feat(TPG>=6.39)!: Fleet app operator permissions custom roles #2377


Merged (40 commits) Jul 18, 2025

Conversation

tonybayvas
Contributor

This PR introduces custom roles to the Terraform module that bundles different permissions (IAM and RBAC Role Bindings) required for Fleet team management.

@tonybayvas tonybayvas requested review from apeabody, ericyz and a team as code owners July 7, 2025 13:36
Collaborator

@apeabody apeabody left a comment


Thanks @tonybayvas!

I've added a few notes below, also be sure to review the LINT output.

@apeabody
Collaborator

apeabody commented Jul 8, 2025

Thanks @tonybayvas!

From the most recent test:

        	Error:      	Received unexpected error:
        	            	FatalError{Underlying: error while running command: exit status 1; 
        	            	Error: Failed to retrieve project, pid: , err: project: required field is not set
        	            	
        	            	  with module.example.google_gke_hub_feature.rbacrolebindingactuation,
        	            	  on ../../../examples/simple_fleet_app_operator_permissions/main.tf line 39, in resource "google_gke_hub_feature" "rbacrolebindingactuation":
        	            	  39: resource "google_gke_hub_feature" "rbacrolebindingactuation" {
        	            	
        	            	
        	            	Error: Invalid combination of arguments
        	            	
        	            	  with module.example.module.permissions.google_gke_hub_scope_rbac_role_binding.scope_rbac_user_role_bindings["app-operator-id@ci-gke-fleet-bb1669a9-a31b.iam.gserviceaccount.com"],
        	            	  on ../../../modules/fleet-app-operator-permissions/main.tf line 82, in resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_user_role_bindings":
        	            	  82:     custom_role     = (var.custom_role != "" ? var.custom_role : null)
        	            	
        	            	"role.0.custom_role": one of `role.0.custom_role,role.0.predefined_role` must
        	            	be specified
        	            	
        	            	Error: Invalid combination of arguments
        	            	
        	            	  with module.example.module.permissions.google_gke_hub_scope_rbac_role_binding.scope_rbac_user_role_bindings["app-operator-id@ci-gke-fleet-bb1669a9-a31b.iam.gserviceaccount.com"],
        	            	  on ../../../modules/fleet-app-operator-permissions/main.tf line 83, in resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_user_role_bindings":
        	            	  83:     predefined_role = (var.custom_role != "" ? null : var.role)
        	            	
        	            	"role.0.predefined_role": one of `role.0.custom_role,role.0.predefined_role`
        	            	must be specified}
        	Test:       	TestSimpleFleetAppOperatorPermissions
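
The two "Invalid combination of arguments" errors above arise because the module's fallback expressions on lines 82 and 83 both evaluate to `null` when neither `var.custom_role` nor `var.role` is set, and the provider only rejects that at apply time. The following is an added example, not code from this PR or from the fleet-app-operator-permissions module, showing how a `lifecycle` precondition makes that case fail at plan time with a clear message; the scope id, binding id, user and variable names are constructed placeholders.

```hcl
# Added example: guard the custom_role / predefined_role fallback so that
# "neither set" (and "both set") is caught during `terraform plan`.
# All identifiers below are constructed placeholders, not the module's own.

variable "role" {
  description = "Predefined Scope RBAC role (e.g. admin, edit, view); leave empty when custom_role is used."
  type        = string
  default     = ""
}

variable "custom_role" {
  description = "Custom Scope RBAC role name; leave empty when a predefined role is used."
  type        = string
  default     = ""
}

variable "project_id" {
  type = string
}

resource "google_gke_hub_scope_rbac_role_binding" "app_operator" {
  project                    = var.project_id          # avoids "project: required field is not set"
  scope_rbac_role_binding_id = "app-operator-binding"  # constructed
  scope_id                   = "example-scope"         # constructed
  user                       = "app-operator@example.com"

  role {
    # Same fallback shape as the module: exactly one of the two ends up non-null.
    custom_role     = var.custom_role != "" ? var.custom_role : null
    predefined_role = var.custom_role != "" ? null : var.role
  }

  lifecycle {
    precondition {
      # XOR: exactly one of custom_role / role must be non-empty.
      condition     = (var.custom_role != "") != (var.role != "")
      error_message = "Set exactly one of custom_role or role for the app operator Scope RBAC binding."
    }
  }
}
```

With both variables left at their defaults, `terraform plan` now stops on the precondition message instead of the provider's `role.0.custom_role ... must be specified` error during apply.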

@tonybayvas
Contributor Author

/gcbrun

@tonybayvas
Contributor Author

/gcbrun

@apeabody
Collaborator

Almost! :)

    simple_fleet_app_operator_permissions_test.go:69: 
        	Error:      	Not equal: 
        	            	expected: false
        	            	actual  : true
        	Test:       	TestSimpleFleetAppOperatorPermissions
        	Messages:   	custom app operator Scope role should be in the project IAM policy

@tonybayvas
Contributor Author

/gcbrun

@tonybayvas
Contributor Author

/gcbrun

@tonybayvas
Contributor Author

/gcbrun

@tonybayvas
Contributor Author

The latest test failures don't seem related to the app-operator tests.

@apeabody
Collaborator

> The latest test failures don't seem related to the app-operator tests.

Could be transitory, or it's possible the API/TPG behavior recently changed.

@apeabody
Collaborator

> The latest test failures don't seem related to the app-operator tests.

Could be transitory, or it's possible the API/TPG behavior recently changed.

Reproduced in #2368, so it's an API/TPG change:

Step #76 - "verify private-zonal-with-networking":         	Error:      	Not equal: 
Step #76 - "verify private-zonal-with-networking":         	            	expected: map[string]interface {}{"diskSizeGb":100, "diskType":"pd-standard", "effectiveCgroupMode":"EFFECTIVE_CGROUP_MODE_V2", "imageType":"COS_CONTAINERD", "kubeletConfig":map[string]interface {}{"insecureKubeletReadonlyPortEnabled":false}, "labels":map[string]interface {}{"cluster_name":"CLUSTER_NAME", "node_pool":"default-node-pool"}, "loggingConfig":map[string]interface {}{"variantConfig":map[string]interface {}{"variant":"DEFAULT"}}, "machineType":"e2-medium", "metadata":map[string]interface {}{"cluster_name":"CLUSTER_NAME", "disable-legacy-endpoints":"true", "node_pool":"default-node-pool"}, "oauthScopes":[]interface {}{"https://www.googleapis.com/auth/cloud-platform"}, "resourceLabels":map[string]interface {}{"goog-gke-node-pool-provisioning-model":"on-demand"}, "serviceAccount":"SERVICE_ACCOUNT", "shieldedInstanceConfig":map[string]interface {}{"enableIntegrityMonitoring":true}, "tags":[]interface {}{"gke-CLUSTER_NAME", "gke-CLUSTER_NAME-default-node-pool"}, "windowsNodeConfig":map[string]interface {}{}, "workloadMetadataConfig":map[string]interface {}{"mode":"GKE_METADATA"}}
Step #76 - "verify private-zonal-with-networking":         	            	actual  : map[string]interface {}{"bootDisk":map[string]interface {}{"diskType":"pd-standard", "sizeGb":"100"}, "diskSizeGb":100, "diskType":"pd-standard", "effectiveCgroupMode":"EFFECTIVE_CGROUP_MODE_V2", "imageType":"COS_CONTAINERD", "kubeletConfig":map[string]interface {}{"insecureKubeletReadonlyPortEnabled":false}, "labels":map[string]interface {}{"cluster_name":"CLUSTER_NAME", "node_pool":"default-node-pool"}, "loggingConfig":map[string]interface {}{"variantConfig":map[string]interface {}{"variant":"DEFAULT"}}, "machineType":"e2-medium", "metadata":map[string]interface {}{"cluster_name":"CLUSTER_NAME", "disable-legacy-endpoints":"true", "node_pool":"default-node-pool"}, "oauthScopes":[]interface {}{"https://www.googleapis.com/auth/cloud-platform"}, "resourceLabels":map[string]interface {}{"goog-gke-node-pool-provisioning-model":"on-demand"}, "serviceAccount":"SERVICE_ACCOUNT", "shieldedInstanceConfig":map[string]interface {}{"enableIntegrityMonitoring":true}, "tags":[]interface {}{"gke-CLUSTER_NAME", "gke-CLUSTER_NAME-default-node-pool"}, "windowsNodeConfig":map[string]interface {}{}, "workloadMetadataConfig":map[string]interface {}{"mode":"GKE_METADATA"}}

@tonybayvas tonybayvas requested a review from apeabody July 18, 2025 18:03
@tonybayvas tonybayvas dismissed apeabody’s stale review July 18, 2025 18:03

I made the described changes

@apeabody apeabody added the blocked Blocked by some other work label Jul 18, 2025
Collaborator

@apeabody apeabody left a comment


Thanks @tonybayvas!

This will be a breaking change due to the bump in minimum provider version, so we'll merge after v37.1 is released.

@tonybayvas tonybayvas changed the title from "feat: Fleet app operator permissions custom roles" to "feat(TPG>=6.39)!: Fleet app operator permissions custom roles" Jul 18, 2025
@apeabody apeabody removed the blocked Blocked by some other work label Jul 18, 2025
Collaborator

@apeabody apeabody left a comment


Thanks @tonybayvas!

@apeabody apeabody enabled auto-merge (squash) July 18, 2025 20:47
@apeabody apeabody merged commit c008237 into terraform-google-modules:main Jul 18, 2025
4 checks passed
2 participants