add logging and monitoring roles to openshift SAs

Ludovico Magnocavallo 2021-05-16 10:28:51 +02:00
parent e275f17a48
commit 0a647df4dc
1 changed files with 11 additions and 4 deletions


@ -14,6 +14,13 @@
* limitations under the License.
*/
locals {
minimal_sa_roles = [
"roles/logging.logWriter",
"roles/monitoring.metricWriter"
]
}
resource "google_service_account" "default" {
for_each = { m = "master", w = "worker" }
project = var.service_project.project_id
@ -46,23 +53,23 @@ resource "google_project_iam_member" "host-worker" {
# https://docs.openshift.com/container-platform/4.7/installing/installing_gcp/installing-restricted-networks-gcp.html#installation-creating-gcp-iam-shared-vpc_installing-restricted-networks-gcp
resource "google_project_iam_member" "service-master" {
for_each = toset([
for_each = toset(concat(local.minimal_sa_roles, [
"roles/compute.instanceAdmin",
"roles/compute.networkAdmin",
"roles/compute.securityAdmin",
"roles/iam.serviceAccountUser",
"roles/storage.admin"
])
]))
project = var.service_project.project_id
role = each.key
member = "serviceAccount:${google_service_account.default["m"].email}"
}
resource "google_project_iam_member" "service-worker" {
for_each = toset([
for_each = toset(concat(local.minimal_sa_roles, [
"roles/compute.viewer",
"roles/storage.admin"
])
]))
project = var.service_project.project_id
role = each.key
member = "serviceAccount:${google_service_account.default["w"].email}"