

Clean up IAM roles: 5-projects stage needs KMS permissions to create …
…a keyring in environment-wide org projects. Also remove some leftover references to KMS in cai-monitoring
eeaton committed Jun 24, 2024
1 parent 097660c commit ff0f7aa
Showing 3 changed files with 1 addition and 11 deletions.
1 change: 0 additions & 1 deletion 0-bootstrap/main.tf
Expand Up @@ -60,7 +60,6 @@ module "seed_bootstrap" {
project_prefix = var.project_prefix
encrypt_gcs_bucket_tfstate = true
key_rotation_period = "7776000s"
kms_prevent_destroy = !var.bucket_tfstate_kms_force_destroy

project_labels = {
environment = "bootstrap"
1 change: 1 addition & 0 deletions 0-bootstrap/sa.tf
Expand Up @@ -62,6 +62,7 @@ locals {
"roles/accesscontextmanager.policyAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/serviceusage.serviceUsageConsumer",
"roles/cloudkms.admin",
], local.common_roles)),
}

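Review bot: The new `"roles/cloudkms.admin"` entry sits in the same list as `roles/resourcemanager.organizationAdmin` and `roles/accesscontextmanager.policyAdmin`, so if this list is bound at the organization (as those neighbours suggest) the stage service account gets key administration on every keyring in the org, and since KMS Admin carries setIamPolicy on keyrings and keys it could also grant itself Encrypter/Decrypter on the bootstrap tfstate CMEK key. The commit message says the need is only to create a keyring in the environment-wide org projects, so a project-level binding on those projects, or a custom role limited to `cloudkms.keyRings.create` / `cloudkms.cryptoKeys.create`, would meet it with a smaller blast radius. At minimum the entry should record why it is there and how broad it is: `"roles/cloudkms.admin", # 5-projects: create keyrings in env-wide org projects (grants key admin + setIamPolicy wherever bound)`. The `locals` block holding this list starts before the hunk, so which service account receives the roles and where they are bound is not visible here.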
10 changes: 0 additions & 10 deletions 1-org/modules/cai-monitoring/iam.tf
Expand Up @@ -46,15 +46,6 @@ data "google_storage_project_service_account" "gcs_sa" {
project = var.project_id
}

// Encrypter/Decrypter role
resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
for_each = var.enable_cmek ? local.identities : {}

crypto_key_id = var.encryption_key
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = each.value
}

// Cloud Function SA
resource "google_service_account" "cloudfunction" {
account_id = "cai-monitoring"
Expand All @@ -80,7 +71,6 @@ resource "google_project_iam_member" "cloudfunction_iam" {
resource "time_sleep" "wait_kms_iam" {
create_duration = "60s"
depends_on = [
google_kms_crypto_key_iam_member.encrypter_decrypter,
google_organization_iam_member.cloudfunction_findings_editor,
google_project_iam_member.cloudfunction_iam
]
