From 6cd0fc480ca0db204c741d167a61ea2fa671d753 Mon Sep 17 00:00:00 2001
From: Aleksandr Skoriy
Date: Wed, 7 Apr 2021 22:22:39 +0300
Subject: [PATCH] feat: Grant pull subscription permissions for external service account (#68)
---
README.md | 1 +
main.tf | 24 ++++++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/README.md b/README.md
index 8d8d64c..11b0e3d 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ module "pubsub" {
minimum_backoff = "300s" // optional
filter = "attributes.domain = \"com\"" // optional
enable_message_ordering = true // optional
+ service_account = "service2@project2.iam.gserviceaccount.com" // optional
}
]
}
diff --git a/main.tf b/main.tf
index 4966d78..a04a3b5 100644
--- a/main.tf
+++ b/main.tf
@@ -234,3 +234,27 @@ resource "google_pubsub_subscription" "pull_subscriptions" {
google_pubsub_topic.topic,
]
}
+
+resource "google_pubsub_subscription_iam_member" "pull_subscription_sa_binding_subscriber" {
+ for_each = var.create_topic ? { for i in var.pull_subscriptions : i.name => i if lookup(i, "service_account", null) != null } : {}
+
+ project = var.project_id
+ subscription = each.value.name
+ role = "roles/pubsub.subscriber"
+ member = "serviceAccount:${each.value.service_account}"
+ depends_on = [
+ google_pubsub_subscription.pull_subscriptions,
+ ]
+}
+
+resource "google_pubsub_subscription_iam_member" "pull_subscription_sa_binding_viewer" {
+ for_each = var.create_topic ? { for i in var.pull_subscriptions : i.name => i if lookup(i, "service_account", null) != null } : {}
+
+ project = var.project_id
+ subscription = each.value.name
+ role = "roles/pubsub.viewer"
+ member = "serviceAccount:${each.value.service_account}"
+ depends_on = [
+ google_pubsub_subscription.pull_subscriptions,
+ ]
+}
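Review bot: Both new `google_pubsub_subscription_iam_member` resources in the main.tf hunk repeat the same `for_each` expression, so the `var.create_topic` gate and the `service_account != null` filter are maintained in two places; hoisting it into a local such as `locals { pull_subscriptions_with_sa = var.create_topic ? { for i in var.pull_subscriptions : i.name => i if lookup(i, "service_account", null) != null } : {} }` and using `for_each = local.pull_subscriptions_with_sa` in both keeps the two grants in step. The filter also lets an empty string through, which yields the invalid member `serviceAccount:` and fails at apply rather than at plan; tightening it to `if try(i.service_account, "") != ""` catches that earlier. From a least-privilege view, `roles/pubsub.subscriber` on the subscription is what a pull consumer needs, and the separate `roles/pubsub.viewer` binding on the same subscription appears redundant for that purpose, so it is worth either dropping it or adding a comment stating which permission it is there for. Using `_iam_member` rather than `_iam_binding` keeps the grants additive, so bindings managed outside this module are not overwritten, which is the right choice for an optional per-subscription grant.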