create harness ccm connectors for gcp projects and assign access to gcp projects with tf

gcp.tf

locals {
  # pull in accounts csv
  projects_raw = csvdecode(file("./projects.csv"))
  # only get linked account (ignore masters)
  projects = [for account in local.projects_raw : account if account["Type"] == "Linked Account"]
}

variable "harness_gcp_sa" {
  type = string
}

terraform {
  required_providers {
    harness = {
      source = "harness/harness"
    }
    google = {
      source = "google"
    }
  }
}

resource "harness_platform_connector_gcp_cloud_cost" "this" {
  for_each = { for project in local.projects : "${trimspace(project["Linked account id"])}" => project }

  identifier = replace(trimspace(each.value["Linked account name"]), "-", "_")
  name       = replace(trimspace(each.value["Linked account name"]), "-", "_")

  features_enabled      = ["VISIBILITY", "OPTIMIZATION"]
  gcp_project_id        = trimspace(each.value["Linked account id"])
  service_account_email = var.harness_gcp_sa
}

# for view access
resource "google_project_iam_member" "viewer" {
  for_each = { for project in local.projects : "${trimspace(project["Linked account id"])}" => project }

  project = trimspace(each.value["Linked account id"])
  role    = "roles/viewer"
  member  = "serviceAccount:${var.harness_gcp_sa}"
}

# for fine grain autostopping permissions
resource "google_project_iam_custom_role" "harness_autostopping" {
  for_each = { for project in local.projects : "${trimspace(project["Linked account id"])}" => project }

  project = trimspace(each.value["Linked account id"])
  role_id = "harness_autostopping"
  title   = "harness_autostopping"
  permissions = [
    "compute.addresses.create",
    "compute.addresses.createInternal",
    "compute.addresses.delete",
    "compute.addresses.deleteInternal",
    "compute.addresses.get",
    "compute.addresses.list",
    "compute.addresses.setLabels",
    "compute.addresses.use",
    "compute.addresses.useInternal",
    "compute.autoscalers.create",
    "compute.autoscalers.delete",
    "compute.autoscalers.get",
    "compute.autoscalers.list",
    "compute.autoscalers.update",
    "compute.instanceGroupManagers.create",
    "compute.instanceGroupManagers.delete",
    "compute.instanceGroupManagers.get",
    "compute.instanceGroupManagers.list",
    "compute.instanceGroupManagers.update",
    "compute.instanceGroupManagers.use",
    "compute.instanceGroups.create",
    "compute.instanceGroups.delete",
    "compute.instanceGroups.get",
    "compute.instanceGroups.list",
    "compute.instanceGroups.update",
    "compute.instanceGroups.use",
    "compute.instances.addAccessConfig",
    "compute.instances.attachDisk",
    "compute.instances.create",
    "compute.instances.createTagBinding",
    "compute.instances.delete",
    "compute.instances.deleteAccessConfig",
    "compute.instances.deleteTagBinding",
    "compute.instances.detachDisk",
    "compute.instances.get",
    "compute.instances.getEffectiveFirewalls",
    "compute.instances.getIamPolicy",
    "compute.instances.getSerialPortOutput",
    "compute.instances.list",
    "compute.instances.listEffectiveTags",
    "compute.instances.listTagBindings",
    "compute.instances.osAdminLogin",
    "compute.instances.osLogin",
    "compute.instances.removeResourcePolicies",
    "compute.instances.reset",
    "compute.instances.resume",
    "compute.instances.sendDiagnosticInterrupt",
    "compute.instances.setDeletionProtection",
    "compute.instances.setDiskAutoDelete",
    "compute.instances.setIamPolicy",
    "compute.instances.setLabels",
    "compute.instances.setMachineResources",
    "compute.instances.setMachineType",
    "compute.instances.setMetadata",
    "compute.instances.setMinCpuPlatform",
    "compute.instances.setScheduling",
    "compute.instances.setServiceAccount",
    "compute.instances.setShieldedInstanceIntegrityPolicy",
    "compute.instances.setShieldedVmIntegrityPolicy",
    "compute.instances.setTags",
    "compute.instances.start",
    "compute.instances.stop",
    "compute.instances.suspend",
    "compute.instances.update",
    "compute.instances.updateAccessConfig",
    "compute.instances.updateDisplayDevice",
    "compute.instances.updateNetworkInterface",
    "compute.instances.updateSecurity",
    "compute.instances.updateShieldedInstanceConfig",
    "compute.instances.updateShieldedVmConfig",
    "compute.instances.use",
    "compute.instances.useReadOnly",
    "compute.machineTypes.list",
    "compute.networks.access",
    "compute.networks.get",
    "compute.networks.getEffectiveFirewalls",
    "compute.networks.getRegionEffectiveFirewalls",
    "compute.networks.list",
    "compute.networks.mirror",
    "compute.regions.get",
    "compute.regions.list",
    "compute.firewalls.list",
    "compute.subnetworks.list",
    "compute.disks.create",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "secretmanager.versions.access",
    "compute.projects.get",
  ]
}

resource "google_project_iam_member" "autostopping" {
  for_each = { for project in local.projects : "${trimspace(project["Linked account id"])}" => project }

  project = trimspace(each.value["Linked account id"])
  role    = google_project_iam_custom_role.harness_autostopping[trimspace(each.value["Linked account id"])].id
  member  = "serviceAccount:${var.harness_gcp_sa}"
}