From 4befdce47e6c7816193ffa1337c144b863847292 Mon Sep 17 00:00:00 2001
From: Christophe Courtaut
Date: Wed, 21 Feb 2018 18:22:39 +0100
Subject: [PATCH 1/3] builder/googlecompute: Adds ability to specify service account

This commit allows user to specify the service account they want to associate with the virtual machine provisionned by setting the service_account_email field in the config. It allows to manage permissions of the instantiated VM properly, using a service account that can be tied up to IAM roles and permissions.
---
 builder/googlecompute/config.go | 2 ++
 builder/googlecompute/driver.go | 1 +
 builder/googlecompute/driver_gce.go | 13 +++++++++----
 builder/googlecompute/step_create_instance.go | 1 +
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/builder/googlecompute/config.go b/builder/googlecompute/config.go
index c8863d4d9..3d9194c17 100644
--- a/builder/googlecompute/config.go
+++ b/builder/googlecompute/config.go
@@ -58,6 +58,8 @@ type Config struct {
 UseInternalIP bool `mapstructure:"use_internal_ip"`
 Zone string `mapstructure:"zone"`
 
+ ServiceAccountEmail string `mapstructure:"service_account_email"`
+
 Account AccountFile
 stateTimeout time.Duration
 imageAlreadyExists bool
diff --git a/builder/googlecompute/driver.go b/builder/googlecompute/driver.go
index fdb7d9442..c99c38359 100644
--- a/builder/googlecompute/driver.go
+++ b/builder/googlecompute/driver.go
@@ -75,6 +75,7 @@ type InstanceConfig struct {
 OnHostMaintenance string
 Preemptible bool
 Region string
+ ServiceAccountEmail string
 Scopes []string
 Subnetwork string
 Tags []string
diff --git a/builder/googlecompute/driver_gce.go b/builder/googlecompute/driver_gce.go
index c84ab222f..5f286fa71 100644
--- a/builder/googlecompute/driver_gce.go
+++ b/builder/googlecompute/driver_gce.go
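Review bot: The new `ServiceAccountEmail` field in the config.go hunk carries no comment, and nothing visible here validates it in Prepare (outside the hunk), so the only description of what an empty value means lives in driver_gce.go. Suggest `// ServiceAccountEmail is the service account attached to the build instance; empty selects the project's default compute service account.` above the field. It would also be worth stating there that the account still receives the configured `scopes`, since GCE bounds the instance's effective access by both the account's IAM grants and those scopes, and that the credentials Packer itself runs with must be allowed to act as that account (the Service Account User role) or the instance insert is rejected. The Config struct starts and ends outside the hunk.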
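Review bot: In the driver.go hunk `ServiceAccountEmail` is inserted between `Region` and `Scopes`, which breaks the alphabetical order the InstanceConfig fields otherwise follow (Region, Scopes, Subnetwork, Tags, Zone); the same placement is repeated in the step_create_instance.go literal in the next hunk and carried through both gofmt hunks of the second patch. Moving the line one position down in each spot keeps the order consistent: `Scopes []string`, `ServiceAccountEmail string`, `Subnetwork string`. The struct starts outside this hunk.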
@@ -343,6 +343,14 @@ func (d *driverGCE) RunInstance(c *InstanceConfig) (<-chan error, error) {
 guestAccelerators = append(guestAccelerators, ac)
 }
 
+ serviceAccount := &compute.ServiceAccount{
+ Email: "default",
+ Scopes: c.Scopes,
+ }
+ if c.ServiceAccountEmail != "" {
+ serviceAccount.Email = c.ServiceAccountEmail
+ }
+
 // Create the instance information
 instance := compute.Instance{
 Description: c.Description,
@@ -379,10 +387,7 @@ func (d *driverGCE) RunInstance(c *InstanceConfig) (<-chan error, error) {
 Preemptible: c.Preemptible,
 },
 ServiceAccounts: []*compute.ServiceAccount{
- {
- Email: "default",
- Scopes: c.Scopes,
- },
+ serviceAccount,
 },
 Tags: &compute.Tags{
 Items: c.Tags,
diff --git a/builder/googlecompute/step_create_instance.go b/builder/googlecompute/step_create_instance.go
index ee3b6643b..9ff74d85f 100644
--- a/builder/googlecompute/step_create_instance.go
+++ b/builder/googlecompute/step_create_instance.go
@@ -117,6 +117,7 @@ func (s *StepCreateInstance) Run(_ context.Context, state multistep.StateBag) mu
 OnHostMaintenance: c.OnHostMaintenance,
 Preemptible: c.Preemptible,
 Region: c.Region,
+ ServiceAccountEmail: c.ServiceAccountEmail,
 Scopes: c.Scopes,
 Subnetwork: c.Subnetwork,
 Tags: c.Tags,

From 16882c1252c56de28306871e5f436d9c9bd8987c Mon Sep 17 00:00:00 2001
From: Christophe Courtaut
Date: Wed, 21 Feb 2018 18:25:08 +0100
Subject: [PATCH 2/3] builder/googlecompute: Go code formatting

---
 builder/googlecompute/driver.go | 42 +++++++++----------
 builder/googlecompute/step_create_instance.go | 42 +++++++++----------
 2 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/builder/googlecompute/driver.go b/builder/googlecompute/driver.go
index c99c38359..4c07a06cf 100644
--- a/builder/googlecompute/driver.go
+++ b/builder/googlecompute/driver.go
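Review bot: The `if c.ServiceAccountEmail != ""` branch in the first driver_gce.go hunk passes any non-empty value straight into `compute.ServiceAccount.Email`; nothing in the visible part of RunInstance trims or validates it, so a stray space or a typo is only surfaced when the later instance insert call (outside the hunk) fails, and the block never says what the `"default"` literal denotes. A comment above the literal would help: `// "default" is resolved by GCE to the project's default compute service account; c.Scopes is applied whichever account is used.` Spelling out that the configured scopes still apply to a user-supplied account matters because the build VM's effective access is bounded by both that account's IAM roles and these scopes, which is easy to overlook when only the email is changed. RunInstance starts and ends outside this hunk.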
@@ -58,28 +58,28 @@ type Driver interface {
 }
 
 type InstanceConfig struct {
- AcceleratorType string
- AcceleratorCount int64
- Address string
- Description string
- DiskSizeGb int64
- DiskType string
- Image *Image
- Labels map[string]string
- MachineType string
- Metadata map[string]string
- Name string
- Network string
- NetworkProjectId string
- OmitExternalIP bool
- OnHostMaintenance string
- Preemptible bool
- Region string
+ AcceleratorType string
+ AcceleratorCount int64
+ Address string
+ Description string
+ DiskSizeGb int64
+ DiskType string
+ Image *Image
+ Labels map[string]string
+ MachineType string
+ Metadata map[string]string
+ Name string
+ Network string
+ NetworkProjectId string
+ OmitExternalIP bool
+ OnHostMaintenance string
+ Preemptible bool
+ Region string
 ServiceAccountEmail string
- Scopes []string
- Subnetwork string
- Tags []string
- Zone string
+ Scopes []string
+ Subnetwork string
+ Tags []string
+ Zone string
 }
 
 // WindowsPasswordConfig is the data structue that GCE needs to encrypt the created
diff --git a/builder/googlecompute/step_create_instance.go b/builder/googlecompute/step_create_instance.go
index 9ff74d85f..bc37aa7b2 100644
--- a/builder/googlecompute/step_create_instance.go
+++ b/builder/googlecompute/step_create_instance.go
@@ -100,28 +100,28 @@ func (s *StepCreateInstance) Run(_ context.Context, state multistep.StateBag) mu
 var metadata map[string]string
 metadata, err = c.createInstanceMetadata(sourceImage, sshPublicKey)
 errCh, err = d.RunInstance(&InstanceConfig{
- AcceleratorType: c.AcceleratorType,
- AcceleratorCount: c.AcceleratorCount,
- Address: c.Address,
- Description: "New instance created by Packer",
- DiskSizeGb: c.DiskSizeGb,
- DiskType: c.DiskType,
- Image: sourceImage,
- Labels: c.Labels,
- MachineType: c.MachineType,
- Metadata: metadata,
- Name: name,
- Network: c.Network,
- NetworkProjectId: c.NetworkProjectId,
- OmitExternalIP: c.OmitExternalIP,
- OnHostMaintenance: c.OnHostMaintenance,
- Preemptible: c.Preemptible,
- Region: c.Region,
+ AcceleratorType: c.AcceleratorType,
+ AcceleratorCount: c.AcceleratorCount,
+ Address: c.Address,
+ Description: "New instance created by Packer",
+ DiskSizeGb: c.DiskSizeGb,
+ DiskType: c.DiskType,
+ Image: sourceImage,
+ Labels: c.Labels,
+ MachineType: c.MachineType,
+ Metadata: metadata,
+ Name: name,
+ Network: c.Network,
+ NetworkProjectId: c.NetworkProjectId,
+ OmitExternalIP: c.OmitExternalIP,
+ OnHostMaintenance: c.OnHostMaintenance,
+ Preemptible: c.Preemptible,
+ Region: c.Region,
 ServiceAccountEmail: c.ServiceAccountEmail,
- Scopes: c.Scopes,
- Subnetwork: c.Subnetwork,
- Tags: c.Tags,
- Zone: c.Zone,
+ Scopes: c.Scopes,
+ Subnetwork: c.Subnetwork,
+ Tags: c.Tags,
+ Zone: c.Zone,
 })
 
 if err == nil {

From bda07497e9e11604f4d1c999b0295faae2e063e0 Mon Sep 17 00:00:00 2001
From: Christophe Courtaut
Date: Thu, 22 Feb 2018 18:46:13 +0100
Subject: [PATCH 3/3] website/docs: Adds documentation for GCE builder service account email new field

---
 website/source/docs/builders/googlecompute.html.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/website/source/docs/builders/googlecompute.html.md b/website/source/docs/builders/googlecompute.html.md
index cda97b02c..fb006c7ae 100644
--- a/website/source/docs/builders/googlecompute.html.md
+++ b/website/source/docs/builders/googlecompute.html.md
@@ -268,6 +268,9 @@ builder. - `region` (string) - The region in which to launch the instance. Defaults to to the region hosting the specified `zone`. +- `service_account_email` (string) - The service account to be used for launched instance. Defaults to + the project's default service account. + - `scopes` (array of strings) - The service account scopes for launched instance. Defaults to: