# Service account for the nginx hosts (per its name). Within this file it is
# granted exactly two things: read access to the nginx secret and
# project-wide roles/compute.networkViewer.
resource "google_service_account" "gce-nginx-sa" {
  account_id   = "gce-nginx-sa"
  display_name = "nginx service account for secret access"
}
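# Grant the nginx service account permission to read the nginx secret payload.
# google_secret_manager_secret_iam_member is additive: it manages only this one
# (role, member) pair and leaves every other grant on the secret untouched.
resource "google_secret_manager_secret_iam_member" "gce-nginx-sa-iam" {
  # google_secret_manager_secret.nginx-secret is declared elsewhere in this module.
  secret_id = google_secret_manager_secret.nginx-secret.secret_id
  role      = "roles/secretmanager.secretAccessor"
  # Referencing the service account's email already creates the dependency
  # edge on google_service_account.gce-nginx-sa, so no explicit depends_on
  # is needed (the previous one duplicated this implicit dependency).
  member = "serviceAccount:${google_service_account.gce-nginx-sa.email}"
}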
# Read-only access to Compute networking resources for the nginx service
# account. Note the scope: the role is granted on the whole project
# (var.gcpProjectId), not on a single network or subnetwork.
# google_project_iam_member is additive; it does not affect other members
# holding this role on the project.
resource "google_project_iam_member" "project" {
  project = var.gcpProjectId
  member  = "serviceAccount:${google_service_account.gce-nginx-sa.email}"
  role    = "roles/compute.networkViewer"
}
# Service account for the controller hosts (per its name). Within this file it
# is granted read access to the controller secret and read-only object access
# to the controller bucket.
resource "google_service_account" "gce-controller-sa" {
  account_id   = "gce-controller-sa"
  display_name = "controller service account for secret access"
}
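# Grant the controller service account permission to read the controller
# secret payload. google_secret_manager_secret_iam_member is additive: it
# manages only this one (role, member) pair and leaves every other grant on
# the secret untouched.
resource "google_secret_manager_secret_iam_member" "gce-controller-sa-iam" {
  # google_secret_manager_secret.controller-secret is declared elsewhere in this module.
  secret_id = google_secret_manager_secret.controller-secret.secret_id
  role      = "roles/secretmanager.secretAccessor"
  # Referencing the service account's email already creates the dependency
  # edge on google_service_account.gce-controller-sa, so no explicit
  # depends_on is needed (the previous one duplicated this implicit dependency).
  member = "serviceAccount:${google_service_account.gce-controller-sa.email}"
}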
# Read-only object access to the controller bucket (var.controllerBucket,
# declared elsewhere) for the controller service account.
#
# google_storage_bucket_iam_binding is authoritative for the role it names:
# after apply, the members listed here are the only principals holding
# roles/storage.objectViewer on this bucket, and any other grant of that role
# made outside Terraform is removed. Other roles on the bucket are not
# affected. If additional viewers must coexist with this one, the additive
# google_storage_bucket_iam_member resource is the appropriate alternative.
resource "google_storage_bucket_iam_binding" "binding" {
  bucket  = var.controllerBucket
  role    = "roles/storage.objectViewer"
  members = ["serviceAccount:${google_service_account.gce-controller-sa.email}"]
}