Fix IAM bindings to impersonate resman CICD SAs at bootstrap stage (#2411)
parent
1bd3380a3f
commit
1aad2c682c
|
@ -272,13 +272,13 @@ module "automation-tf-resman-sa" {
|
||||||
# we use additive IAM to allow tenant CI/CD SAs to impersonate it
|
# we use additive IAM to allow tenant CI/CD SAs to impersonate it
|
||||||
iam_bindings_additive = merge(
|
iam_bindings_additive = merge(
|
||||||
local.cicd_resman_sa == "" ? {} : {
|
local.cicd_resman_sa == "" ? {} : {
|
||||||
cicd_token_creator = {
|
cicd_token_creator_resman = {
|
||||||
member = local.cicd_resman_sa
|
member = local.cicd_resman_sa
|
||||||
role = "roles/iam.serviceAccountTokenCreator"
|
role = "roles/iam.serviceAccountTokenCreator"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
local.cicd_tenants_sa == "" ? {} : {
|
local.cicd_tenants_sa == "" ? {} : {
|
||||||
cicd_token_creator = {
|
cicd_token_creator_tenants = {
|
||||||
member = local.cicd_tenants_sa
|
member = local.cicd_tenants_sa
|
||||||
role = "roles/iam.serviceAccountTokenCreator"
|
role = "roles/iam.serviceAccountTokenCreator"
|
||||||
}
|
}
|
||||||
|
@ -299,13 +299,13 @@ module "automation-tf-resman-r-sa" {
|
||||||
# we use additive IAM to allow tenant CI/CD SAs to impersonate it
|
# we use additive IAM to allow tenant CI/CD SAs to impersonate it
|
||||||
iam_bindings_additive = merge(
|
iam_bindings_additive = merge(
|
||||||
local.cicd_resman_r_sa == "" ? {} : {
|
local.cicd_resman_r_sa == "" ? {} : {
|
||||||
cicd_token_creator = {
|
cicd_token_creator_resman = {
|
||||||
member = local.cicd_resman_r_sa
|
member = local.cicd_resman_r_sa
|
||||||
role = "roles/iam.serviceAccountTokenCreator"
|
role = "roles/iam.serviceAccountTokenCreator"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
local.cicd_tenants_r_sa == "" ? {} : {
|
local.cicd_tenants_r_sa == "" ? {} : {
|
||||||
cicd_token_creator = {
|
cicd_token_creator_tenants = {
|
||||||
member = local.cicd_tenants_r_sa
|
member = local.cicd_tenants_r_sa
|
||||||
role = "roles/iam.serviceAccountTokenCreator"
|
role = "roles/iam.serviceAccountTokenCreator"
|
||||||
}
|
}
|
||||||
|
|
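Review bot: The comment kept above `iam_bindings_additive` in both hunks names only the tenant CI/CD SAs, but the merged map also grants `roles/iam.serviceAccountTokenCreator` to `local.cicd_resman_sa` (and to `local.cicd_resman_r_sa` in the read-only module), so it understates who can mint tokens for these service accounts. I would reword it to `# additive IAM lets the resman and tenant CI/CD SAs impersonate this SA; keys must be unique because merge() keeps only the last value for a duplicate key`, which also records why the old shared `cicd_token_creator` key dropped the resman binding whenever both locals were set. If the module keys its binding resources by these map keys (not visible here), renaming the existing key will presumably show up as a destroy/create of the tenants binding on the next apply, which deserves a line in the commit description. Both `merge(` calls and their module blocks continue outside the hunks.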