zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Provision and configure the IAP service identity 

The IAP service agent invokes Cloud Run when IAP is configured. This SA needs
the role run.invoker
This commit is contained in:
Julio Diez 2023-04-17 13:11:12 +02:00
parent 121bc30e90
commit 102c8ed0fb
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
blueprints/serverless/cloud-run-explore/main.tf
View File

@ -49,7 +49,10 @@ module "cloud_run" {
}
}
iam = {
"roles/run.invoker" = ["allUsers"]
"roles/run.invoker" = (local.gclb_create && var.iap.enabled
? ["serviceAccount:${google_project_service_identity.iap_sa[0].email}"]
: ["allUsers"]
)
}
ingress_settings = var.ingress_settings
}
@ -183,3 +186,13 @@ resource "google_iap_web_iam_member" "iap_iam" {
role = "roles/iap.httpsResourceAccessor"
member = "user:${var.iap.email}"
}
# SA service agent for IAP, which invokes CR
# Note:
# Once created, this resource cannot be updated or destroyed. These actions are a no-op.
resource "google_project_service_identity" "iap_sa" {
provider = google-beta
count = local.gclb_create && var.iap.enabled ? 1 : 0
project = module.project.project_id
service = "iap.googleapis.com"
}