From d2c125676f176c8fa33eb9dad12b7ed992dee6ac Mon Sep 17 00:00:00 2001
From: Jason Davenport
Date: Wed, 20 Sep 2023 12:49:10 +0000
Subject: [PATCH] fix: data_warehouse api identity dependency for p/s (#252)

---
 modules/data_warehouse/main.tf | 26 ++++++++++++++------------
 modules/data_warehouse/workflows.tf | 23 -----------------------
 2 files changed, 14 insertions(+), 35 deletions(-)

diff --git a/modules/data_warehouse/main.tf b/modules/data_warehouse/main.tf
index 53aacbff..0f99fdbd 100644
--- a/modules/data_warehouse/main.tf
+++ b/modules/data_warehouse/main.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
 
-data "google_project" "project" {
- project_id = var.project_id
-}
-
 module "project-services" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
 version = "14.3"
@@ -47,6 +43,20 @@ module "project-services" {
 "workflows.googleapis.com",
 ]
 
+ activate_api_identities = [
+ {
+ api = "pubsub.googleapis.com"
+ roles = [
+ "roles/iam.serviceAccountTokenCreator",
+ ]
+ },
+ {
+ api = "workflows.googleapis.com"
+ roles = [
+ "roles/workflows.viewer"
+ ]
+ }
+ ]
 }
 
 // Create random ID to be used for deployment uniqueness
@@ -153,14 +163,6 @@ resource "google_project_iam_member" "eventarc_service_account_invoke_role" {
 ]
 }
 
-# # Get the Pub/Sub service account to trigger the pub/sub notification
-# # TODO: File bug for this to be a pickable service account
-resource "google_project_iam_member" "pub_sub_permissions_token" {
- project = module.project-services.project_id
- role = "roles/iam.serviceAccountTokenCreator"
- member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
-}
-
 // Sleep for 60 seconds to drop start file
 resource "time_sleep" "wait_to_startfile" {
 depends_on = [
diff --git a/modules/data_warehouse/workflows.tf b/modules/data_warehouse/workflows.tf
index 3c611341..669b52de 100644
--- a/modules/data_warehouse/workflows.tf
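Review bot: The `roles/iam.serviceAccountTokenCreator` entry added under `activate_api_identities` for `pubsub.googleapis.com` is, as far as I can tell from how the project_services module applies these roles, bound at project scope, which lets the Pub/Sub service agent mint tokens for every service account in the project rather than only the one its push delivery impersonates. The removed `pub_sub_permissions_token` resource was equally broad, so the commit preserves this rather than introduces it, but folding the grant into a module input makes the scope much easier to overlook. If only one service account needs to be impersonated, the least-privilege form is a `google_service_account_iam_member` on that account with the Pub/Sub service agent as `member`, keeping the module entry only for creating the identity; whether the module exposes the agent email for that is not visible here. Failing that, add a comment on the pubsub entry, e.g. `# project-wide TokenCreator: lets the Pub/Sub service agent impersonate every SA in this project; scope to the target SA if possible`. The enclosing `module "project-services"` block opens in the hunk above this one.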
+++ b/modules/data_warehouse/workflows.tf
@@ -14,28 +14,6 @@
  * limitations under the License.
  */
 
-resource "google_project_service_identity" "workflows" {
- provider = google-beta
- project = module.project-services.project_id
- service = "workflows.googleapis.com"
-
- depends_on = [
- module.project-services
- ]
-}
-
-# # Grant the Workflow service account access
-resource "google_project_iam_member" "workflow_identity_roles" {
- for_each = toset([
- "roles/workflows.viewer",
- ])
-
- project = module.project-services.project_id
- role = each.key
- member = "serviceAccount:${google_project_service_identity.workflows.email}"
-
-}
-
 # Set up Workflows service account
 # # Set up the Workflows service account
 resource "google_service_account" "workflow_service_account" {
@@ -76,6 +54,5 @@ resource "google_workflows_workflow" "workflow" {
 depends_on = [
 google_project_iam_member.workflow_service_account_roles,
- google_project_service_identity.workflows,
 ]
 }