Add IAM cryptDecrypt role to robo service account on specified keys
parent
d1b560c76d
commit
476d2c79e9
@ -65,6 +65,14 @@ locals {
|
||||||
if sink.iam && sink.type == type
|
if sink.iam && sink.type == type
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
service_encryption_key_ids_flatten = flatten([
|
||||||
|
for service in keys(var.service_encryption_key_ids) : [
|
||||||
|
for key in var.service_encryption_key_ids[service] : {
|
||||||
|
service = service
|
||||||
|
key = key
|
||||||
|
}
|
||||||
|
]
|
||||||
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
data "google_project" "project" {
|
data "google_project" "project" {
|
||||||
|
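Review bot: The flattened list at `service_encryption_key_ids_flatten` carries every key exactly as listed, so a key id that appears twice in one service's list yields two identical `"${service}.${key}"` entries and the map built from it later errors with a duplicate object key at plan time instead of a readable message. Deduplicating at the source, `for key in distinct(var.service_encryption_key_ids[service]) : {`, avoids that and is harmless for well-formed input. The `locals` block this sits in starts above the hunk. A one-line comment such as `# one {service, key} pair per key id, consumed by google_kms_crypto_key_iam_member.crypto_key` would help the next reader find where this is used.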
@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
|
||||||
perimeter_name = each.value
|
perimeter_name = each.value
|
||||||
resource = "projects/${local.project.number}"
|
resource = "projects/${local.project.number}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_kms_crypto_key_iam_member" "crypto_key" {
|
||||||
|
for_each = {
|
||||||
|
for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
|
||||||
|
}
|
||||||
|
crypto_key_id = each.value.key
|
||||||
|
role = "roles/cloudkms.cryptoKeyEncrypter"
|
||||||
|
member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
|
||||||
|
}
|
||||||
|
|
|
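Review bot: The binding at `role = "roles/cloudkms.cryptoKeyEncrypter"` grants encrypt only, but a service robot account using a CMEK key also has to decrypt when it reads the data back, and the commit title itself says "cryptDecrypt"; this should be `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"`. With the encrypt-only role the affected services could write encrypted objects or tables but fail on every read, which would surface as a confusing permission error in the service rather than in Terraform. Note also that `local.service_accounts_robots[each.value.service]` is a hard index, so a service name that is not a key of that map aborts the plan; a short comment stating that the map keys of service_encryption_key_ids must match service_accounts_robots would make that contract explicit.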
@ -40,3 +40,14 @@ locals {
|
||||||
service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
|
service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data "google_storage_project_service_account" "gcs_account" {
|
||||||
|
count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
|
||||||
|
project = local.project.project_id
|
||||||
|
}
|
||||||
|
|
||||||
|
data "google_bigquery_default_service_account" "bq_sa" {
|
||||||
|
count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
|
||||||
|
|
||||||
|
project = local.project.project_id
|
||||||
|
}
|
||||||
|
|
|
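Review bot: `count = try(var.services["storage.googleapis.com"], false) ? 1 : 0` indexes var.services with a string key; if var.services is a list of service names, that index is an error that `try()` silently turns into false, so the data source is never created and the condition is always satisfied without anyone noticing. If it is a list, `count = contains(var.services, "storage.googleapis.com") ? 1 : 0` is the robust form; if it is a map of booleans, `lookup(var.services, "storage.googleapis.com", false)` says the intent without relying on try() to mask an error — the variable's type is not visible here, so confirm which applies (the same goes for the bigquery data source below it). The `email_address` of the GCS data source and `email` of the BigQuery one are also not referenced in any visible hunk; unless they are merged into `local.service_accounts_robots` (whose definition starts above this hunk), a `storage` or `bigquery` entry in service_encryption_key_ids would still fail the map lookup in the KMS IAM resource, so either wire them in or document them as not yet used.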
@ -148,6 +148,12 @@ variable "service_config" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "service_encryption_key_ids" {
|
||||||
|
description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
|
||||||
|
type = map(list(string))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
variable "shared_vpc_host_config" {
|
variable "shared_vpc_host_config" {
|
||||||
description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
|
description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
|
||||||
type = object({
|
type = object({
|
||||||
|
|
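Review bot: The description of `service_encryption_key_ids` says only "{SERVICE => [KEY_URL]}" and does not tell the caller what SERVICE must be or what form the key takes, yet the consuming resource indexes `local.service_accounts_robots` with the map key and passes the value straight as `crypto_key_id`, so a wrong key name or a short key name fails at plan or apply time with an unhelpful error. I would make it `description = "Cloud KMS keys to grant the service robot accounts encrypt/decrypt access on, in {SERVICE => [KEY_ID]} format; SERVICE must be a key of the internal service robot map and KEY_ID the full key resource id projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY."` (adjust the SERVICE wording to whatever naming that map actually uses, which is not visible in this hunk). If the module already targets a Terraform version with variable validation, a `validation` block checking that every key id starts with `projects/` would move that failure to the variable itself.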