fix: data_warehouse api identity dependency for p/s (#252)
davenportjw authored Sep 20, 2023
1 parent fc7d4ae commit d2c1256
Showing 2 changed files with 14 additions and 35 deletions.
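--- a/modules/data_warehouse/main.tf
+++ b/modules/data_warehouse/main.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
 
-data "google_project" "project" {
-project_id = var.project_id
-}
-
 module "project-services" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
 version = "14.3"
@@ -47,6 +43,20 @@ module "project-services" {
 "workflows.googleapis.com",
 ]
 
+activate_api_identities = [
+{
+api = "pubsub.googleapis.com"
+roles = [
+"roles/iam.serviceAccountTokenCreator",
+]
+},
+{
+api = "workflows.googleapis.com"
+roles = [
+"roles/workflows.viewer"
+]
+}
+]
 }
 
 // Create random ID to be used for deployment uniqueness
@@ -153,14 +163,6 @@ resource "google_project_iam_member" "eventarc_service_account_invoke_role" {
 ]
 }
 
-# # Get the Pub/Sub service account to trigger the pub/sub notification
-# # TODO: File bug for this to be a pickable service account
-resource "google_project_iam_member" "pub_sub_permissions_token" {
-project = module.project-services.project_id
-role = "roles/iam.serviceAccountTokenCreator"
-member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
-}
-
 // Sleep for 60 seconds to drop start file
 resource "time_sleep" "wait_to_startfile" {
 depends_on = [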
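Review bot: The `pubsub.googleapis.com` entry in the new `activate_api_identities` list grants `roles/iam.serviceAccountTokenCreator` to the Pub/Sub service agent at project scope, which lets that agent mint tokens for every service account in the project, not just the one the subscription impersonates; if only one account is involved, a `google_service_account_iam_member` binding on that account would be the narrower grant, though the subscription itself is not visible in this diff. The removed resource at least carried a comment saying what the grant was for, and the new entry carries none; a line such as `# Pub/Sub service agent: token creator needed for authenticated push delivery — confirm which service account it impersonates` above the entry would preserve that context. The `data "google_project" "project"` data source is dropped in the first hunk, so any remaining `data.google_project.project` reference elsewhere in main.tf or a sibling file would now fail to plan, which is worth a grep since only three hunks are shown. Note also that the `roles/workflows.viewer` grant now lives inside the module while workflows.tf drops its explicit `depends_on` on the service identity, so the workflow resource only orders after this grant if it references `module.project-services` directly.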
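--- a/modules/data_warehouse/workflows.tf
+++ b/modules/data_warehouse/workflows.tf
@@ -14,28 +14,6 @@
  * limitations under the License.
  */
 
-resource "google_project_service_identity" "workflows" {
-provider = google-beta
-project = module.project-services.project_id
-service = "workflows.googleapis.com"
-
-depends_on = [
-module.project-services
-]
-}
-
-# # Grant the Workflow service account access
-resource "google_project_iam_member" "workflow_identity_roles" {
-for_each = toset([
-"roles/workflows.viewer",
-])
-
-project = module.project-services.project_id
-role = each.key
-member = "serviceAccount:${google_project_service_identity.workflows.email}"
-
-}
-
 # Set up Workflows service account
 # # Set up the Workflows service account
 resource "google_service_account" "workflow_service_account" {
@@ -76,6 +54,5 @@ resource "google_workflows_workflow" "workflow" {
 
 depends_on = [
 google_project_iam_member.workflow_service_account_roles,
-google_project_service_identity.workflows,
 ]
 }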
