locals {
  # Service accounts and their keys are created by this file only when the
  # caller did not supply pre-generated key files through var.gcp_keys_path.
  # The result is always 0 or 1, so every resource below is addressed with
  # [count.index].
  sa_count = var.gcp_keys_path != "" ? 0 : 1

  # IAM member prefix: bindings are written as "serviceAccount:<email>".
  sa_text = "serviceAccount"

  # Shared human-readable prefix for every display_name in this file.
  sa_display_prefix = "Anthos Bare Metal Service Account for"

  # NOTE(review): google_service_account.account_id must be 6-30 characters
  # matching [a-z]([-a-z0-9]*[a-z0-9]). The longest suffix appended to
  # local.cluster_name below is "-register" (9 chars), so cluster_name has to
  # stay within 21 characters — nothing in this file validates that.
}
# Service account used for Container Registry access.
# No IAM role is bound to this account anywhere in this file; if it needs one
# it is granted elsewhere (or not at all). No `project` is set, so it lands in
# the provider's default project.
resource "google_service_account" "gcr_sa" {
  count        = local.sa_count
  account_id   = "${local.cluster_name}-gcr"
  display_name = "${local.sa_display_prefix} ${local.cluster_name} GCR"
}
# Service account for the Connect agent; receives roles/gkehub.connect below.
# Created in the provider's default project (no `project` argument).
resource "google_service_account" "connect_sa" {
  count        = local.sa_count
  account_id   = "${local.cluster_name}-connect"
  display_name = "${local.sa_display_prefix} ${local.cluster_name} Connect"
}
# Service account used to register the cluster with the fleet (GKE Hub);
# receives roles/gkehub.admin below, which is the most privileged role
# granted in this file. Created in the provider's default project.
resource "google_service_account" "register_sa" {
  count        = local.sa_count
  account_id   = "${local.cluster_name}-register"
  display_name = "${local.sa_display_prefix} ${local.cluster_name} Register"
}
# Service account for Cloud Logging / Cloud Monitoring export; it is granted
# only writer/editor roles for those services below (no read of other
# projects' data). Created in the provider's default project.
resource "google_service_account" "cloud_ops_sa" {
  count        = local.sa_count
  account_id   = "${local.cluster_name}-ops"
  display_name = "${local.sa_display_prefix} ${local.cluster_name} Cloud Ops"
}
# Service account used by the bmctl installer. Within this file it is only
# granted roles/compute.viewer; any further permissions the installer needs
# are not configured here. Created in the provider's default project.
resource "google_service_account" "bmctl_sa" {
  count        = local.sa_count
  account_id   = "${local.cluster_name}-bmctl"
  display_name = "${local.sa_display_prefix} ${local.cluster_name} Installation (bmctl)"
}
# Project-level, non-authoritative binding: connect SA -> roles/gkehub.connect.
# No `project` argument, so the binding is made in the provider's default
# project — the same one the service account is created in.
resource "google_project_iam_member" "connect_sa_role_connect" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.connect_sa[count.index].email}"
  role   = "roles/gkehub.connect"
}
# Project-level binding: register SA -> roles/gkehub.admin.
# This is an admin role over every fleet membership in the project, not just
# this cluster; the key minted for this account below should be treated
# accordingly. Binding is made in the provider's default project.
resource "google_project_iam_member" "register_sa_role_admin" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.register_sa[count.index].email}"
  role   = "roles/gkehub.admin"
}
# Cloud Ops SA may write log entries (roles/logging.logWriter) in the
# provider's default project.
resource "google_project_iam_member" "cloud_ops_sa_role_logwriter" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.cloud_ops_sa[count.index].email}"
  role   = "roles/logging.logWriter"
}
# Cloud Ops SA may write metric data (roles/monitoring.metricWriter) in the
# provider's default project.
resource "google_project_iam_member" "cloud_ops_sa_role_metricwriter" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.cloud_ops_sa[count.index].email}"
  role   = "roles/monitoring.metricWriter"
}
# Cloud Ops SA may write resource metadata for the legacy Stackdriver agent
# path (roles/stackdriver.resourceMetadata.writer). A newer equivalent
# (roles/opsconfigmonitoring.resourceMetadata.writer) is granted separately.
resource "google_project_iam_member" "cloud_ops_sa_role_resourcewriter" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.cloud_ops_sa[count.index].email}"
  role   = "roles/stackdriver.resourceMetadata.writer"
}
# Cloud Ops SA may create/edit Monitoring dashboards
# (roles/monitoring.dashboardEditor). This is broader than pure telemetry
# export; keep it only if dashboards are actually provisioned from the cluster.
resource "google_project_iam_member" "cloud_ops_sa_role_dashboard" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.cloud_ops_sa[count.index].email}"
  role   = "roles/monitoring.dashboardEditor"
}
# Cloud Ops SA may write resource metadata through the Ops Config Monitoring
# API (roles/opsconfigmonitoring.resourceMetadata.writer).
resource "google_project_iam_member" "cloud_ops_sa_role_metadata_writer" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.cloud_ops_sa[count.index].email}"
  role   = "roles/opsconfigmonitoring.resourceMetadata.writer"
}
# bmctl SA gets read-only Compute Engine access (roles/compute.viewer) in the
# provider's default project. This is the only role this file grants it.
resource "google_project_iam_member" "bmctl_sa_compute" {
  count  = local.sa_count
  member = "${local.sa_text}:${google_service_account.bmctl_sa[count.index].email}"
  role   = "roles/compute.viewer"
}
# User-managed JSON key for the GCR service account.
# Security caveat: the provider keeps the generated private_key in Terraform
# state in plaintext (base64), so the state backend must be encrypted and
# access-restricted. No `keepers` are set, so the key is never rotated by this
# config, and creation fails if the org policy constraint
# iam.disableServiceAccountKeyCreation is enforced on the project.
resource "google_service_account_key" "gcr_sa_key" {
  service_account_id = google_service_account.gcr_sa[count.index].name
  count              = local.sa_count
}
# User-managed JSON key for the Connect service account.
# Security caveat: the private_key attribute is written to Terraform state in
# plaintext (base64); protect the state backend. No `keepers`, so no rotation
# is driven from here, and an enforced iam.disableServiceAccountKeyCreation
# org policy blocks this resource.
resource "google_service_account_key" "connect_sa_key" {
  service_account_id = google_service_account.connect_sa[count.index].name
  count              = local.sa_count
}
# User-managed JSON key for the Register service account. This account holds
# roles/gkehub.admin project-wide, so this key is the most sensitive secret
# produced by this file: its private_key sits in Terraform state in plaintext
# (base64) and is not rotated (no `keepers`). Creation is blocked if the
# iam.disableServiceAccountKeyCreation org policy is enforced.
resource "google_service_account_key" "register_sa_key" {
  service_account_id = google_service_account.register_sa[count.index].name
  count              = local.sa_count
}
# User-managed JSON key for the Cloud Ops service account.
# Security caveat: private_key is stored in Terraform state in plaintext
# (base64); keep the state backend encrypted and access-restricted. No
# `keepers` means no rotation from this config; an enforced
# iam.disableServiceAccountKeyCreation org policy makes this resource fail.
resource "google_service_account_key" "cloud_ops_sa_key" {
  service_account_id = google_service_account.cloud_ops_sa[count.index].name
  count              = local.sa_count
}
# User-managed JSON key for the bmctl installer service account.
# Security caveat: private_key is persisted in Terraform state in plaintext
# (base64); protect the state backend. The key is not rotated (no `keepers`)
# and cannot be created under an enforced iam.disableServiceAccountKeyCreation
# org policy.
resource "google_service_account_key" "bmctl_sa_key" {
  service_account_id = google_service_account.bmctl_sa[count.index].name
  count              = local.sa_count
}