Move `bq` robot service account into the robot service account project output (#262)
parent
d1b560c76d
commit
efb52eeb6c
|
@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
## [Unreleased]
|
||||
- Fix `message_retention_duration` variable type in `pubsub` module
|
||||
- Move `bq` robot service account into the robot service account project output
|
||||
|
||||
## [4.9.0] - 2021-06-04
|
||||
|
||||
|
|
|
@ -134,7 +134,7 @@ module "kms" {
|
|||
},
|
||||
key-bq = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project-service.service_accounts.default.bq}",
|
||||
"serviceAccount:${module.project-service.service_accounts.robots.bq}",
|
||||
#"serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}",
|
||||
]
|
||||
},
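Review bot: The commented-out `data.google_bigquery_default_service_account` member directly below the changed line in `key-bq` is left with no explanation, so a reader cannot tell which of the two identities is meant to hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on this key. The new member is an address built from the project number rather than looked up, so nothing visible here guarantees the BigQuery encryption agent exists when the binding is applied; if it does not, the IAM update will probably be rejected. Either delete the dead line or replace it with a comment such as `# BigQuery CMEK agent; it must already exist in the project before this binding is applied`. The `module "kms"` block starts and ends outside the hunk.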
|
||||
|
|
|
@ -17,12 +17,11 @@
|
|||
locals {
|
||||
service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
|
||||
service_accounts_default = {
|
||||
# TODO: Find a better place to store BQ service account
|
||||
bq = "bq-${local.project.number}@bigquery-encryption.iam.gserviceaccount.com"
|
||||
compute = "${local.project.number}-compute@developer.gserviceaccount.com"
|
||||
gae = "${local.project.project_id}@appspot.gserviceaccount.com"
|
||||
}
|
||||
service_accounts_robot_services = {
|
||||
bq = "bigquery-encryption"
|
||||
cloudasset = "gcp-sa-cloudasset"
|
||||
cloudbuild = "gcp-sa-cloudbuild"
|
||||
compute = "compute-system"
|
||||
|
@ -37,6 +36,6 @@ locals {
|
|||
}
|
||||
service_accounts_robots = {
|
||||
for service, name in local.service_accounts_robot_services :
|
||||
service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||
}
|
||||
}
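Review bot: The `service == "bq"` conditional added to the `service_accounts_robots` for-expression hides a naming exception inside the interpolation without saying why it exists. Put a comment above the expression, for example `# BigQuery's encryption agent is bq-PROJECT_NUMBER@bigquery-encryption..., every other agent is service-PROJECT_NUMBER@NAME...`, so the next entry with a non-standard prefix is not silently given the wrong address. These strings end up as IAM members on KMS keys, so a malformed address means a failed or misdirected grant. The first hunk of this file also drops `bq` from `service_accounts_default`, so any caller still reading `service_accounts.default.bq` stops resolving; the changelog entry should probably mark this as a breaking output change. The `locals` block extends beyond both hunks.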
|
||||
|
|