From 81373a188d56c0e8c67665b1985a069c345b2eae Mon Sep 17 00:00:00 2001
From: Antonio Bosak
Date: Thu, 10 Jul 2025 16:03:09 +0200
Subject: [PATCH 1/3] fix iam policies
---
 terraform/modules/pubsub/main.tf | 36 +++++++--------------------
 terraform/modules/pubsub/variables.tf | 10 --------
 2 files changed, 9 insertions(+), 37 deletions(-)
diff --git a/terraform/modules/pubsub/main.tf b/terraform/modules/pubsub/main.tf
index 798fd719..519cb554 100644
--- a/terraform/modules/pubsub/main.tf
+++ b/terraform/modules/pubsub/main.tf
@@ -110,58 +110,40 @@ resource "google_pubsub_subscription" "amplifier_tasks_sub" {
 labels = var.default_labels
 }
 
-data "google_iam_policy" "tasks_publish" {
+data "google_iam_policy" "pubsub_publisher" {
 binding {
 role = "roles/pubsub.publisher"
 members = [
- "serviceAccount:${var.tasks_publisher_service_account_email}",
+ "serviceAccount:${var.publisher_service_account_email}",
 ]
 }
 }
 
-data "google_iam_policy" "tasks_subscribe" {
+data "google_iam_policy" "pubsub_subscriber" {
 binding {
- role = "roles/pubsub.publisher"
- members = [
- "serviceAccount:${var.tasks_subscriber_service_account_email}",
- ]
- }
- }
-
-data "google_iam_policy" "events_publish" {
- binding {
- role = "roles/pubsub.publisher"
- members = [
- "serviceAccount:${var.events_publisher_service_account_email}",
- ]
- }
- }
-
-data "google_iam_policy" "events_subscribe" {
- binding {
- role = "roles/pubsub.publisher"
+ role = "roles/pubsub.subscriber"
 members = [
- "serviceAccount:${var.events_subscriber_service_account_email}",
+ "serviceAccount:${var.subscriber_service_account_email}",
 ]
 }
 }
 
 resource "google_pubsub_topic_iam_policy" "tasks_publish" {
 topic = google_pubsub_topic.amplifier_tasks.name
- policy_data = data.google_iam_policy.tasks_publish.policy_data
+ policy_data = data.google_iam_policy.pubsub_publisher.policy_data
 }
 
 resource "google_pubsub_topic_iam_policy" "tasks_subscribe" {
 topic = google_pubsub_topic.amplifier_tasks.name
- policy_data = data.google_iam_policy.tasks_subscribe.policy_data
+ policy_data = data.google_iam_policy.pubsub_subscriber.policy_data
 }
 
 resource "google_pubsub_topic_iam_policy" "events_publish" {
 topic = google_pubsub_topic.amplifier_events.name
- policy_data = data.google_iam_policy.events_publish.policy_data
+ policy_data = data.google_iam_policy.pubsub_subscriber.policy_data
 }
 
 resource "google_pubsub_topic_iam_policy" "events_subscribe" {
 topic = google_pubsub_topic.amplifier_events.name
- policy_data = data.google_iam_policy.events_subscribe.policy_data
+ policy_data = data.google_iam_policy.events_publisher.policy_data
 }
diff --git a/terraform/modules/pubsub/variables.tf b/terraform/modules/pubsub/variables.tf
index ef83196d..15eec294 100644
--- a/terraform/modules/pubsub/variables.tf
+++ b/terraform/modules/pubsub/variables.tf
@@ -61,16 +61,6 @@ variable "tasks_subscriber_service_account_email" {
 description = "The email address of the tasks subscriber service account"
 }
 
-variable "events_publisher_service_account_email" {
- type = string
- description = "The email address of the events publisher service account"
-}
-
-variable "events_subscriber_service_account_email" {
- type = string
- description = "The email address of the events subscriber service account"
-}
-
 variable "default_labels" {
 description = "Default labels to apply to all resources"
 type = map(string)
From 7d1ee9e8c0f5e538cf2ce0651d3c6da22e195cb5 Mon Sep 17 00:00:00 2001
From: Antonio Bosak
Date: Thu, 10 Jul 2025 16:05:12 +0200
Subject: [PATCH 2/3] var name change
---
 terraform/modules/pubsub/variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/pubsub/variables.tf b/terraform/modules/pubsub/variables.tf
index 15eec294..7bf47800 100644
--- a/terraform/modules/pubsub/variables.tf
+++ b/terraform/modules/pubsub/variables.tf
@@ -51,12 +51,12 @@ variable "allowed_persistence_regions" {
 default = ["europe-north2"]
 }
 
-variable "tasks_publisher_service_account_email" {
+variable "publisher_service_account_email" {
 type = string
 description = "The email address of the tasks publisher service account"
 }
 
-variable "tasks_subscriber_service_account_email" {
+variable "subscriber_service_account_email" {
 type = string
 description = "The email address of the tasks subscriber service account"
 }
From 7b99880eba94332c30e15b106f983c924771e34b Mon Sep 17 00:00:00 2001
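Review bot: `tasks_publish` and `tasks_subscribe` are two `google_pubsub_topic_iam_policy` resources on the same `google_pubsub_topic.amplifier_tasks` (and `events_publish`/`events_subscribe` repeat this on `amplifier_events`); that resource type is authoritative for the whole topic policy, so each apply lets one of the pair replace the other's binding and the next plan shows drift — only one of the two grants is ever live. Replacing the four resources with the per-role `google_pubsub_topic_iam_binding` (or one `google_iam_policy` with two `binding` blocks per topic) removes the conflict and makes the `pubsub_publisher`/`pubsub_subscriber` data sources unnecessary; the rewrite below shows the tasks topic. Separately, `roles/pubsub.subscriber` is granted on the topic, but the pull permission (`pubsub.subscriptions.consume`) is checked on the subscription, so if the subscriber SA is meant to pull from `amplifier_tasks_sub` it needs a `google_pubsub_subscription_iam_*` grant there rather than a topic-level one. The hunk also merges the former tasks/events publisher and subscriber SAs into a single pair, so each workload can now publish to or attach to both topics; if that widening is intended, a one-line comment on the data sources saying so would save the next reader from assuming it is accidental.
```hcl
resource "google_pubsub_topic_iam_binding" "tasks_publish" {
  topic   = google_pubsub_topic.amplifier_tasks.name
  role    = "roles/pubsub.publisher"
  members = ["serviceAccount:${var.publisher_service_account_email}"]
}

resource "google_pubsub_topic_iam_binding" "tasks_subscribe" {
  topic   = google_pubsub_topic.amplifier_tasks.name
  role    = "roles/pubsub.subscriber"
  members = ["serviceAccount:${var.subscriber_service_account_email}"]
}

# … unchanged: same two bindings for google_pubsub_topic.amplifier_events …
```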
From: Antonio Bosak
Date: Thu, 10 Jul 2025 16:06:30 +0200
Subject: [PATCH 3/3] ugh...
---
 terraform/modules/pubsub/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/modules/pubsub/main.tf b/terraform/modules/pubsub/main.tf
index 519cb554..411aa16b 100644
--- a/terraform/modules/pubsub/main.tf
+++ b/terraform/modules/pubsub/main.tf
@@ -145,5 +145,5 @@ resource "google_pubsub_topic_iam_policy" "events_publish" {
 
 resource "google_pubsub_topic_iam_policy" "events_subscribe" {
 topic = google_pubsub_topic.amplifier_events.name
- policy_data = data.google_iam_policy.events_publisher.policy_data
+ policy_data = data.google_iam_policy.pubsub_publisher.policy_data
 }
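Review bot: After this fix `events_subscribe` binds the `pubsub_publisher` policy while `events_publish` (the resource named in the hunk header, pointed at `pubsub_subscriber` in the first commit) binds the subscriber policy, so each resource now grants the opposite of what its name says; the reference here should be `policy_data = data.google_iam_policy.pubsub_subscriber.policy_data`, with `events_publish` taking `pubsub_publisher`. Even once swapped, both are authoritative `google_pubsub_topic_iam_policy` resources on `google_pubsub_topic.amplifier_events`, so whichever applies last overwrites the other's binding and the next plan shows drift. Folding them into one policy with two `binding` blocks, or one `google_pubsub_topic_iam_binding` per role, is the durable fix.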