From 43a52e74db21d0d839010764e81b97ad4d713332 Mon Sep 17 00:00:00 2001
From: Zeid Derhally <derhally@gmail.com>
Date: Tue, 26 Nov 2024 14:45:45 -0500
Subject: [PATCH] Add support for granting permissions to apache kafka service
 agent

Managed Kafka service agent needs roles/managedkafka.serviceAgent on the subnet.
---
 modules/shared_vpc_access/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
index 345d10e8..564664c0 100644
--- a/modules/shared_vpc_access/main.tf
+++ b/modules/shared_vpc_access/main.tf
@@ -58,6 +58,10 @@ locals {
       service_account = format("service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com", local.service_project_number)
       role            = "roles/compute.networkUser"
     }
+    "managedkafka.googleapis.com" : {
+      service_account = format("service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com", local.service_project_number)
+      role            = "roles/managedkafka.serviceAgent"
+    }
   }
   gke_shared_vpc_enabled        = contains(var.active_apis, "container.googleapis.com")
   composer_shared_vpc_enabled   = contains(var.active_apis, "composer.googleapis.com")