JIT service account for storage
parent
1fbd018f5f
commit
1498696b6b
|
@ -14,6 +14,9 @@
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
prefix = "${var.prefix}-${var.timestamp}${var.suffix}"
|
prefix = "${var.prefix}-${var.timestamp}${var.suffix}"
|
||||||
|
jit_services = [
|
||||||
|
"storage.googleapis.com", # no permissions granted by default
|
||||||
|
]
|
||||||
services = [
|
services = [
|
||||||
# trimmed down list of services, to be extended as needed
|
# trimmed down list of services, to be extended as needed
|
||||||
"apigee.googleapis.com",
|
"apigee.googleapis.com",
|
||||||
|
@ -93,6 +96,15 @@ resource "google_kms_crypto_key" "key" {
|
||||||
rotation_period = "100000s"
|
rotation_period = "100000s"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_project_service_identity" "jit_si" {
|
||||||
|
for_each = toset(local.jit_services)
|
||||||
|
provider = google-beta
|
||||||
|
project = google_project.project.project_id
|
||||||
|
service = each.value
|
||||||
|
depends_on = [google_project_service.project_service]
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
resource "local_file" "terraform_tfvars" {
|
resource "local_file" "terraform_tfvars" {
|
||||||
filename = "e2e_tests.tfvars"
|
filename = "e2e_tests.tfvars"
|
||||||
content = templatefile("e2e_tests.tfvars.tftpl", {
|
content = templatefile("e2e_tests.tfvars.tftpl", {
|
||||||
|
|
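Review bot: The new `google_project_service_identity.jit_si` resource is created, but nothing in the visible hunks consumes its output, and the only explanation is the inline `# no permissions granted by default` on the `jit_services` entry, so a reader cannot tell why the storage service agent is forced into existence or where its access is granted. I would add a comment above the resource, for example `# Create just-in-time service agents up front so later IAM bindings can reference them`, and keep any grant to that agent scoped to the single resource it needs (presumably `google_kms_crypto_key.key` just above, to be confirmed) rather than the whole project. The `depends_on = [google_project_service.project_service]` only orders things correctly if `storage.googleapis.com` is also enabled through `local.services`; that list is cut off in the first hunk, so this is worth checking.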