Provision and configure the IAP service identity
The IAP service agent invokes Cloud Run when IAP is configured, so that service account needs the roles/run.invoker role on the service.
parent
121bc30e90
commit
102c8ed0fb
@ -49,7 +49,10 @@ module "cloud_run" {
|
|||
}
|
||||
}
|
||||
iam = {
|
||||
"roles/run.invoker" = ["allUsers"]
|
||||
"roles/run.invoker" = (local.gclb_create && var.iap.enabled
|
||||
? ["serviceAccount:${google_project_service_identity.iap_sa[0].email}"]
|
||||
: ["allUsers"]
|
||||
)
|
||||
}
|
||||
ingress_settings = var.ingress_settings
|
||||
}
|
||||
|
@ -183,3 +186,13 @@ resource "google_iap_web_iam_member" "iap_iam" {
|
|||
role = "roles/iap.httpsResourceAccessor"
|
||||
member = "user:${var.iap.email}"
|
||||
}
|
||||
|
||||
# SA service agent for IAP, which invokes CR
|
||||
# Note:
|
||||
# Once created, this resource cannot be updated or destroyed. These actions are a no-op.
|
||||
resource "google_project_service_identity" "iap_sa" {
|
||||
provider = google-beta
|
||||
count = local.gclb_create && var.iap.enabled ? 1 : 0
|
||||
project = module.project.project_id
|
||||
service = "iap.googleapis.com"
|
||||
}
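Review bot: Disabling IAP later (var.iap.enabled = false, or local.gclb_create becoming false) silently flips the roles/run.invoker binding in the conditional back to `["allUsers"]`, so a service that was protected becomes publicly invokable on that same apply with no separate opt-in for public exposure. Consider saying so above the iam block, e.g. `# Without IAP the service is public (allUsers); turning iap.enabled off re-opens it.`, or gating the allUsers fallback on an explicit "public" variable instead of the IAP toggle. The iap_sa resource is created under the same condition, and its own comment notes it can never be destroyed, so the invoker binding is the only thing that actually changes when the flag is flipped. If var.ingress_settings defaults to allowing all ingress (its default is not visible here), the direct run.app URL stays reachable while IAP is enabled; unauthenticated callers should then be rejected by Cloud Run IAM, but restricting ingress to internal-and-cloud-load-balancing when IAP is on would make the GCLB+IAP path the only one. The cloud_run module block starts before the first hunk.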
|
||||
|
|