Adding note to use of Private Service Access module

community/examples/hpc-slurm-gromacs.yaml

@@ -31,6 +31,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

community/examples/hpc-slurm-local-ssd.yaml

@@ -31,6 +31,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

community/examples/hpc-slurm-ubuntu2004.yaml

@@ -36,6 +36,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

community/examples/htc-slurm.yaml

@@ -45,6 +45,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

community/modules/network/private-service-access/README.md

@@ -23,6 +23,11 @@ It will automatically perform the following steps, as described in the
   - source: modules/network/vpc
     id: network
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - source: community/modules/network/private-service-access
     id: ps_connect
     use: [network]

examples/gke-managed-parallelstore.yaml

@@ -38,6 +38,11 @@ deployment_groups:
         - range_name: services
           ip_cidr_range: 10.0.32.0/20
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access # required for parallelstore
     source: community/modules/network/private-service-access
     use: [network]

examples/hcls-blueprint.yaml

@@ -53,6 +53,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

examples/hpc-enterprise-slurm.yaml

@@ -51,6 +51,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

examples/hpc-slurm.yaml

@@ -33,6 +33,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

examples/machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml

@@ -40,6 +40,11 @@ deployment_groups:
     outputs:
     - network_name
     - subnetwork_name
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use:

examples/ml-slurm.yaml

@@ -46,6 +46,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

examples/pfs-parallelstore.yaml

@@ -31,6 +31,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

examples/ps-slurm.yaml

@@ -39,6 +39,11 @@ deployment_groups:
   - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

modules/file-system/gke-storage/README.md

@@ -15,6 +15,11 @@ then use them in a `gke-job-template` to dynamically provision the resource.
     settings:
       enable_parallelstore_csi: true
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

modules/file-system/parallelstore/README.md

@@ -40,6 +40,11 @@ for this newly created network.
  - id: network
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: private_service_access
     source: community/modules/network/private-service-access
     use: [network]

tools/validate_configs/test_configs/hpc-cluster-simple-nfs-sql.yaml

@@ -28,6 +28,11 @@ deployment_groups:
   - id: network1
     source: modules/network/vpc
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - id: ps_connect
     source: community/modules/network/private-service-access
     use: [network1]

tools/validate_configs/test_configs/two-clusters-sql.yaml

@@ -50,6 +50,11 @@ deployment_groups:
   - source: modules/network/vpc
     id: hpc_network
 
+  # Private Service Access (PSA) requires the compute.networkAdmin role which is included in the Owner role, but not Editor
+  # PSA is a best practice for Filestore instances, but can be optionally
+  # removed by deleting the following 3 lines and any references to the module
+  # by Filestore modules. PSA is required for all Parallelstore functionality.
+  # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
   - source: community/modules/network/private-service-access
     id: ps_connect
     use: [hpc_network]