allow using cicd service accounts in build triggers

2022-06-16 22:16:43 +02:00 · 2022-06-16 22:16:43 +02:00 · a35ed1ca0f
parent 6d8f3f7e22
commit a35ed1ca0f
5 changed files with 24 additions and 6 deletions
--- a/fast/stages/01-resman/cicd-data-platform.tf
+++ b/fast/stages/01-resman/cicd-data-platform.tf
@ -96,7 +96,9 @@ module "branch-dp-dev-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
@ -135,7 +137,9 @@ module "branch-dp-prod-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
--- a/fast/stages/01-resman/cicd-networking.tf
+++ b/fast/stages/01-resman/cicd-networking.tf
@ -63,7 +63,9 @@ module "branch-network-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
--- a/fast/stages/01-resman/cicd-security.tf
+++ b/fast/stages/01-resman/cicd-security.tf
@ -63,7 +63,9 @@ module "branch-security-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
--- a/fast/stages/01-resman/cicd-teams.tf
+++ b/fast/stages/01-resman/cicd-teams.tf
@ -96,7 +96,9 @@ module "branch-teams-dev-pf-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
@ -135,7 +137,9 @@ module "branch-teams-prod-pf-sa-cicd" {
  iam = (
    each.value.type == "sourcerepo"
    # used directly from the cloud build trigger for source repos
-    ? {}
+    ? {
+      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+    }
    # impersonated via workload identity federation for external repos
    : {
      "roles/iam.workloadIdentityUser" = [
--- a/fast/stages/01-resman/main.tf
+++ b/fast/stages/01-resman/main.tf
@ -16,6 +16,10 @@

 locals {
  # convenience flags that express where billing account resides
+  automation_resman_sa = format(
+    "serviceAccount:%s",
+    data.google_client_openid_userinfo.provider_identity.email
+  )
  billing_ext     = var.billing_account.organization_id == null
  billing_org     = var.billing_account.organization_id == var.organization.id
  billing_org_ext = !local.billing_ext && !local.billing_org
@ -64,3 +68,5 @@ locals {
    try(var.automation.federated_identity_providers, null), {}
  )
 }
+
+data "google_client_openid_userinfo" "provider_identity" {}