Merge pull request #59 from ollionorg/bug/fix-2

fixed bug Permission denied on Cloud KMS key. Please ensure that your…
ollionorg · Mar 13, 2024 · 24ef9e0 · 24ef9e0
2 parents 67c17d8 + 7982fae
commit 24ef9e0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/modules/cloudbuild/main.tf b/modules/cloudbuild/main.tf
@@ -122,11 +122,12 @@ resource "google_kms_crypto_key" "tf_key" {
 
 resource "google_kms_crypto_key_iam_binding" "cloudbuild_crypto_key_decrypter" {
   crypto_key_id = google_kms_crypto_key.tf_key.id
-  role          = "roles/cloudkms.cryptoKeyDecrypter"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
   members = [
     "serviceAccount:${module.cloudbuild_project.project_number}@cloudbuild.gserviceaccount.com",
-    "serviceAccount:${var.terraform_sa_email}"
+    "serviceAccount:${var.terraform_sa_email}",
+    "serviceAccount:service-${module.cloudbuild_project.project_number}@gs-project-accounts.iam.gserviceaccount.com"
   ]
 }
 

diff --git a/modules/terraform-google-bootstrap/main.tf b/modules/terraform-google-bootstrap/main.tf
@@ -119,24 +119,30 @@ resource "google_storage_bucket" "org_terraform_state" {
   versioning {
     enabled = true
   }
-   encryption {
-      default_kms_key_name = module.kms.keys["${var.project_prefix}-key"]
-    }
+  encryption {
+    default_kms_key_name = module.kms.keys["${var.project_prefix}-key"]
+  }
 }
 
 //Creating folder to store UI evidence
 
 resource "google_storage_bucket_object" "ui_evidence" {
-  name          = "ui-evidence/"
-  content       = "To store evidences collected form UI."
-  bucket        = google_storage_bucket.org_terraform_state.name
+  name    = "ui-evidence/"
+  content = "To store evidences collected form UI."
+  bucket  = google_storage_bucket.org_terraform_state.name
 }
 
 /***********************************************
   Authorative permissions at org. Required to
   remove default org wide permissions
   granting billing account and project creation.
  ***********************************************/
+resource "google_project_iam_binding" "gs_encrypt_decrypt" {
+  members = [
+  "serviceAccount: service-${module.seed_project.project_number}@gs-project-accounts.iam.gserviceaccount.com"]
+  project = module.seed_project.project_id
+  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+}
 
 resource "google_organization_iam_binding" "billing_creator" {
   org_id = var.org_id