zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move IAM grant to function level for trigger SA

This commit is contained in:
Wiktor Niesiobędzki 2023-07-12 12:25:16 +00:00 committed by Wiktor Niesiobędzki
parent 93b2f9cba2
commit cc0b278df3
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
modules/cloud-function-v2/main.tf
View File

@ -24,6 +24,18 @@ locals {
: null
)
)
_iam_run_invoker_members = concat(
lookup(var.iam, "roles/run.invoker", []),
var.trigger_config == null ? [] :
var.trigger_config.service_account_create ? ["serviceAccount:${local.trigger_service_account_email}"] : []
)
iam = merge(
var.iam,
length(local._iam_run_invoker_members) == 0 ? {} :
{
"roles/run.invoker" : local._iam_run_invoker_members
},
)
prefix = var.prefix == null ? "" : "${var.prefix}-"
service_account_email = (
var.service_account_create
@ -211,12 +223,3 @@ resource "google_service_account" "trigger_service_account" {
account_id = "tf-cf-trigger-${var.name}"
display_name = "Terraform trigger for Cloud Function ${var.name}."
}
resource "google_project_iam_member" "trigger_iam" {
count = (
try(var.trigger_config.service_account_create, false) == true ? 1 : 0
)
project = var.project_id
member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
role = "roles/run.invoker"
}