# Identity that Firefly uses to read this project. Every IAM grant in this
# file binds to this account through its generated email address.
resource "google_service_account" "firefly" {
  project      = data.google_project.current.project_id
  account_id   = "${var.resource_prefix}firefly-gcp"
  display_name = "${var.resource_prefix}${data.google_project.current.name}-firefly-access"

  # The required project API must be enabled first; google_project_service.main
  # is declared outside this file.
  depends_on = [google_project_service.main]
}
# Project-wide read access to IAM policies and role definitions for the
# Firefly account (predefined role, no write permissions).
resource "google_project_iam_member" "service_account_project_membership" {
  member  = "serviceAccount:${google_service_account.firefly.email}"
  role    = "roles/iam.securityReviewer"
  project = data.google_project.current.project_id
}
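# Conditional object-read grant intended for Terraform state files only.
# The condition is evaluated per request against the resource name, so
# objects in the project's buckets that do not carry the suffix stay outside
# the scope of this binding.
resource "google_project_iam_member" "service_account_project_membership_storage_viewer" {
  project = data.google_project.current.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.firefly.email}"

  condition {
    title       = "TFfstate"
    description = "Allow access to objects that end with .tfstate only"
    # The suffix includes the dot so the expression matches the description;
    # a bare "tfstate" suffix also matched names such as "foo-tfstate".
    # NOTE(review): storage.objects.list is checked against the bucket, not
    # the object, so listing via this grant alone likely needs the bucket name
    # itself to satisfy the suffix — confirm against the GCS IAM condition docs.
    expression = "resource.name.endsWith(\".tfstate\")"
  }
}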
# Basic read-only role across the entire project.
# NOTE(review): roles/viewer is a basic (primitive) role and is far broader
# than the two scoped grants above. Confirm it is genuinely required rather
# than a small set of predefined read roles, and check its permission set does
# not already cover the object reads the conditional storage grant is meant
# to restrict.
resource "google_project_iam_member" "service_account_project_viewer" {
  member  = "serviceAccount:${google_service_account.firefly.email}"
  role    = "roles/viewer"
  project = data.google_project.current.project_id
}
# Custom role limited to Log Router sink management. Created only when the
# event-driven integration is enabled.
resource "google_project_iam_custom_role" "firefly_logging_custom_role" {
  count = var.enable_event_driven ? 1 : 0

  project     = data.google_project.current.project_id
  role_id     = "firefly_logging_custom_role"
  title       = "Firefly Logging Custom Role"
  description = "Allows Firefly to create logging sinks"

  # Sink CRUD only — no permission to read log entries is included here.
  # NOTE(review): sink create/update still lets the holder route project logs
  # to a destination of its choosing; treat it as a sensitive capability.
  permissions = [
    "logging.sinks.create",
    "logging.sinks.delete",
    "logging.sinks.get",
    "logging.sinks.list",
    "logging.sinks.update",
  ]
}
# Bind the custom sink-management role to the Firefly account. Guarded by the
# same count expression as the role, so the [0] index is always valid when
# this resource exists.
resource "google_project_iam_member" "service_account_project_event_driven_sink_creation" {
  count = var.enable_event_driven ? 1 : 0

  member  = "serviceAccount:${google_service_account.firefly.email}"
  # `name` is the fully qualified role identifier expected by a role binding.
  role    = google_project_iam_custom_role.firefly_logging_custom_role[0].name
  project = data.google_project.current.project_id
}
# Long-lived key for the Firefly account. The private key is exposed as a
# resource attribute and is therefore written to Terraform state — treat the
# state backend as holding a credential (restrict access, encrypt at rest).
# NOTE(review): no rotation trigger (keepers) is configured here; consider
# whether keyless auth such as workload identity federation could replace
# this key, and how it will be rotated.
resource "google_service_account_key" "credentials" {
service_account_id = google_service_account.firefly.name
}