From ff0f7aaed21e8f2de42031ee8bf94dc0ef95ed14 Mon Sep 17 00:00:00 2001
From: Elliot
Date: Mon, 24 Jun 2024 08:40:56 +0000
Subject: [PATCH] Clean up IAM roles: 5-projects stage needs KMS permissions to create a keyring in environment-wide org projects. Also remove some leftover references to KMS in cai-monitoring
---
0-bootstrap/main.tf | 1 -
0-bootstrap/sa.tf | 1 +
1-org/modules/cai-monitoring/iam.tf | 10 ----------
3 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf
index 3c48d6dda..bac71557f 100644
--- a/0-bootstrap/main.tf
+++ b/0-bootstrap/main.tf
@@ -60,7 +60,6 @@ module "seed_bootstrap" {
project_prefix = var.project_prefix
encrypt_gcs_bucket_tfstate = true
key_rotation_period = "7776000s"
- kms_prevent_destroy = !var.bucket_tfstate_kms_force_destroy

project_labels = {
environment = "bootstrap"
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index b18d5c375..da23168b0 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
@@ -62,6 +62,7 @@ locals {
"roles/accesscontextmanager.policyAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/serviceusage.serviceUsageConsumer",
+ "roles/cloudkms.admin",
], local.common_roles)),
}

diff --git a/1-org/modules/cai-monitoring/iam.tf b/1-org/modules/cai-monitoring/iam.tf
index af723709c..48226d04b 100644
--- a/1-org/modules/cai-monitoring/iam.tf
+++ b/1-org/modules/cai-monitoring/iam.tf
@@ -46,15 +46,6 @@ data "google_storage_project_service_account" "gcs_sa" {
project = var.project_id
}

-// Encrypter/Decrypter role
-resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
- for_each = var.enable_cmek ? local.identities : {}
-
- crypto_key_id = var.encryption_key
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = each.value
-}
-
// Cloud Function SA
resource "google_service_account" "cloudfunction" {
account_id = "cai-monitoring"
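Review bot: `roles/cloudkms.admin`, added to this role list, grants considerably more than the keyring creation the commit message asks for — the predefined role also carries `cloudkms.cryptoKeys.setIamPolicy`, `cloudkms.keyRings.setIamPolicy` and key-version destruction, so whichever service account receives this list can grant itself (or any principal) `cryptoKeyEncrypterDecrypter` on every key inside the binding scope, including keys it did not create. The scope is not visible here (the `locals` block starts before the hunk and the binding resource is elsewhere); if this list is bound at organization or folder level rather than on the environment KMS projects, that reach presumably extends to the bootstrap tfstate CMEK key as well. Prefer a custom role limited to `cloudkms.keyRings.create`, `cloudkms.keyRings.get`, `cloudkms.cryptoKeys.create`, `cloudkms.cryptoKeys.get` and `cloudkms.cryptoKeys.list` (adding `cloudkms.cryptoKeys.setIamPolicy` only if the stage binds key users itself), or bind the predefined role only on the env KMS projects. At minimum record the trade-off on the new line: `"roles/cloudkms.admin", # TODO(least-privilege): includes key IAM + destruction; narrow to keyRings/cryptoKeys.create or bind only on env KMS projects`.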
@@ -80,7 +71,6 @@ resource "google_project_iam_member" "cloudfunction_iam" {
resource "time_sleep" "wait_kms_iam" {
create_duration = "60s"
depends_on = [
- google_kms_crypto_key_iam_member.encrypter_decrypter,
google_organization_iam_member.cloudfunction_findings_editor,
google_project_iam_member.cloudfunction_iam
]