Db role tweaks (#238)

* add more dbs into config

Author: bolyachevets

gcp/terraform/docs/README.md

@@ -47,6 +47,18 @@ Before updating Terraform configuration, ensure you have the following:
         principals          # List of principals that can be granted the role
         role_type           # Optional value, when set to 'custom' ensures custom role URI is properply generated
 
+
+    instances        = ... # Optional list of cloudsql instances
+        instance           # instance name
+        databases          # list of databases
+            db_name        # database name
+            roles          # list of created custom roles to be managed by Terraform, e.g. ["readonly", "readwrite", "admin"]
+            owner          # database owner/role creator
+            database_role_assignment   # map of custom role assignments
+                readonly               # list of [email protected] emails to be granted db custom roles
+                readwrite              # list of [email protected] emails to be granted db custom roles
+                admin                  # list of [email protected] emails to be granted db custom roles
+
 For example, if you want to grant sa-pubsub service account in Connect Dev an invoker role for Cloud Run in Business Dev:
 ![invoker-grant](./images/cloud-run-invoker-role.png)
 
@@ -64,6 +76,11 @@ For example, if you want to grant sa-pubsub service account in Connect Dev an in
         principals            # List of principals that can be granted the role
         role_type             # Optional value, when set to 'custom' ensures custom role URI is properply generated
 
+  database_role_assignment   # Optional map of custom role assignments
+                              (roles will apply to all databases in the corresponnding env, that are listed in `project_account_bindings.auto.tfvars`)
+      readonly               # list of [email protected] emails to be granted db custom roles
+      readwrite              # list of [email protected] emails to be granted db custom roles
+      admin                  # list of [email protected] emails to be granted db custom roles
 
 `global_custom_roles.auto.tfvars`
 
@@ -72,6 +89,12 @@ For example, if you want to grant sa-pubsub service account in Connect Dev an in
     title                 # Name of the custom IAM role
     permissions           # List of permissions assigned to the role
     description           # Description of the custom role
+
+    database_role_assignment   # Optional map of custom role assignments
+                                (roles will apply to all databases, that are listed in `project_account_bindings.auto.tfvars`)
+        readonly               # list of [email protected] emails to be granted db custom roles
+        readwrite              # list of [email protected] emails to be granted db custom roles
+        admin                  # list of [email protected] emails to be granted db custom roles
 4. Merging the new branch into main will trigger 'terraform plan'
 5. Output of terraform plan can be reviewed in https://app.terraform.io/app/BCRegistry/workspaces/gcp-iam/runs
 6. If no errors are present, and if Terraform state changes are as expected, 'terraform apply' can be executed for the run in the UI (will either need permissions to access or ask SRE team to review)

gcp/terraform/global_custom_roles.auto.tfvars

@@ -1,7 +1,7 @@
 global_database_role_assignment = {
   readonly = []
   readwrite = []
-  admin = []
+  admin = ["[email protected]", "[email protected]"]
 }
 global_custom_roles = {
   rolestore = {

gcp/terraform/helper_scripts/cloud-functions/db-role-management/main.py

@@ -31,6 +31,7 @@ def grant_db_role(request):
 
         user = request_json['user']
         role = request_json['role']
+        db = request_json['database']
 
         if not re.match(r'^[a-zA-Z0-9_]+$', role):
             return {'error': 'Role name contains invalid characters (only letters, numbers and underscores allowed)'}, 400
@@ -53,7 +54,7 @@ def grant_db_role(request):
                 return {'error': 'gcs_uri must start with gs://'}, 400
 
             bucket_name = gcs_uri[5:].split('/')[0]
-            blob_name = os.path.join(*gcs_uri[5:].split('/')[1:], f"grant_role_{role}_{user.replace('@', '_at_')}.sql")
+            blob_name = os.path.join(*gcs_uri[5:].split('/')[1:], f"grant_role_{role}_{user.replace('@', '_at_')}_{db}.sql")
 
             storage_client = storage.Client()
             bucket = storage_client.bucket(bucket_name)
@@ -70,7 +71,7 @@ def grant_db_role(request):
             import_body = {
                 'importContext': {
                     'uri': f"gs://{bucket_name}/{blob_name}",
-                    'database': request_json['database'],
+                    'database': db,
                     'fileType': 'SQL'
                 }
             }
@@ -119,7 +120,7 @@ def should_retry(exc):
             return {
                 'status': 'success',
                 'operationId': response['name'],
-                'database': request_json['database'],
+                'database': db,
                 'user': user,
                 'role_granted': role,
                 'sql_executed': sql_content.strip(),