fix: use less privilege roles for ci service account

metadata.yaml

@@ -195,7 +195,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/memorystore.admin
+          - roles/redis.admin
+          - roles/memcache.admin
+          - roles/compute.networkAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - serviceusage.googleapis.com
@@ -204,6 +208,7 @@ spec:
       - serviceconsumermanagement.googleapis.com
       - networkconnectivity.googleapis.com
       - compute.googleapis.com
+      - memorystore.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 4.74.0, < 7"

modules/memcache/metadata.yaml

@@ -46,24 +46,53 @@ spec:
         location: examples/valkey
   interfaces:
     variables:
+      - name: region
+        description: The GCP region to use.
+        varType: string
+        required: true
+      - name: project_id
+        description: The ID of the project in which the resource belongs to.
+        varType: string
+        required: true
+      - name: enable_apis
+        description: Flag for enabling memcache.googleapis.com in your project
+        varType: bool
+        defaultValue: true
+      - name: name
+        description: The ID of the instance or a fully qualified identifier for the instance.
+        varType: string
+        required: true
+      - name: memcache_version
+        description: The major version of Memcached software.
+        varType: string
       - name: authorized_network
         description: The full name of the Google Compute Engine network to which the instance is connected. If left unspecified, the default network will be used.
         varType: string
+      - name: node_count
+        description: Number of nodes in the memcache instance.
+        varType: number
+        defaultValue: 1
       - name: cpu_count
         description: Number of CPUs per node
         varType: number
         defaultValue: 1
+      - name: memory_size_mb
+        description: Memcache memory size in MiB. Defaulted to 1024
+        varType: number
+        defaultValue: 1024
+      - name: zones
+        description: Zones where memcache nodes should be provisioned. If not provided, all zones will be used.
+        varType: list(string)
       - name: display_name
         description: An arbitrary and optional user-provided name for the instance.
         varType: string
-      - name: enable_apis
-        description: Flag for enabling memcache.googleapis.com in your project
-        varType: bool
-        defaultValue: true
       - name: labels
         description: The resource labels to represent user provided metadata.
         varType: map(string)
         defaultValue: {}
+      - name: params
+        description: Parameters for the memcache process
+        varType: map(string)
       - name: maintenance_policy
         description: The maintenance policy for an instance.
         varType: |-
@@ -77,35 +106,6 @@ spec:
                 nanos   = number
               })
             })
-      - name: memcache_version
-        description: The major version of Memcached software.
-        varType: string
-      - name: memory_size_mb
-        description: Memcache memory size in MiB. Defaulted to 1024
-        varType: number
-        defaultValue: 1024
-      - name: name
-        description: The ID of the instance or a fully qualified identifier for the instance.
-        varType: string
-        required: true
-      - name: node_count
-        description: Number of nodes in the memcache instance.
-        varType: number
-        defaultValue: 1
-      - name: params
-        description: Parameters for the memcache process
-        varType: map(string)
-      - name: project_id
-        description: The ID of the project in which the resource belongs to.
-        varType: string
-        required: true
-      - name: region
-        description: The GCP region to use.
-        varType: string
-        required: true
-      - name: zones
-        description: Zones where memcache nodes should be provisioned. If not provided, all zones will be used.
-        varType: list(string)
     outputs:
       - name: discovery
         description: The memorystore discovery endpoint.
@@ -119,7 +119,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/memorystore.admin
+          - roles/redis.admin
+          - roles/memcache.admin
+          - roles/compute.networkAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - serviceusage.googleapis.com
@@ -128,3 +132,9 @@ spec:
       - serviceconsumermanagement.googleapis.com
       - networkconnectivity.googleapis.com
       - compute.googleapis.com
+      - memorystore.googleapis.com
+    providerVersions:
+      - source: hashicorp/google
+        version: ">= 4.23.0, < 7"
+      - source: hashicorp/google-beta
+        version: ">= 4.23.0, < 7"

modules/redis-cluster/metadata.yaml

@@ -46,52 +46,42 @@ spec:
         location: examples/valkey
   interfaces:
     variables:
-      - name: authorization_mode
-        description: "The authorization mode of the Redis cluster. If not provided, auth feature is disabled for the cluster. Default value is AUTH_MODE_DISABLED. Possible values are: AUTH_MODE_UNSPECIFIED, AUTH_MODE_IAM_AUTH, AUTH_MODE_DISABLED"
-        varType: string
-        defaultValue: AUTH_MODE_DISABLED
-      - name: deletion_protection_enabled
-        description: " Indicates if the cluster is deletion protected or not. If the value if set to true, any delete cluster operation will fail. Default value is true"
-        varType: bool
-        defaultValue: true
-      - name: enable_apis
-        description: Flag for enabling memcache.googleapis.com in your project
-        varType: bool
-        defaultValue: true
       - name: name
         description: The ID of the instance or a fully qualified identifier for the instance. must be 1 to 63 characters and use only lowercase letters, numbers, or hyphens. It must start with a lowercase letter and end with a lowercase letter or number
         varType: string
         required: true
-      - name: network
-        description: List of consumer network where the network address of the discovery endpoint will be reserved, in the form of projects/{network_project_id_or_number}/global/networks/{network_id}. Currently, only one item is supported
-        varType: list(string)
-        required: true
-      - name: node_type
-        description: "The nodeType for the Redis cluster. If not provided, REDIS_HIGHMEM_MEDIUM will be used as default Possible values are: REDIS_SHARED_CORE_NANO, REDIS_HIGHMEM_MEDIUM, REDIS_HIGHMEM_XLARGE, REDIS_STANDARD_SMALL."
-        varType: string
       - name: project_id
         description: The ID of the project in which the resource belongs to.
         varType: string
         required: true
-      - name: redis_configs
-        description: Configure Redis Cluster behavior using a subset of native Redis configuration parameters
-        varType: |-
-          object({
-              maxmemory-clients       = optional(string)
-              maxmemory               = optional(string)
-              maxmemory-policy        = optional(string)
-              notify-keyspace-events  = optional(string)
-              slowlog-log-slower-than = optional(number)
-              maxclients              = optional(number)
-            })
       - name: region
         description: The name of the region of the Redis cluster
         varType: string
         required: true
+      - name: enable_apis
+        description: Flag for enabling memcache.googleapis.com in your project
+        varType: bool
+        defaultValue: true
+      - name: shard_count
+        description: Required. Number of shards for the Redis cluster. The minimum number of shards in a Memorystore cluster is 3 shards
+        varType: number
+        defaultValue: 3
       - name: replica_count
         description: The number of replica nodes per shard. Each shard can have 0, 1, or 2 replica nodes. Replicas provide high availability and additional read throughput, and are evenly distributed across zones
         varType: number
         defaultValue: 0
+      - name: transit_encryption_mode
+        description: "The in-transit encryption for the Redis cluster. If not provided, encryption is disabled for the cluster. Default value is TRANSIT_ENCRYPTION_MODE_DISABLED. Possible values are: TRANSIT_ENCRYPTION_MODE_UNSPECIFIED, TRANSIT_ENCRYPTION_MODE_DISABLED, TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION"
+        varType: string
+        defaultValue: TRANSIT_ENCRYPTION_MODE_DISABLED
+      - name: authorization_mode
+        description: "The authorization mode of the Redis cluster. If not provided, auth feature is disabled for the cluster. Default value is AUTH_MODE_DISABLED. Possible values are: AUTH_MODE_UNSPECIFIED, AUTH_MODE_IAM_AUTH, AUTH_MODE_DISABLED"
+        varType: string
+        defaultValue: AUTH_MODE_DISABLED
+      - name: network
+        description: List of consumer network where the network address of the discovery endpoint will be reserved, in the form of projects/{network_project_id_or_number}/global/networks/{network_id}. Currently, only one item is supported
+        varType: list(string)
+        required: true
       - name: service_connection_policies
         description: The Service Connection Policies to create
         varType: |-
@@ -104,21 +94,31 @@ spec:
               labels          = optional(map(string), {})
             }))
         defaultValue: {}
-      - name: shard_count
-        description: Required. Number of shards for the Redis cluster. The minimum number of shards in a Memorystore cluster is 3 shards
-        varType: number
-        defaultValue: 3
-      - name: transit_encryption_mode
-        description: "The in-transit encryption for the Redis cluster. If not provided, encryption is disabled for the cluster. Default value is TRANSIT_ENCRYPTION_MODE_DISABLED. Possible values are: TRANSIT_ENCRYPTION_MODE_UNSPECIFIED, TRANSIT_ENCRYPTION_MODE_DISABLED, TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION"
+      - name: node_type
+        description: "The nodeType for the Redis cluster. If not provided, REDIS_HIGHMEM_MEDIUM will be used as default Possible values are: REDIS_SHARED_CORE_NANO, REDIS_HIGHMEM_MEDIUM, REDIS_HIGHMEM_XLARGE, REDIS_STANDARD_SMALL."
         varType: string
-        defaultValue: TRANSIT_ENCRYPTION_MODE_DISABLED
+      - name: redis_configs
+        description: Configure Redis Cluster behavior using a subset of native Redis configuration parameters
+        varType: |-
+          object({
+              maxmemory-clients       = optional(string)
+              maxmemory               = optional(string)
+              maxmemory-policy        = optional(string)
+              notify-keyspace-events  = optional(string)
+              slowlog-log-slower-than = optional(number)
+              maxclients              = optional(number)
+            })
       - name: zone_distribution_config_mode
         description: "The mode for zone distribution for Memorystore Redis cluster (Immutable). If not provided, MULTI_ZONE will be used as default value. Possible values are: MULTI_ZONE, SINGLE_ZONE"
         varType: string
         defaultValue: MULTI_ZONE
       - name: zone_distribution_config_zone
         description: The zone for single zone Memorystore Redis cluster (Immutable)
         varType: string
+      - name: deletion_protection_enabled
+        description: " Indicates if the cluster is deletion protected or not. If the value if set to true, any delete cluster operation will fail. Default value is true"
+        varType: bool
+        defaultValue: true
     outputs:
       - name: discovery_endpoints
         description: Endpoints created on each given network, for Redis clients to connect to the cluster. Currently only one endpoint is supported
@@ -132,7 +132,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/memorystore.admin
+          - roles/redis.admin
+          - roles/memcache.admin
+          - roles/compute.networkAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - serviceusage.googleapis.com
@@ -141,3 +145,7 @@ spec:
       - serviceconsumermanagement.googleapis.com
       - networkconnectivity.googleapis.com
       - compute.googleapis.com
+      - memorystore.googleapis.com
+    providerVersions:
+      - source: hashicorp/google
+        version: ">= 6.0, < 7"