Fix IAM bindings to impersonate resman CICD SAs at bootstrap stage (#2411)

Jay Bana 2024-07-08 11:58:41 +01:00 committed by GitHub
parent 1bd3380a3f
commit 1aad2c682c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 4 deletions


@ -272,13 +272,13 @@ module "automation-tf-resman-sa" {
# we use additive IAM to allow tenant CI/CD SAs to impersonate it # we use additive IAM to allow tenant CI/CD SAs to impersonate it
iam_bindings_additive = merge( iam_bindings_additive = merge(
local.cicd_resman_sa == "" ? {} : { local.cicd_resman_sa == "" ? {} : {
cicd_token_creator = { cicd_token_creator_resman = {
member = local.cicd_resman_sa member = local.cicd_resman_sa
role = "roles/iam.serviceAccountTokenCreator" role = "roles/iam.serviceAccountTokenCreator"
} }
}, },
local.cicd_tenants_sa == "" ? {} : { local.cicd_tenants_sa == "" ? {} : {
cicd_token_creator = { cicd_token_creator_tenants = {
member = local.cicd_tenants_sa member = local.cicd_tenants_sa
role = "roles/iam.serviceAccountTokenCreator" role = "roles/iam.serviceAccountTokenCreator"
} }
@ -299,13 +299,13 @@ module "automation-tf-resman-r-sa" {
# we use additive IAM to allow tenant CI/CD SAs to impersonate it # we use additive IAM to allow tenant CI/CD SAs to impersonate it
iam_bindings_additive = merge( iam_bindings_additive = merge(
local.cicd_resman_r_sa == "" ? {} : { local.cicd_resman_r_sa == "" ? {} : {
cicd_token_creator = { cicd_token_creator_resman = {
member = local.cicd_resman_r_sa member = local.cicd_resman_r_sa
role = "roles/iam.serviceAccountTokenCreator" role = "roles/iam.serviceAccountTokenCreator"
} }
}, },
local.cicd_tenants_r_sa == "" ? {} : { local.cicd_tenants_r_sa == "" ? {} : {
cicd_token_creator = { cicd_token_creator_tenants = {
member = local.cicd_tenants_r_sa member = local.cicd_tenants_r_sa
role = "roles/iam.serviceAccountTokenCreator" role = "roles/iam.serviceAccountTokenCreator"
} }
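Review bot: The comment above `iam_bindings_additive` in both `automation-tf-resman-sa` and `automation-tf-resman-r-sa` still names only tenant CI/CD SAs, and nothing records why the map keys now have to differ. Terraform's `merge()` keeps the last value for a duplicate key, so with the old shared key `cicd_token_creator` the resman binding would have been silently dropped whenever both locals were set; a future third entry could reintroduce the same collision. I would replace the comment with `# additive IAM lets the resman and tenant CI/CD SAs impersonate this SA; keys must be unique across the merged maps, merge() keeps only the last duplicate`. With distinct keys both principals now really receive `roles/iam.serviceAccountTokenCreator`, so it is worth confirming that the tenants CI/CD SA is meant to mint tokens for the read-write resman SA and not only for the `-r` one. Both module blocks and the `merge(` call continue outside the hunks, so any further maps in the merge are not visible here.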