allow using cicd service accounts in build triggers
This commit is contained in:
parent
6d8f3f7e22
commit
a35ed1ca0f
@ -96,7 +96,9 @@ module "branch-dp-dev-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
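Review bot: The new `roles/iam.serviceAccountUser` binding grants actAs on this CI/CD service account to `local.automation_resman_sa`, which (per the locals hunk below) is derived from whatever identity runs the apply rather than from a fixed automation principal, so the member written into IAM changes with the caller and a plan run under a human's credentials would bind the wrong principal or fail on a malformed `serviceAccount:` member. Consider taking the member from the stage's automation inputs (e.g. the resman service account already carried in `var.automation`) or, at minimum, document the assumption next to the binding: `# actAs for the resman automation SA so it can create Cloud Build triggers running as this SA`. Since the module's `iam` map is presumably authoritative per role, any other `serviceAccountUser` members previously held on these SAs will be removed on apply; confirm that is intended. The enclosing `module "branch-dp-dev-sa-cicd"` block starts and ends outside the hunk.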
|
||||
|
@ -135,7 +137,9 @@ module "branch-dp-prod-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
|
|
@ -63,7 +63,9 @@ module "branch-network-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
|
|
@ -63,7 +63,9 @@ module "branch-security-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
|
|
@ -96,7 +96,9 @@ module "branch-teams-dev-pf-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
@ -135,7 +137,9 @@ module "branch-teams-prod-pf-sa-cicd" {
|
|||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {}
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = [local.automation_resman_sa]
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
|
|
@ -16,6 +16,10 @@
|
|||
|
||||
locals {
|
||||
# convenience flags that express where billing account resides
|
||||
automation_resman_sa = format(
|
||||
"serviceAccount:%s",
|
||||
data.google_client_openid_userinfo.provider_identity.email
|
||||
)
|
||||
billing_ext = var.billing_account.organization_id == null
|
||||
billing_org = var.billing_account.organization_id == var.organization.id
|
||||
billing_org_ext = !local.billing_ext && !local.billing_org
|
||||
|
@ -64,3 +68,5 @@ locals {
|
|||
try(var.automation.federated_identity_providers, null), {}
|
||||
)
|
||||
}
|
||||
|
||||
data "google_client_openid_userinfo" "provider_identity" {}
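Review bot: The data source has no comment explaining that its `email` is the credential the google provider is currently using (direct service-account credentials vs. impersonation yield different values), which is what ends up as an IAM member on every CI/CD SA in this commit. A one-line header such as `# identity the google provider authenticates as; used as the IAM member for the CI/CD SA bindings` would make the dependency on how the stage is run explicit.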
|
||||
|
|