replace org_step_sa with a dedicated cai_monitoring_builder sa.

terraform-google-modules · Jun 28, 2024 · 95280e2 · 95280e2
1 parent 21f1870
commit 95280e2
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 5 deletions.
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
@@ -72,9 +72,6 @@ locals {
     ],
     "org" = [
       "roles/resourcemanager.folderAdmin",
-      "roles/logging.logWriter",
-      "roles/storage.objectViewer",
-      "roles/artifactregistry.writer",
     ],
     "env" = [
       "roles/resourcemanager.folderAdmin"

diff --git a/1-org/envs/shared/cai_monitoring.tf b/1-org/envs/shared/cai_monitoring.tf
@@ -21,6 +21,5 @@ module "cai_monitoring" {
   billing_account       = local.billing_account
   project_id            = module.scc_notifications.project_id
   location              = local.default_region
-  build_service_account = local.org_step_terraform_service_account_email
-  build_service_account = "projects/${local.seed_project_id}/serviceAccounts/${local.organization_step_terraform_service_account_email}"
+  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder}"
 }
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
@@ -188,3 +188,14 @@ resource "google_project_iam_member" "kms_admin" {
   role    = "roles/cloudkms.viewer"
   member  = "group:${var.gcp_groups.kms_admin}"
 }
+
+resource "google_project_iam_member" "cai_monitoring_builder" {
+  project = module.scc_notifications.project_id
+  for_each = toset([
+    "roles/logging.logWriter",
+    "roles/storage.objectViewer",
+    "roles/artifactregistry.writer",
+  ])
+  role   = each.key
+  member = "serviceAccount:${google_service_account.cai_monitoring_builder}"
+}
diff --git a/1-org/envs/shared/sa.tf b/1-org/envs/shared/sa.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "cai_monitoring_builder" {
+  project                      = module.scc_notifications.project_id
+  account_id                   = "cai-monitoring-functions-builder"
+  description                  = "Cloud Functions v2 has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
+  create_ignore_already_exists = true
+}