Adding new role to etl-load-sa account and smallchange to etl-subscri…

…ption to force it to refresh. (#756)

metamist_infrastructure/driver.py

@@ -323,10 +323,10 @@ def etl_pubsub_push_subscription(self):
         subscription = gcp.pubsub.Subscription(
             'metamist-etl-subscription',
             topic=self.etl_pubsub_topic.name,
-            ack_deadline_seconds=20,
+            ack_deadline_seconds=30,
             dead_letter_policy=gcp.pubsub.SubscriptionDeadLetterPolicyArgs(
                 dead_letter_topic=self.etl_pubsub_dead_letters_topic.id,
-                max_delivery_attempts=5,
+                max_delivery_attempts=3,
             ),
             push_config=gcp.pubsub.SubscriptionPushConfigArgs(
                 push_endpoint=self.etl_load_function.service_config.uri,
@@ -504,6 +504,16 @@ def _setup_etl(self):
                 'serviceAccount:', self.etl_load_service_account.email
             ),
         )
+        # give the etl_load_service_account ability
+        # to access accessor-configuration in secretmanager
+        gcp.projects.IAMMember(
+            'metamist-etl-load-secret-accessor-role',
+            project=self.config.metamist.gcp.project,
+            role='roles/secretmanager.secretAccessor',
+            member=pulumi.Output.concat(
+                'serviceAccount:', self.etl_load_service_account.email
+            ),
+        )
 
         # serverless-robot-prod.iam.gserviceaccount.com is used
         # by gcloud to setup cloud run service