iam.tf
# Long-lived key for the registry service account. The provider exposes the
# generated key material through the resource's `private_key` attribute, so it
# is written to Terraform state; the state backend therefore holds a credential.
# Nothing here rotates the key (a `keepers` map would force a new key whenever
# its values change).
resource "google_service_account_key" "default_key" {
  public_key_type    = "TYPE_X509_PEM_FILE"
  service_account_id = google_service_account.k8s_registry.account_id
}
# Grants the registry service account bucket-owner rights on the container
# registry bucket. roles/storage.legacyBucketOwner carries
# storage.buckets.setIamPolicy and storage.buckets.update in addition to object
# create/delete/list, so this identity can change the bucket's own IAM policy,
# not just push and list objects.
resource "google_storage_bucket_iam_member" "registry_user" {
  role   = "roles/storage.legacyBucketOwner"
  bucket = google_storage_bucket.container_registry.name
  member = "serviceAccount:${google_service_account.k8s_registry.email}"
}
# Turns on Data Access audit logs (DATA_READ, DATA_WRITE, ADMIN_READ) for the
# IAP service so that user SSH sessions into the bastion via IAP are recorded in
# Stackdriver. This resource is authoritative for the iap.googleapis.com audit
# config on the provider's default project: any log type or exempted member not
# declared in this block is removed on apply.
resource "google_project_iam_audit_config" "iap" {
  service = "iap.googleapis.com"

  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }

  audit_log_config {
    log_type = "ADMIN_READ"
  }
}
# Long-lived key for the Velero service account. The key and public key types
# below are the provider defaults, spelled out for readability. As with any
# google_service_account_key, the key material is available via the
# `private_key` attribute and stored in Terraform state; nothing here rotates it.
resource "google_service_account_key" "velero" {
  service_account_id = google_service_account.velero.account_id
  private_key_type   = "TYPE_GOOGLE_CREDENTIALS_FILE"
  public_key_type    = "TYPE_X509_PEM_FILE"
}
# Project-level custom role holding the Compute Engine permissions granted to
# Velero for disk snapshot work. The role id is suffixed with the deployment id
# so that several deployments in one project do not collide on the same role.
resource "google_project_iam_custom_role" "velero_server" {
  title   = "Velero Server"
  role_id = "velero.server.${var.deployment_id}"

  permissions = [
    # persistent disks
    "compute.disks.get",
    "compute.disks.create",
    "compute.disks.createSnapshot",
    # disk snapshots
    "compute.snapshots.get",
    "compute.snapshots.create",
    "compute.snapshots.useReadOnly",
    "compute.snapshots.delete",
    # zone lookup
    "compute.zones.get",
  ]
}
# Binds the custom Velero role to the Velero service account at project scope.
# No `project` is set, so the binding lands in the provider's default project.
resource "google_project_iam_member" "velero_server" {
  role   = google_project_iam_custom_role.velero_server.id
  member = "serviceAccount:${google_service_account.velero.email}"
}
# Lets the Velero service account manage objects in the Kubernetes backup
# bucket. roles/storage.objectAdmin covers create, read, list and delete of
# objects but grants no bucket-level (IAM policy) permissions.
resource "google_storage_bucket_iam_member" "velero_server" {
  role   = "roles/storage.objectAdmin"
  bucket = google_storage_bucket.velero_k8s_backup.name
  member = "serviceAccount:${google_service_account.velero.email}"
}