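/*
 * Copyright © 2020 Atomist, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import * as gcp from "@pulumi/gcp";

import * as postgres from "../postgres";

/** A project-level IAM role plus the suffix used in the Pulumi resource name of its binding. */
interface ProjectRoleGrant {
  role: string;
  suffix: string;
}

/**
 * Project-level roles a workload identity service account needs to reach an
 * AlloyDB cluster as an IAM database user.
 */
const SERVICE_PROJECT_ROLES: readonly ProjectRoleGrant[] = [
  { role: "roles/alloydb.client", suffix: "alloydb-client-iam-member" },
  { role: "roles/alloydb.databaseUser", suffix: "alloydb-database-user-iam-member" },
  {
    role: "roles/serviceusage.serviceUsageConsumer",
    suffix: "service-usage-consumer-iam-member",
  },
];

/** Project-level roles a human IAM user needs to reach an AlloyDB cluster as an IAM database user. */
const HUMAN_PROJECT_ROLES: readonly ProjectRoleGrant[] = [
  { role: "roles/alloydb.databaseUser", suffix: "alloydb-database-user-iam-member" },
  {
    role: "roles/serviceusage.serviceUsageConsumer",
    suffix: "service-usage-consumer-iam-member",
  },
];

/**
 * Binds `member` to each role in `grants` at the project level.
 *
 * One `gcp.projects.IAMMember` is created per grant, named
 * `${namePrefix}-${grant.suffix}`. These are additive, non-authoritative
 * bindings scoped to the whole project, not to the cluster.
 *
 * @param namePrefix - Prefix for the Pulumi resource names of the bindings.
 * @param gcpProject - Project the roles are bound in.
 * @param member - IAM member string (or output resolving to one).
 * @param grants - Roles to bind and the name suffix for each.
 */
function grantProjectRoles(
  namePrefix: string,
  gcpProject: string,
  member: gcp.projects.IAMMemberArgs["member"],
  grants: readonly ProjectRoleGrant[],
): void {
  for (const { role, suffix } of grants) {
    new gcp.projects.IAMMember(`${namePrefix}-${suffix}`, {
      project: gcpProject,
      role,
      member,
    });
  }
}

interface ServiceUserArgs {
  cluster: gcp.alloydb.Cluster;
  gcpProject: string;
  primaryInstance: gcp.alloydb.Instance;
  serviceName: string;
  workloadIdentityServiceAccount: gcp.serviceaccount.Account;
  extraDatabaseRoles?: string[];
}

/**
 * Creates an AlloyDB IAM database user for a service's workload identity
 * service account and grants that account the project-level roles it needs
 * to connect.
 *
 * The database user gets the `alloydbiamuser` role plus any
 * `extraDatabaseRoles`; the extras are passed through unchecked, so the
 * caller is responsible for keeping them minimal.
 *
 * @param args.cluster - Cluster the user is created in.
 * @param args.gcpProject - Project the IAM role bindings are made in.
 * @param args.primaryInstance - Primary instance; user creation waits for it.
 * @param args.serviceName - Used in all Pulumi resource names.
 * @param args.workloadIdentityServiceAccount - Service account that becomes the user.
 * @param args.extraDatabaseRoles - Additional AlloyDB database roles (default none).
 * @returns The created `gcp.alloydb.User`.
 */
export function serviceUser({
  cluster,
  gcpProject,
  primaryInstance,
  serviceName,
  workloadIdentityServiceAccount,
  extraDatabaseRoles = [],
}: ServiceUserArgs): gcp.alloydb.User {
  grantProjectRoles(
    serviceName,
    gcpProject,
    workloadIdentityServiceAccount.member,
    SERVICE_PROJECT_ROLES,
  );

  return new gcp.alloydb.User(
    `alloydb-cluster-${serviceName}-user-${serviceName}-service`,
    {
      cluster: cluster.name,
      databaseRoles: ["alloydbiamuser", ...extraDatabaseRoles],
      // The user id is derived from the service account by the shared helper.
      userId: postgres.serviceIAMUser(workloadIdentityServiceAccount),
      userType: "ALLOYDB_IAM_USER",
    },
    // The cluster has no instance to create the user on until the primary exists.
    { dependsOn: primaryInstance },
  );
}

interface UserArgs {
  cluster: gcp.alloydb.Cluster;
  gcpProject: string;
  iamUser: string;
  primaryInstance: gcp.alloydb.Instance;
  serviceName: string;
  extraDatabaseRoles?: string[];
}

/** A parsed `user:EMAIL` IAM member string. */
interface UserPrincipal {
  /** Full e-mail address, e.g. `alice@example.com`. */
  email: string;
  /** Everything before the first `@`. */
  localPart: string;
}

/**
 * Matches `user:LOCAL@DOMAIN` where LOCAL is non-empty and contains neither
 * whitespace nor `@`, and DOMAIN is non-empty and contains no whitespace.
 */
const USER_PRINCIPAL = /^user:([^@\s]+)@(\S+)$/;

/**
 * Parses an IAM member string of the form `user:EMAIL`.
 *
 * Requiring an `@` up front means a malformed principal such as `user:alice`
 * is rejected here rather than producing a non-e-mail `userId` and an empty
 * or misleading resource-name prefix.
 *
 * @param iamUser - IAM member string, e.g. `user:alice@example.com`.
 * @returns The e-mail address and its local part.
 * @throws Error if `iamUser` is not a `user:` principal carrying an e-mail address.
 */
function parseUserPrincipal(iamUser: string): UserPrincipal {
  const match = USER_PRINCIPAL.exec(iamUser);
  // Both groups are mandatory in the pattern; the guard exists so the
  // indexed access type-checks under noUncheckedIndexedAccess.
  const localPart = match?.[1];
  const domain = match?.[2];
  if (localPart === undefined || domain === undefined) {
    throw new Error(`invalid iamUser: ${iamUser}`);
  }
  return { email: `${localPart}@${domain}`, localPart };
}

/**
 * Creates an AlloyDB IAM database user for a human IAM principal and grants
 * that principal the project-level roles it needs to connect.
 *
 * The database user is granted `alloydbiamuser` and `alloydbsuperuser` (by
 * its name the cluster superuser role) unconditionally, plus any
 * `extraDatabaseRoles`, so this function should only be used for principals
 * that are meant to administer the cluster.
 *
 * NOTE(review): Pulumi resource names are derived from the e-mail's local
 * part only, so two IAM users sharing a local part at different domains
 * (for example `alice@a.example` and `alice@b.example`) would collide on
 * resource names within one stack. Names are kept as-is here because
 * changing them would replace existing resources.
 *
 * @param args.cluster - Cluster the user is created in.
 * @param args.gcpProject - Project the IAM role bindings are made in.
 * @param args.iamUser - IAM member string of the form `user:EMAIL`.
 * @param args.primaryInstance - Primary instance; user creation waits for it.
 * @param args.serviceName - Used in the Pulumi name of the database user.
 * @param args.extraDatabaseRoles - Additional AlloyDB database roles (default none).
 * @returns The created `gcp.alloydb.User`.
 * @throws Error if `iamUser` is not a `user:EMAIL` principal.
 */
export function user({
  cluster,
  gcpProject,
  iamUser,
  primaryInstance,
  serviceName,
  extraDatabaseRoles = [],
}: UserArgs): gcp.alloydb.User {
  const { email, localPart } = parseUserPrincipal(iamUser);

  grantProjectRoles(localPart, gcpProject, iamUser, HUMAN_PROJECT_ROLES);

  return new gcp.alloydb.User(
    `alloydb-cluster-${serviceName}-user-${localPart}`,
    {
      cluster: cluster.name,
      databaseRoles: ["alloydbiamuser", "alloydbsuperuser", ...extraDatabaseRoles],
      userId: email,
      userType: "ALLOYDB_IAM_USER",
    },
    // The cluster has no instance to create the user on until the primary exists.
    { dependsOn: primaryInstance },
  );
}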