###########################################
# IAM ROLES
###########################################
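resource "google_project_iam_custom_role" "fencing" {
  role_id     = "fencing"
  title       = "Fencing"
  # A description shows up in IAM audits/console; it is the only place the
  # intended binding level is recorded for whoever reviews this role later.
  description = "Power-cycle (reset/stop) a single instance for cluster fencing. Intended for instance-level bindings only."
  # This block only defines the permission set. How dangerous it is depends
  # entirely on where it is bound: at instance level (as below) the member
  # can only act on that one instance; at project level it could reset or
  # stop every instance in the project.
  permissions = [
    # Allows the instance status to be queried before/after a fencing action.
    "compute.instances.get",
    # HARD reset: immediate reset, not an orderly shutdown (the fencing primitive).
    "compute.instances.reset",
    # SOFT poweroff: orderly shutdown at the OS level, escalating to a hard
    # poweroff after a ~3 minute timeout.
    "compute.instances.stop",
    # NOTE: As of this writing, GCP has no HARD poweroff API call, so a hard
    # reset is the only immediate action available.
  ]
}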
resource "google_project_iam_custom_role" "list-instances" {
  title   = "List instances"
  role_id = "list.instances"
  # Read-only set: listing instances needs the zone list plus the
  # zone-operation read permissions, none of which mutate anything.
  # This role is bound at project level below, so it exposes instance
  # metadata for the whole project to the member, nothing more.
  permissions = [
    "compute.instances.list",
    "compute.zones.list",
    "compute.zoneOperations.get",
    "compute.zoneOperations.list",
  ]
}
###########################################
# IAM SERVICE ACCOUNTS
###########################################
# Per-instance service account for data1. It carries no roles by itself;
# everything it may do is granted by the bindings further down (and any
# bindings outside this file).
resource "google_service_account" "data1" {
  display_name = "data1"
  account_id   = "data1"
}
# Per-instance service account for data2, mirroring data1 above.
resource "google_service_account" "data2" {
  display_name = "data2"
  account_id   = "data2"
}
###########################################
# ATTACHING SERVICE ACCOUNT TO INSTANCE
###########################################
# Data server instance. Only the service-account attachment is shown here;
# the rest of the instance definition is elided.
resource "google_compute_instance" "data" {
name = var.hostname
# Other stuff...
service_account {
# Service account for this instance. The email is built from var.hostname
# rather than referencing google_service_account.data1/data2.email, so
# Terraform sees no dependency on those resources: on a fresh apply the
# instance may be created before its service account exists, and any
# hostname other than data1/data2 points at a service account this file
# never creates. NOTE(review): consider referencing the resource attribute.
email = "${var.hostname}@${var.project}.iam.gserviceaccount.com"
# OAuth scopes cap what an access token obtained from the metadata server
# may be used for; effective access is the intersection of these scopes and
# the IAM roles bound to the service account (see the bindings below).
scopes = [
# Custom service accounts don't include the default scope set unless it is
# listed explicitly.
# TODO: Get rid of these when
# https://github.com/terraform-providers/terraform-provider-google/issues/1943
# is fixed.
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/pubsub",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append",
#"default",
# "compute-rw" is the alias for the full Compute read/write scope and is
# needed for the fencing and list calls made with this instance's token.
# It is broad at the scope level; what actually limits this service
# account to get/reset/stop on its peer and list on the project is the
# IAM custom roles bound below, so keep those bindings tight.
"compute-rw",
]
}
}
###########################################
# IAM INSTANCE-LEVEL BINDINGS
###########################################
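locals {
  # Which data server is allowed to fence which: each host's peer.
  # NOTE: This expects exactly two data servers per region.
  fencing_peers = {
    data1 = "data2"
    data2 = "data1"
  }
  # Indexing the map (instead of a `hostname == "data1" ? ... : ...` ternary)
  # makes `terraform plan` fail for any hostname other than data1/data2.
  # The ternary form silently mapped every unknown hostname to "data1",
  # which would have granted data1's service account fencing rights on an
  # unrelated instance.
  fencing_peer = local.fencing_peers[var.hostname]
}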
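resource "google_compute_instance_iam_binding" "fencing" {
  zone          = var.zone
  instance_name = google_compute_instance.data.name
  # Reference the role resource rather than a string-built
  # "projects/${var.project}/roles/fencing": the reference makes Terraform
  # create the custom role before this binding and always points at the
  # project the role was actually created in.
  role = google_project_iam_custom_role.fencing.name
  # NOTE: *_iam_binding is authoritative for this role on this instance --
  # any other member granted "fencing" on the instance outside Terraform is
  # removed on the next apply. That is desirable for a fencing grant (no
  # stray members can reset this server); use *_iam_member if an additive
  # grant is ever wanted instead.
  members = [
    # Only this instance's peer may fence this instance. Because the binding
    # is instance-scoped, the peer cannot reset or stop any other instance.
    "serviceAccount:${local.fencing_peer}@${var.project}.iam.gserviceaccount.com",
  ]
}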
###########################################
# IAM PROJECT-LEVEL BINDINGS
###########################################
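resource "google_project_iam_member" "list-instances" {
  project = var.project
  # Reference the role resource instead of the string
  # "projects/${var.project}/roles/list.instances" so the role is created
  # before the member is added and the project always matches.
  role = google_project_iam_custom_role.list-instances.name
  # Project-wide grant so this instance can discover its peer; the role is
  # read-only (list/get of zones, instances and zone operations).
  # *_iam_member is additive: other members of this role are left alone.
  member = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com"
}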
# Not strictly required for fencing. Attaching a custom service account to
# the instance drops the default account's log-writer grant, so it is
# restored here; roles/logging.logWriter is write-only (no log read access).
resource "google_project_iam_member" "log-writer" {
  member  = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com"
  role    = "roles/logging.logWriter"
  project = var.project
}