Added SA for Astro Airflow user #73

Merged (1 commit) on Oct 31, 2023

Conversation

kevinsunny1996 (Owner)

No description provided.

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖

Terraform Plan 📖success

Show Plan

terraform
module.flyte_gcs_backend.random_id.bucket_suffix: Refreshing state... [id=FsY]
module.gcs_api_extract.random_id.bucket_suffix: Refreshing state... [id=i_k]
random_password.flyte_db_password: Refreshing state... [id=none]
google_sql_user.flyte_db_user: Refreshing state... [id=postgres//flyte-db-backend]
google_project_service.composer_api: Refreshing state... [id=exemplary-tide-379122/composer.googleapis.com]
google_project_service.secret_mgr_api: Refreshing state... [id=exemplary-tide-379122/secretmanager.googleapis.com]
data.google_client_config.default: Reading...
google_sql_database_instance.flyte_db_backend: Refreshing state... [id=flyte-db-backend]
google_project_service.compute_api: Refreshing state... [id=exemplary-tide-379122/compute.googleapis.com]
google_project_service.container_api: Refreshing state... [id=exemplary-tide-379122/container.googleapis.com]
google_project_service.cloud_sql_api: Refreshing state... [id=exemplary-tide-379122/sqladmin.googleapis.com]
module.gcs_api_extract.google_storage_bucket.buckets["spotify-web-api-extracts"]: Refreshing state... [id=pricing-aggregator-us-east1-spotify-web-api-extracts]
module.flyte_gcs_backend.google_storage_bucket.buckets["flyte-storage-backend"]: Refreshing state... [id=pricing-aggregator-us-east1-flyte-storage-backend]
data.google_client_config.default: Read complete after 1s [id=projects/"exemplary-tide-379122"/regions/"us-east1"/zones/<null>]
module.flyte_gcs_backend.google_storage_bucket_iam_binding.admins["flyte-storage-backend"]: Refreshing state... [id=b/pricing-aggregator-us-east1-flyte-storage-backend/roles/storage.objectAdmin]
module.gcs_api_extract.google_storage_bucket_iam_binding.admins["spotify-web-api-extracts"]: Refreshing state... [id=b/pricing-aggregator-us-east1-spotify-web-api-extracts/roles/storage.objectAdmin]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # google_project_iam_binding.bq_access will be created
  + resource "google_project_iam_binding" "bq_access" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + members = (known after apply)
      + project = (sensitive value)
      + role    = "roles/bigquery.dataEditor"
    }

  # google_project_iam_binding.gcs_access will be created
  + resource "google_project_iam_binding" "gcs_access" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + members = (known after apply)
      + project = (sensitive value)
      + role    = "roles/storage.objectAdmin"
    }

  # google_project_iam_binding.gsm_access will be created
  + resource "google_project_iam_binding" "gsm_access" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + members = (known after apply)
      + project = (sensitive value)
      + role    = "roles/secretmanager.secretAccessor"
    }

  # google_service_account.airflow_user_sa will be created
  + resource "google_service_account" "airflow_user_sa" {
      + account_id   = "airflow-user-sa"
      + disabled     = false
      + display_name = "Custom Service Account for Astro Airflow User"
      + email        = (known after apply)
      + id           = (known after apply)
      + member       = (known after apply)
      + name         = (known after apply)
      + project      = (known after apply)
      + unique_id    = (known after apply)
    }

  # google_sql_database_instance.flyte_db_backend will be destroyed
  # (because google_sql_database_instance.flyte_db_backend is not in configuration)
  - resource "google_sql_database_instance" "flyte_db_backend" {
      - available_maintenance_versions = [] -> null
      - connection_name                = "exemplary-tide-379122:us-east1:flyte-db-backend" -> null
      - database_version               = "POSTGRES_14" -> null
      - deletion_protection            = true -> null
      - first_ip_address               = "35.196.182.207" -> null
      - id                             = "flyte-db-backend" -> null
      - instance_type                  = "CLOUD_SQL_INSTANCE" -> null
      - ip_address                     = [
          - {
              - ip_address     = "35.196.182.207"
              - time_to_retire = ""
              - type           = "PRIMARY"
            },
          - {
              - ip_address     = "34.138.38.166"
              - time_to_retire = ""
              - type           = "OUTGOING"
            },
        ] -> null
      - maintenance_version            = "POSTGRES_14_9.R20230830.01_01" -> null
      - name                           = "flyte-db-backend" -> null
      - project                        = "exemplary-tide-379122" -> null
      - public_ip_address              = "35.196.182.207" -> null
      - region                         = "us-east1" -> null
      - self_link                      = "https://sqladmin.googleapis.com/sql/v1beta4/projects/exemplary-tide-379122/instances/flyte-db-backend" -> null
      - server_ca_cert                 = [
          - {
              - cert             = <<-EOT
                    -----BEGIN CERTIFICATE-----
                    -----END CERTIFICATE-----
                EOT
              - common_name      = "C=US,O=Google\\, Inc,CN=Google Cloud SQL Server CA,dnQualifier=4d14be5c-8878-415e-b2d6-cfa323e0c7b4"
              - create_time      = "2023-07-10T13:37:32.923Z"
              - expiration_time  = "2033-07-07T13:38:32.923Z"
              - sha1_fingerprint = "01b82ab13e7245cbaab1c70fbf14aadeaf5dbcdf"
            },
        ] -> null
      - service_account_email_address  = "[email protected]" -> null

      - settings {
          - activation_policy           = "ALWAYS" -> null
          - availability_type           = "ZONAL" -> null
          - connector_enforcement       = "NOT_REQUIRED" -> null
          - deletion_protection_enabled = false -> null
          - disk_autoresize             = true -> null
          - disk_autoresize_limit       = 0 -> null
          - disk_size                   = 10 -> null
          - disk_type                   = "PD_HDD" -> null
          - pricing_plan                = "PER_USE" -> null
          - tier                        = "db-f1-micro" -> null
          - user_labels                 = {} -> null
          - version                     = 34 -> null

          - backup_configuration {
              - binary_log_enabled             = false -> null
              - enabled                        = false -> null
              - point_in_time_recovery_enabled = false -> null
              - start_time                     = "03:00" -> null
              - transaction_log_retention_days = 7 -> null

              - backup_retention_settings {
                  - retained_backups = 7 -> null
                  - retention_unit   = "COUNT" -> null
                }
            }

          - ip_configuration {
              - enable_private_path_for_google_cloud_services = false -> null
              - ipv4_enabled                                  = true -> null
              - require_ssl                                   = false -> null

              - authorized_networks {
                  - name  = "Flyte cluster whitelist" -> null
                  - value = "34.0.0.0/7" -> null
                }
              - authorized_networks {
                  - name  = "sql connect at time 2023-07-23 05:55:21.554076+00:00" -> null
                  - value = "34.87.101.146" -> null
                }
            }

          - location_preference {
              - zone = "us-east1-c" -> null
            }
        }
    }

  # google_sql_user.flyte_db_user will be destroyed
  # (because google_sql_user.flyte_db_user is not in configuration)
  - resource "google_sql_user" "flyte_db_user" {
      - id                      = "postgres//flyte-db-backend" -> null
      - instance                = "flyte-db-backend" -> null
      - name                    = "postgres" -> null
      - password                = (sensitive value) -> null
      - project                 = "exemplary-tide-379122" -> null
      - sql_server_user_details = [] -> null
    }

  # random_password.flyte_db_password will be destroyed
  # (because random_password.flyte_db_password is not in configuration)
  - resource "random_password" "flyte_db_password" {
      - bcrypt_hash      = (sensitive value) -> null
      - id               = "none" -> null
      - length           = 16 -> null
      - lower            = true -> null
      - min_lower        = 0 -> null
      - min_numeric      = 0 -> null
      - min_special      = 0 -> null
      - min_upper        = 0 -> null
      - number           = true -> null
      - numeric          = true -> null
      - override_special = "_@#" -> null
      - result           = (sensitive value) -> null
      - special          = true -> null
      - upper            = true -> null
    }

Plan: 4 to add, 0 to change, 3 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pushed by: @kevinsunny1996, Action: pull_request

Infracost report

💰 Monthly cost will decrease by $16 📉

Project                                              Cost change   New monthly cost
kevinsunny1996/aggregator-terraform-infra/terraform  -$16          $0
Cost details
──────────────────────────────────
Project: kevinsunny1996/aggregator-terraform-infra/terraform

- google_sql_database_instance.flyte_db_backend
  -$16

    - SQL instance (db-f1-micro, zonal)
      -$8

    - Storage (HDD, zonal)
      -$0.90

    - Backups
      Monthly cost depends on usage
        -$0.08 per GB

    - IP address (if unused)
      -$7

Monthly cost change for kevinsunny1996/aggregator-terraform-infra/terraform
Amount:  -$16 ($16 → $0.00)

──────────────────────────────────
Key: ~ changed, + added, - removed

13 cloud resources were detected:
∙ 2 were estimated, all of which include usage-based costs, see https://infracost.io/usage-file
∙ 11 were free, rerun with --show-skipped to see details

Infracost estimate: Monthly cost will decrease by $16 ↓
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Project                                             ┃ Cost change ┃ New monthly cost ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━┫
┃ kevinsunny1996/aggregator-terraform-infra/terraform ┃        -$16 ┃ $0.00            ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━┛

@kevinsunny1996 kevinsunny1996 self-assigned this Oct 31, 2023

guardrails bot commented Oct 31, 2023

⚠️ We detected 2 security issues in this pull request:

Insecure Access Control (2)

- Medium: Service Account with Improper Privileges (role = "roles/bigquery.dataEditor")
- Medium: Service Account with Improper Privileges (role = "roles/storage.objectAdmin")

More info on how to fix Insecure Access Control in Terraform.

@kevinsunny1996 kevinsunny1996 merged commit 9bbdcc5 into main Oct 31, 2023
4 of 5 checks passed