount.com") ? "serviceAccount:${var.app_operator_name}" : (
+        var.is_user_app_operator ? "user:${var.app_operator_name}" : "group:${var.app_operator_name}"
+  )))
+  project_level_scope_role = {
+    "VIEW"  = "roles/gkehub.scopeViewerProjectLevel"
+    "EDIT"  = "roles/gkehub.scopeEditorProjectLevel"
+    "ADMIN" = "roles/gkehub.scopeEditorProjectLevel" # Same as EDIT
+  }
+  resource_level_scope_role = {
+    "VIEW"  = "roles/gkehub.scopeViewer"
+    "EDIT"  = "roles/gkehub.scopeEditor"
+    "ADMIN" = "roles/gkehub.scopeAdmin"
+  }
+}
+
+resource "google_project_iam_binding" "log_view_permissions" {
+  project = var.project_id
+  role    = "roles/logging.viewAccessor"
+  members = [
+    local.principal,
+  ]
+  condition {
+    title       = "conditional log view access"
+    description = "log view access for scope ${var.scope_id}"
+    expression  = "resource.name == \"projects/${var.project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_container\" || resource.name == \"projects/${var.project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_pod\""
+  }
+}
+
+resource "google_project_iam_binding" "project_level_scope_permissions" {
+  project = var.project_id
+  role    = local.project_level_scope_role[var.role]
+  members = [
+    local.principal,
+  ]
+}
+
+resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" {
+  project  = var.project_id
+  scope_id = var.scope_id
+  role     = local.resource_level_scope_role[var.role]
+  members = [
+    local.principal,
+  ]
+}
+
+resource "random_id" "rand" {
+  byte_length = 8
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_user_role_binding" {
+  count                      = var.is_user_app_operator ? 1 : 0
+  scope_rbac_role_binding_id = "tf-${random_id.rand.hex}"
+  scope_id                   = var.scope_id
+  user                       = var.app_operator_name
+  role {
+    predefined_role = var.role
+  }
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_group_role_binding" {
+  count                      = var.is_user_app_operator ? 0 : 1
+  scope_rbac_role_binding_id = "tf-${random_id.rand.hex}"
+  scope_id                   = var.scope_id
+  group                      = var.app_operator_name
+  role {
+    predefined_role = var.role
+  }
+}
+

modules/fleet-app-operator-permissions/outputs.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  description = "The project to which the Fleet belongs."
+  value       = var.project_id
+}
+
+output "wait" {
+  description = "An output to use when you want to depend on Scope RBAC Role Binding creation finishing."
+  value       = var.is_user_app_operator ? google_gke_hub_scope_rbac_role_binding.scope_rbac_user_role_binding[0].scope_rbac_role_binding_id : google_gke_hub_scope_rbac_role_binding.scope_rbac_group_role_binding[0].scope_rbac_role_binding_id
+}
+

modules/fleet-app-operator-permissions/variables.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project to which the Fleet belongs."
+  type        = string
+}
+
+variable "scope_id" {
+  description = "The scope for which IAM and RBAC role bindings are created."
+  type        = string
+}
+
+variable "app_operator_name" {
+  description = "The name of the app operator principal for the Fleet Scope, e.g., `person@google.com` (user), `people@google.com` (group), `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person` (user), `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people` (group), `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com` (user)."
+  type        = string
+}
+
+variable "is_user_app_operator" {
+  description = "Whether the app operator is a user (`true`), or a group (`false`)."
+  type        = bool
+}
+
+variable "role" {
+  description = "The principal role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`)."
+  type        = string
+  validation {
+    condition     = var.role == "VIEW" || var.role == "EDIT" || var.role == "ADMIN"
+    error_message = "Allowed values for role are VIEW, EDIT, or ADMIN."
+  }
+}
+