Provision and configure the IAP service identity

The IAP service agent invokes Cloud Run when IAP is configured, so this SA needs
the run.invoker role.
This commit is contained in:
Julio Diez 2023-04-17 13:11:12 +02:00
parent 121bc30e90
commit 102c8ed0fb
1 changed files with 14 additions and 1 deletions


@ -49,7 +49,10 @@ module "cloud_run" {
}
}
iam = {
"roles/run.invoker" = ["allUsers"]
"roles/run.invoker" = (local.gclb_create && var.iap.enabled
? ["serviceAccount:${google_project_service_identity.iap_sa[0].email}"]
: ["allUsers"]
)
}
ingress_settings = var.ingress_settings
}
@ -183,3 +186,13 @@ resource "google_iap_web_iam_member" "iap_iam" {
role = "roles/iap.httpsResourceAccessor"
member = "user:${var.iap.email}"
}
# SA service agent for IAP, which invokes CR
# Note:
# Once created, this resource cannot be updated or destroyed. These actions are a no-op.
resource "google_project_service_identity" "iap_sa" {
provider = google-beta
count = local.gclb_create && var.iap.enabled ? 1 : 0
project = module.project.project_id
service = "iap.googleapis.com"
}
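Review bot: The ternary at the `"roles/run.invoker"` key in the first hunk silently falls back to `["allUsers"]` whenever `local.gclb_create` is false, so setting `var.iap.enabled = true` without the load balancer leaves the service publicly invokable with nothing to flag it, and the same re-exposure happens when IAP is later toggled off. Since the condition is duplicated there and in the `count` of `google_project_service_identity.iap_sa`, factoring it into a single local (say `local.iap_sa_create`, constructed name) used in both places keeps the `iap_sa[0]` reference and the resource's existence from drifting apart. A comment on the ternary such as `# IAP only fronts Cloud Run via the GCLB; without it the service stays open to allUsers` would make the fallback explicit to the next operator. The `module "cloud_run"` block continues outside the first hunk.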