explicitly set pubsub permission for cloud asset robot account

2020-07-30 18:11:11 +02:00 · 2020-07-30 18:11:11 +02:00 · 2f70e811ae
parent 6c5b35d0e2
commit 2f70e811ae
1 changed files with 8 additions and 0 deletions
--- a/cloud-operations/asset-inventory-feed-remediation/main.tf
+++ b/cloud-operations/asset-inventory-feed-remediation/main.tf
@ -59,6 +59,14 @@ module "pubsub" {
  project_id    = module.project.project_id
  name          = var.name
  subscriptions = { "${var.name}-default" = null }
+  iam_roles = [
+    "roles/pubsub.publisher"
+  ]
+  iam_members = {
+    "roles/pubsub.publisher" = [
+      "serviceAccount:${module.project.service_accounts.robots.cloudasset}"
+    ]
+  }
 }

 module "service-account" {