/** * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ resource "google_service_account_iam_member" "custom_service_account" { provider = google-beta service_account_id = google_service_account.composer.id role = "roles/composer.ServiceAgentV2Ext" member = "serviceAccount:service-${module.app_cloudbuild_project.project_number}@cloudcomposer-accounts.iam.gserviceaccount.com" } resource "google_project_iam_custom_role" "composer-sa-gcs" { project = module.app_cloudbuild_project.project_id role_id = "composerServiceAccountGCS" title = "Composer Service Account Cloud Storage" description = "Provides access to cloud storage for Cloud Composer service accounts" permissions = [ # Storage Object Admin "resourcemanager.projects.get", "storage.objects.create", "storage.objects.delete", "storage.objects.get", "storage.objects.getIamPolicy", "storage.objects.list", "storage.objects.update", ] } resource "google_project_iam_custom_role" "composer-sa-bq" { project = module.app_cloudbuild_project.project_id role_id = "composerServiceAccountBQ" title = "Composer Service Account BigQuery" description = "Provides access to BigQuery for Cloud Composer service accounts" permissions = [ # BigQuery Data Editor "bigquery.datasets.create", "bigquery.datasets.get", "bigquery.datasets.getIamPolicy", "bigquery.datasets.updateTag", "bigquery.models.create", "bigquery.models.delete", "bigquery.models.export", "bigquery.models.getData", "bigquery.models.getMetadata", "bigquery.models.list", "bigquery.models.updateData", "bigquery.models.updateMetadata", "bigquery.models.updateTag", "bigquery.routines.create", "bigquery.routines.delete", "bigquery.routines.get", "bigquery.routines.list", "bigquery.routines.update", "bigquery.routines.updateTag", "bigquery.tables.create", "bigquery.tables.createSnapshot", "bigquery.tables.delete", "bigquery.tables.export", "bigquery.tables.get", "bigquery.tables.getData", "bigquery.tables.getIamPolicy", "bigquery.tables.list", "bigquery.tables.restoreSnapshot", "bigquery.tables.update", "bigquery.tables.updateData", "bigquery.tables.updateTag", "resourcemanager.projects.get", "bigquery.jobs.create" ] } resource "google_project_iam_custom_role" "composer-sa-vertex" { project = module.app_cloudbuild_project.project_id role_id = "composerServiceAccountVertex" title = "Composer Service Account Vertex AI" description = "Provides access to Vertex for Cloud Composer service accounts" permissions = [ # Vertex AI User "aiplatform.annotations.create", "aiplatform.annotations.delete", "aiplatform.annotations.get", "aiplatform.annotations.list", "aiplatform.annotations.update", "aiplatform.annotationSpecs.create", "aiplatform.annotationSpecs.delete", "aiplatform.annotationSpecs.get", "aiplatform.annotationSpecs.list", "aiplatform.annotationSpecs.update", "aiplatform.artifacts.create", "aiplatform.artifacts.delete", "aiplatform.artifacts.get", "aiplatform.artifacts.list", "aiplatform.artifacts.update", "aiplatform.batchPredictionJobs.cancel", "aiplatform.batchPredictionJobs.create", "aiplatform.batchPredictionJobs.delete", "aiplatform.batchPredictionJobs.get", "aiplatform.batchPredictionJobs.list", "aiplatform.contexts.addContextArtifactsAndExecutions", "aiplatform.contexts.addContextChildren", "aiplatform.contexts.create", "aiplatform.contexts.delete", "aiplatform.contexts.get", "aiplatform.contexts.list", "aiplatform.contexts.queryContextLineageSubgraph", "aiplatform.contexts.update", "aiplatform.customJobs.cancel", "aiplatform.customJobs.create", "aiplatform.customJobs.delete", "aiplatform.customJobs.get", "aiplatform.customJobs.list", "aiplatform.dataItems.create", "aiplatform.dataItems.delete", "aiplatform.dataItems.get", "aiplatform.dataItems.list", "aiplatform.dataItems.update", "aiplatform.dataLabelingJobs.cancel", "aiplatform.dataLabelingJobs.create", "aiplatform.dataLabelingJobs.delete", "aiplatform.dataLabelingJobs.get", "aiplatform.dataLabelingJobs.list", "aiplatform.datasets.create", "aiplatform.datasets.delete", "aiplatform.datasets.export", "aiplatform.datasets.get", "aiplatform.datasets.import", "aiplatform.datasets.list", "aiplatform.datasets.update", "aiplatform.edgeDeploymentJobs.create", "aiplatform.edgeDeploymentJobs.delete", "aiplatform.edgeDeploymentJobs.get", "aiplatform.edgeDeploymentJobs.list", "aiplatform.edgeDeviceDebugInfo.get", "aiplatform.edgeDevices.create", "aiplatform.edgeDevices.delete", "aiplatform.edgeDevices.get", "aiplatform.edgeDevices.list", "aiplatform.edgeDevices.update", "aiplatform.endpoints.create", "aiplatform.endpoints.delete", "aiplatform.endpoints.deploy", "aiplatform.endpoints.explain", "aiplatform.endpoints.get", "aiplatform.endpoints.list", "aiplatform.endpoints.predict", "aiplatform.endpoints.undeploy", "aiplatform.endpoints.update", "aiplatform.entityTypes.create", "aiplatform.entityTypes.delete", "aiplatform.entityTypes.exportFeatureValues", "aiplatform.entityTypes.get", "aiplatform.entityTypes.importFeatureValues", "aiplatform.entityTypes.list", "aiplatform.entityTypes.readFeatureValues", "aiplatform.entityTypes.streamingReadFeatureValues", "aiplatform.entityTypes.update", "aiplatform.entityTypes.writeFeatureValues", "aiplatform.executions.addExecutionEvents", "aiplatform.executions.create", "aiplatform.executions.delete", "aiplatform.executions.get", "aiplatform.executions.list", "aiplatform.executions.queryExecutionInputsAndOutputs", "aiplatform.executions.update", "aiplatform.features.create", "aiplatform.features.delete", "aiplatform.features.get", "aiplatform.features.list", "aiplatform.features.update", "aiplatform.featurestores.batchReadFeatureValues", "aiplatform.featurestores.create", "aiplatform.featurestores.delete", "aiplatform.featurestores.exportFeatures", "aiplatform.featurestores.get", "aiplatform.featurestores.importFeatures", "aiplatform.featurestores.list", "aiplatform.featurestores.readFeatures", "aiplatform.featurestores.update", "aiplatform.featurestores.writeFeatures", "aiplatform.humanInTheLoops.create", "aiplatform.humanInTheLoops.delete", "aiplatform.humanInTheLoops.get", "aiplatform.humanInTheLoops.list", "aiplatform.humanInTheLoops.send", "aiplatform.humanInTheLoops.update", "aiplatform.hyperparameterTuningJobs.cancel", "aiplatform.hyperparameterTuningJobs.create", "aiplatform.hyperparameterTuningJobs.delete", "aiplatform.hyperparameterTuningJobs.get", "aiplatform.hyperparameterTuningJobs.list", "aiplatform.indexEndpoints.create", "aiplatform.indexEndpoints.delete", "aiplatform.indexEndpoints.deploy", "aiplatform.indexEndpoints.get", "aiplatform.indexEndpoints.list", "aiplatform.indexEndpoints.undeploy", "aiplatform.indexEndpoints.update", "aiplatform.indexes.create", "aiplatform.indexes.delete", "aiplatform.indexes.get", "aiplatform.indexes.list", "aiplatform.indexes.update", "aiplatform.locations.get", "aiplatform.locations.list", "aiplatform.metadataSchemas.create", "aiplatform.metadataSchemas.delete", "aiplatform.metadataSchemas.get", "aiplatform.metadataSchemas.list", "aiplatform.metadataStores.create", "aiplatform.metadataStores.delete", "aiplatform.metadataStores.get", "aiplatform.metadataStores.list", "aiplatform.modelDeploymentMonitoringJobs.create", "aiplatform.modelDeploymentMonitoringJobs.delete", "aiplatform.modelDeploymentMonitoringJobs.get", "aiplatform.modelDeploymentMonitoringJobs.list", "aiplatform.modelDeploymentMonitoringJobs.pause", "aiplatform.modelDeploymentMonitoringJobs.resume", "aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies", "aiplatform.modelDeploymentMonitoringJobs.update", "aiplatform.modelEvaluations.exportEvaluatedDataItems", "aiplatform.modelEvaluations.get", "aiplatform.modelEvaluations.list", "aiplatform.modelEvaluationSlices.get", "aiplatform.modelEvaluationSlices.list", "aiplatform.models.delete", "aiplatform.models.export", "aiplatform.models.get", "aiplatform.models.list", "aiplatform.models.update", "aiplatform.models.upload", "aiplatform.nasJobs.cancel", "aiplatform.nasJobs.create", "aiplatform.nasJobs.delete", "aiplatform.nasJobs.get", "aiplatform.nasJobs.list", "aiplatform.operations.list", "aiplatform.pipelineJobs.cancel", "aiplatform.pipelineJobs.create", "aiplatform.pipelineJobs.delete", "aiplatform.pipelineJobs.get", "aiplatform.pipelineJobs.list", "aiplatform.specialistPools.create", "aiplatform.specialistPools.delete", "aiplatform.specialistPools.get", "aiplatform.specialistPools.list", "aiplatform.specialistPools.update", "aiplatform.studies.create", "aiplatform.studies.delete", "aiplatform.studies.get", "aiplatform.studies.list", "aiplatform.studies.update", "aiplatform.tensorboardExperiments.create", "aiplatform.tensorboardExperiments.delete", "aiplatform.tensorboardExperiments.get", "aiplatform.tensorboardExperiments.list", "aiplatform.tensorboardExperiments.update", "aiplatform.tensorboardExperiments.write", "aiplatform.tensorboardRuns.create", "aiplatform.tensorboardRuns.delete", "aiplatform.tensorboardRuns.get", "aiplatform.tensorboardRuns.list", "aiplatform.tensorboardRuns.update", "aiplatform.tensorboardRuns.write", "aiplatform.tensorboards.create", "aiplatform.tensorboards.delete", "aiplatform.tensorboards.get", "aiplatform.tensorboards.list", "aiplatform.tensorboards.update", "aiplatform.tensorboardTimeSeries.create", "aiplatform.tensorboardTimeSeries.delete", "aiplatform.tensorboardTimeSeries.get", "aiplatform.tensorboardTimeSeries.list", "aiplatform.tensorboardTimeSeries.read", "aiplatform.tensorboardTimeSeries.update", "aiplatform.trainingPipelines.cancel", "aiplatform.trainingPipelines.create", "aiplatform.trainingPipelines.delete", "aiplatform.trainingPipelines.get", "aiplatform.trainingPipelines.list", "aiplatform.trials.create", "aiplatform.trials.delete", "aiplatform.trials.get", "aiplatform.trials.list", "aiplatform.trials.update", "resourcemanager.projects.get", ] }