From 303d01477237648be22123a03c4d15480edafe55 Mon Sep 17 00:00:00 2001
From: Jason Davenport
Date: Tue, 19 Sep 2023 19:56:39 -0600
Subject: [PATCH 1/2] fix api identity for p/s

---
 modules/data_warehouse/main.tf | 22 ++++++++++++++--------
 modules/data_warehouse/workflows.tf | 23 -----------------------
 2 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/modules/data_warehouse/main.tf b/modules/data_warehouse/main.tf
index 53aacbff..8c88a6ee 100644
--- a/modules/data_warehouse/main.tf
+++ b/modules/data_warehouse/main.tf
@@ -47,6 +47,20 @@ module "project-services" {
 "workflows.googleapis.com",
 ]
 
+ activate_api_identities = [
+ {
+ api = "pubsub.googleapis.com"
+ roles = [
+ "roles/iam.serviceAccountTokenCreator",
+ ]
+ },
+ {
+ api = "workflows.googleapis.com"
+ roles = [
+ "roles/workflows.viewer"
+ ]
+ }
+ ]
 }
 
 // Create random ID to be used for deployment uniqueness
@@ -153,14 +167,6 @@ resource "google_project_iam_member" "eventarc_service_account_invoke_role" {
 ]
 }
 
-# # Get the Pub/Sub service account to trigger the pub/sub notification
-# # TODO: File bug for this to be a pickable service account
-resource "google_project_iam_member" "pub_sub_permissions_token" {
- project = module.project-services.project_id
- role = "roles/iam.serviceAccountTokenCreator"
- member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
-}
-
 // Sleep for 60 seconds to drop start file
 resource "time_sleep" "wait_to_startfile" {
 depends_on = [
diff --git a/modules/data_warehouse/workflows.tf b/modules/data_warehouse/workflows.tf
index 3c611341..669b52de 100644
--- a/modules/data_warehouse/workflows.tf
+++ b/modules/data_warehouse/workflows.tf
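Review bot: The `roles/iam.serviceAccountTokenCreator` entry for `pubsub.googleapis.com` in the new `activate_api_identities` list is a project-scoped grant, which lets the Pub/Sub service agent mint tokens for every service account in the project rather than only the one it needs for push authentication; the removed `pub_sub_permissions_token` resource had the same scope, so the commit preserves rather than widens it, but moving it is the right moment to narrow it. As far as I can tell the project_services module only emits project-level `google_project_iam_member` bindings for these roles (please confirm against the module version in use), so the narrower form would keep the Pub/Sub identity entry with `roles = []` and add a `google_service_account_iam_member` on the specific service account the push subscription uses, which is presumably defined elsewhere in this module. Replacing the standalone binding with the module-managed one also destroys and recreates the same project binding within one apply, so a push delivery that fires in that window would fail to obtain a token; a short `time_sleep` or explicit ordering on the subscription would cover it. Minor style point: `"roles/workflows.viewer"` lacks the trailing comma that the `roles/iam.serviceAccountTokenCreator` list uses; `terraform fmt` accepts both, but one convention keeps future diffs to one line.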
@@ -14,28 +14,6 @@
 * limitations under the License.
 */
 
-resource "google_project_service_identity" "workflows" {
- provider = google-beta
- project = module.project-services.project_id
- service = "workflows.googleapis.com"
-
- depends_on = [
- module.project-services
- ]
-}
-
-# # Grant the Workflow service account access
-resource "google_project_iam_member" "workflow_identity_roles" {
- for_each = toset([
- "roles/workflows.viewer",
- ])
-
- project = module.project-services.project_id
- role = each.key
- member = "serviceAccount:${google_project_service_identity.workflows.email}"
-
-}
-
 # Set up Workflows service account
 # # Set up the Workflows service account
 resource "google_service_account" "workflow_service_account" {
@@ -76,6 +54,5 @@ resource "google_workflows_workflow" "workflow" {
 
 depends_on = [
 google_project_iam_member.workflow_service_account_roles,
- google_project_service_identity.workflows,
 ]
 }

From 0492038633a7bb8bb459e35e41dab4927bd77a0f Mon Sep 17 00:00:00 2001
From: Jason Davenport
Date: Tue, 19 Sep 2023 20:01:47 -0600
Subject: [PATCH 2/2] fix lint

---
 modules/data_warehouse/main.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/modules/data_warehouse/main.tf b/modules/data_warehouse/main.tf
index 8c88a6ee..0f99fdbd 100644
--- a/modules/data_warehouse/main.tf
+++ b/modules/data_warehouse/main.tf
@@ -14,10 +14,6 @@
 * limitations under the License.
 */
 
-data "google_project" "project" {
- project_id = var.project_id
-}
-
 module "project-services" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
 version = "14.3"