gce: use typed ServiceAccount in IAM tasks

This gives us an automatic dependency in our evaluation,
and lets us write out a dependency to terraform also.

Author: justinsb

pkg/model/gcemodel/service_accounts.go

@@ -82,16 +82,15 @@ func (b *ServiceAccountsBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			role = kops.InstanceGroupRoleControlPlane
 		}
 
-		if err := b.addInstanceGroupServiceAccountPermissions(c, *serviceAccount.Email, role); err != nil {
+		if err := b.addInstanceGroupServiceAccountPermissions(c, serviceAccount, role); err != nil {
 			return err
 		}
 	}
 
 	return nil
 }
 
-func (b *ServiceAccountsBuilder) addInstanceGroupServiceAccountPermissions(c *fi.CloudupModelBuilderContext, serviceAccountEmail string, role kops.InstanceGroupRole) error {
-	member := "serviceAccount:" + serviceAccountEmail
+func (b *ServiceAccountsBuilder) addInstanceGroupServiceAccountPermissions(c *fi.CloudupModelBuilderContext, serviceAccount *gcetasks.ServiceAccount, role kops.InstanceGroupRole) error {
 
 	// Ideally we would use a custom role here, but the deletion of a custom role takes 7 days,
 	// which means we can't easily recycle cluster names.
@@ -104,9 +103,9 @@ func (b *ServiceAccountsBuilder) addInstanceGroupServiceAccountPermissions(c *fi
 			Name:      s("serviceaccount-control-plane"),
 			Lifecycle: b.Lifecycle,
 
-			Project: s(b.ProjectID),
-			Member:  s(member),
-			Role:    s("roles/container.serviceAgent"),
+			Project:              s(b.ProjectID),
+			MemberServiceAccount: serviceAccount,
+			Role:                 s("roles/container.serviceAgent"),
 		})
 
 	case kops.InstanceGroupRoleNode:
@@ -120,9 +119,9 @@ func (b *ServiceAccountsBuilder) addInstanceGroupServiceAccountPermissions(c *fi
 			Name:      s("serviceaccount-nodes"),
 			Lifecycle: b.Lifecycle,
 
-			Project: s(b.ProjectID),
-			Member:  s(member),
-			Role:    s("roles/compute.viewer"),
+			Project:              s(b.ProjectID),
+			MemberServiceAccount: serviceAccount,
+			Role:                 s("roles/compute.viewer"),
 		})
 	}
 	return nil

pkg/model/gcemodel/storageacl.go

@@ -121,16 +121,14 @@ func (b *StorageAclBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 	}
 
 	type serviceAccountRole struct {
-		Email string
-		Role  kops.InstanceGroupRole
+		ServiceAccount *gcetasks.ServiceAccount
+		Role           kops.InstanceGroupRole
 	}
 	serviceAccountRoles := make(map[serviceAccountRole]bool)
 
 	for _, ig := range b.InstanceGroups {
 		serviceAccount := b.LinkToServiceAccount(ig)
-
-		email := *serviceAccount.Email
-		serviceAccountRoles[serviceAccountRole{Email: email, Role: ig.Spec.Role}] = true
+		serviceAccountRoles[serviceAccountRole{ServiceAccount: serviceAccount, Role: ig.Spec.Role}] = true
 	}
 
 	for serviceAccountRole := range serviceAccountRoles {
@@ -165,11 +163,11 @@ func (b *StorageAclBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			klog.Warningf("adding bucket level write IAM for role %q to gs://%s to support etcd backup", role, bucket)
 
 			c.AddTask(&gcetasks.StorageBucketIAM{
-				Name:      s("objectadmin-" + bucket + "-serviceaccount-" + nameForTask),
-				Lifecycle: b.Lifecycle,
-				Bucket:    s(bucket),
-				Member:    s("serviceAccount:" + serviceAccountRole.Email),
-				Role:      s("roles/storage.objectAdmin"),
+				Name:                 s("objectadmin-" + bucket + "-serviceaccount-" + nameForTask),
+				Lifecycle:            b.Lifecycle,
+				Bucket:               s(bucket),
+				MemberServiceAccount: serviceAccountRole.ServiceAccount,
+				Role:                 s("roles/storage.objectAdmin"),
 			})
 		}
 
@@ -201,11 +199,11 @@ func (b *StorageAclBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			klog.Warningf("adding bucket level read IAM to gs://%s for role %q", bucket, role)
 
 			c.AddTask(&gcetasks.StorageBucketIAM{
-				Name:      s("objectviewer-" + bucket + "-serviceaccount-" + nameForTask),
-				Lifecycle: b.Lifecycle,
-				Bucket:    s(bucket),
-				Member:    s("serviceAccount:" + serviceAccountRole.Email),
-				Role:      s("roles/storage.objectViewer"),
+				Name:                 s("objectviewer-" + bucket + "-serviceaccount-" + nameForTask),
+				Lifecycle:            b.Lifecycle,
+				Bucket:               s(bucket),
+				MemberServiceAccount: serviceAccountRole.ServiceAccount,
+				Role:                 s("roles/storage.objectViewer"),
 			})
 		}
 	}

tests/integration/update_cluster/many-addons-gce/kubernetes.tf

@@ -560,13 +560,13 @@ resource "google_compute_subnetwork" "us-test1-minimal-example-com" {
 }
 
 resource "google_project_iam_binding" "serviceaccount-control-plane" {
-  members = ["serviceAccount:control-plane[email protected]"]
+  members = [format("serviceAccount:%s", google_service_account.control-plane.email)]
   project = "testproject"
   role    = "roles/container.serviceAgent"
 }
 
 resource "google_project_iam_binding" "serviceaccount-nodes" {
-  members = ["serviceAccount:node[email protected]"]
+  members = [format("serviceAccount:%s", google_service_account.node.email)]
   project = "testproject"
   role    = "roles/compute.viewer"
 }

tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf

@@ -631,13 +631,13 @@ resource "google_compute_subnetwork" "us-test1-minimal-gce-example-com" {
 }
 
 resource "google_project_iam_binding" "serviceaccount-control-plane" {
-  members = ["serviceAccount:control-plane[email protected]"]
+  members = [format("serviceAccount:%s", google_service_account.control-plane.email)]
   project = "testproject"
   role    = "roles/container.serviceAgent"
 }
 
 resource "google_project_iam_binding" "serviceaccount-nodes" {
-  members = ["serviceAccount:node[email protected]"]
+  members = [format("serviceAccount:%s", google_service_account.node.email)]
   project = "testproject"
   role    = "roles/compute.viewer"
 }

upup/pkg/fi/cloudup/gcetasks/instancetemplate.go

@@ -605,7 +605,7 @@ func mapServiceAccountsToTerraform(serviceAccounts []*ServiceAccount, saScopes [
 	var out []*terraformTemplateServiceAccount
 	for _, serviceAccount := range serviceAccounts {
 		tsa := &terraformTemplateServiceAccount{
-			Email:  serviceAccount.TerraformLink(),
+			Email:  serviceAccount.TerraformLink_Email(),
 			Scopes: scopes,
 		}
 		out = append(out, tsa)

upup/pkg/fi/cloudup/gcetasks/projectiambinding.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
+	"k8s.io/kops/upup/pkg/fi/cloudup/terraformWriter"
 )
 
 // ProjectIAMBinding represents an IAM rule on a project
@@ -33,9 +34,9 @@ type ProjectIAMBinding struct {
 	Name      *string
 	Lifecycle fi.Lifecycle
 
-	Project *string
-	Member  *string
-	Role    *string
+	Project              *string
+	MemberServiceAccount *ServiceAccount
+	Role                 *string
 }
 
 var _ fi.CompareWithID = &ProjectIAMBinding{}
@@ -50,7 +51,7 @@ func (e *ProjectIAMBinding) Find(c *fi.CloudupContext) (*ProjectIAMBinding, erro
 	cloud := c.T.Cloud.(gce.GCECloud)
 
 	projectID := fi.ValueOf(e.Project)
-	member := fi.ValueOf(e.Member)
+	member := "serviceAccount:" + fi.ValueOf(e.MemberServiceAccount.Email)
 	role := fi.ValueOf(e.Role)
 
 	klog.V(2).Infof("Checking IAM for project %q", projectID)
@@ -70,7 +71,7 @@ func (e *ProjectIAMBinding) Find(c *fi.CloudupContext) (*ProjectIAMBinding, erro
 
 	actual := &ProjectIAMBinding{}
 	actual.Project = e.Project
-	actual.Member = e.Member
+	actual.MemberServiceAccount = e.MemberServiceAccount
 	actual.Role = e.Role
 
 	// Ignore "system" fields
@@ -88,8 +89,11 @@ func (_ *ProjectIAMBinding) CheckChanges(a, e, changes *ProjectIAMBinding) error
 	if fi.ValueOf(e.Project) == "" {
 		return fi.RequiredField("Project")
 	}
-	if fi.ValueOf(e.Member) == "" {
-		return fi.RequiredField("Member")
+	if e.MemberServiceAccount == nil {
+		return fi.RequiredField("MemberServiceAccount")
+	}
+	if fi.ValueOf(e.MemberServiceAccount.Email) == "" {
+		return fi.RequiredField("MemberServiceAccount.Email")
 	}
 	if fi.ValueOf(e.Role) == "" {
 		return fi.RequiredField("Role")
@@ -101,7 +105,7 @@ func (_ *ProjectIAMBinding) RenderGCE(t *gce.GCEAPITarget, a, e, changes *Projec
 	ctx := context.TODO()
 
 	projectID := fi.ValueOf(e.Project)
-	member := fi.ValueOf(e.Member)
+	member := "serviceAccount:" + fi.ValueOf(e.MemberServiceAccount.Email)
 	role := fi.ValueOf(e.Role)
 
 	// Avoid concurrent operations
@@ -132,16 +136,16 @@ func (_ *ProjectIAMBinding) RenderGCE(t *gce.GCEAPITarget, a, e, changes *Projec
 
 // terraformProjectIAMBinding is the model for a terraform google_project_iam_binding rule
 type terraformProjectIAMBinding struct {
-	Project string   `cty:"project"`
-	Role    string   `cty:"role"`
-	Members []string `cty:"members"`
+	Project string                     `cty:"project"`
+	Role    string                     `cty:"role"`
+	Members []*terraformWriter.Literal `cty:"members"`
 }
 
 func (_ *ProjectIAMBinding) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *ProjectIAMBinding) error {
 	tf := &terraformProjectIAMBinding{
 		Project: fi.ValueOf(e.Project),
 		Role:    fi.ValueOf(e.Role),
-		Members: []string{fi.ValueOf(e.Member)},
+		Members: []*terraformWriter.Literal{e.MemberServiceAccount.TerraformLink_Member()},
 	}
 
 	return t.RenderResource("google_project_iam_binding", *e.Name, tf)

upup/pkg/fi/cloudup/gcetasks/projectiambinding_test.go

@@ -34,16 +34,23 @@ func TestProjectIAMBinding(t *testing.T) {
 
 	// We define a function so we can rebuild the tasks, because we modify in-place when running
 	buildTasks := func() map[string]fi.CloudupTask {
+		serviceAccount := &ServiceAccount{
+			Lifecycle: fi.LifecycleSync,
+
+			Email: fi.PtrTo("[email protected]"),
+		}
+
 		binding := &ProjectIAMBinding{
 			Lifecycle: fi.LifecycleSync,
 
-			Project: fi.PtrTo("testproject"),
-			Member:  fi.PtrTo("serviceAccount:[email protected]"),
-			Role:    fi.PtrTo("roles/owner"),
+			Project:              fi.PtrTo("testproject"),
+			MemberServiceAccount: serviceAccount,
+			Role:                 fi.PtrTo("roles/owner"),
 		}
 
 		return map[string]fi.CloudupTask{
-			"binding": binding,
+			"serviceAccount": serviceAccount,
+			"binding":        binding,
 		}
 	}
 

upup/pkg/fi/cloudup/gcetasks/serviceaccount.go

@@ -194,7 +194,7 @@ func (_ *ServiceAccount) RenderTerraform(t *terraform.TerraformTarget, a, e, cha
 	return t.RenderResource("google_service_account", *e.Name, tf)
 }
 
-func (e *ServiceAccount) TerraformLink() *terraformWriter.Literal {
+func (e *ServiceAccount) TerraformLink_Email() *terraformWriter.Literal {
 	shared := fi.ValueOf(e.Shared)
 	if shared {
 		email := fi.ValueOf(e.Email)
@@ -208,3 +208,22 @@ func (e *ServiceAccount) TerraformLink() *terraformWriter.Literal {
 
 	return terraformWriter.LiteralProperty("google_service_account", *e.Name, "email")
 }
+
+func (e *ServiceAccount) TerraformLink_Member() *terraformWriter.Literal {
+	shared := fi.ValueOf(e.Shared)
+	if shared {
+		email := fi.ValueOf(e.Email)
+		if email == "" {
+			klog.Fatalf("Email must be set, if ServiceAccount is shared: %#v", e)
+		}
+
+		klog.V(4).Infof("reusing existing ServiceAccount %q", email)
+		return terraformWriter.LiteralFromStringValue(email)
+	}
+
+	return terraformWriter.LiteralFunctionExpression(
+		"format",
+		terraformWriter.LiteralFromStringValue("serviceAccount:%s"),
+		terraformWriter.LiteralProperty("google_service_account", *e.Name, "email"),
+	)
+}

upup/pkg/fi/cloudup/gcetasks/storagebucketiam.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
+	"k8s.io/kops/upup/pkg/fi/cloudup/terraformWriter"
 )
 
 // StorageBucketIAM represents an IAM rule on a google cloud storage bucket
@@ -33,9 +34,9 @@ type StorageBucketIAM struct {
 	Name      *string
 	Lifecycle fi.Lifecycle
 
-	Bucket *string
-	Member *string
-	Role   *string
+	Bucket               *string
+	MemberServiceAccount *ServiceAccount
+	Role                 *string
 }
 
 var _ fi.CompareWithID = &StorageBucketIAM{}
@@ -50,7 +51,7 @@ func (e *StorageBucketIAM) Find(c *fi.CloudupContext) (*StorageBucketIAM, error)
 	cloud := c.T.Cloud.(gce.GCECloud)
 
 	bucket := fi.ValueOf(e.Bucket)
-	member := fi.ValueOf(e.Member)
+	member := "serviceAccount:" + fi.ValueOf(e.MemberServiceAccount.Email)
 	role := fi.ValueOf(e.Role)
 
 	klog.V(2).Infof("Checking GCS bucket IAM for gs://%s for %s", bucket, member)
@@ -69,7 +70,7 @@ func (e *StorageBucketIAM) Find(c *fi.CloudupContext) (*StorageBucketIAM, error)
 
 	actual := &StorageBucketIAM{}
 	actual.Bucket = e.Bucket
-	actual.Member = e.Member
+	actual.MemberServiceAccount = e.MemberServiceAccount
 	actual.Role = e.Role
 
 	// Ignore "system" fields
@@ -87,7 +88,10 @@ func (_ *StorageBucketIAM) CheckChanges(a, e, changes *StorageBucketIAM) error {
 	if fi.ValueOf(e.Bucket) == "" {
 		return fi.RequiredField("Bucket")
 	}
-	if fi.ValueOf(e.Member) == "" {
+	if e.MemberServiceAccount == nil {
+		return fi.RequiredField("MemberServiceAccount")
+	}
+	if fi.ValueOf(e.MemberServiceAccount.Email) == "" {
 		return fi.RequiredField("Member")
 	}
 	if fi.ValueOf(e.Role) == "" {
@@ -100,7 +104,7 @@ func (_ *StorageBucketIAM) RenderGCE(t *gce.GCEAPITarget, a, e, changes *Storage
 	ctx := context.TODO()
 
 	bucket := fi.ValueOf(e.Bucket)
-	member := fi.ValueOf(e.Member)
+	member := "serviceAccount:" + fi.ValueOf(e.MemberServiceAccount.Email)
 	role := fi.ValueOf(e.Role)
 
 	klog.V(2).Infof("Creating GCS bucket IAM for gs://%s for %s as %s", bucket, member, role)
@@ -126,19 +130,23 @@ func (_ *StorageBucketIAM) RenderGCE(t *gce.GCEAPITarget, a, e, changes *Storage
 
 // terraformStorageBucketIAM is the model for a terraform google_storage_bucket_iam_member rule
 type terraformStorageBucketIAM struct {
-	Bucket string `cty:"bucket"`
-	Role   string `cty:"role"`
-	Member string `cty:"member"`
+	Bucket string                   `cty:"bucket"`
+	Role   string                   `cty:"role"`
+	Member *terraformWriter.Literal `cty:"member"`
 }
 
 func (_ *StorageBucketIAM) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *StorageBucketIAM) error {
 	tf := &terraformStorageBucketIAM{
 		Bucket: fi.ValueOf(e.Bucket),
 		Role:   fi.ValueOf(e.Role),
-		Member: fi.ValueOf(e.Member),
+		Member: e.MemberServiceAccount.TerraformLink_Member(),
+	}
+
+	if err := t.RenderResource("google_storage_bucket_iam_member", *e.Name, tf); err != nil {
+		return err
 	}
 
-	return t.RenderResource("google_storage_bucket_iam_member", *e.Name, tf)
+	return nil
 }
 
 func patchPolicy(policy *storage.Policy, wantMember string, wantRole string) bool {

upup/pkg/fi/cloudup/gcetasks/storagebucketiam_test.go

@@ -34,16 +34,23 @@ func TestStorageBucketIAM(t *testing.T) {
 
 	// We define a function so we can rebuild the tasks, because we modify in-place when running
 	buildTasks := func() map[string]fi.CloudupTask {
+		serviceAccount := &ServiceAccount{
+			Lifecycle: fi.LifecycleSync,
+
+			Email: fi.PtrTo("[email protected]"),
+		}
+
 		binding := &StorageBucketIAM{
 			Lifecycle: fi.LifecycleSync,
 
-			Bucket: fi.PtrTo("bucket1"),
-			Member: fi.PtrTo("serviceAccount:[email protected]"),
-			Role:   fi.PtrTo("roles/owner"),
+			Bucket:               fi.PtrTo("bucket1"),
+			MemberServiceAccount: serviceAccount,
+			Role:                 fi.PtrTo("roles/owner"),
 		}
 
 		return map[string]fi.CloudupTask{
-			"binding": binding,
+			"serviceAccount": serviceAccount,
+			"binding":        binding,
 		}
 	}