From d8a097a6be88e06ca5afdbadafcc1f70615f4153 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Wed, 3 Jul 2024 06:57:15 -0700
Subject: [PATCH] Allow rekor service account to post to metrics (#1163)

The rekor service account was assigned the cloudsql.client to allow it to connect to MySQL, but it was not given permission to report metrics for doing so. Copy the permissions that the trillian logserver user has to post to Stackdriver.

Signed-off-by: Colleen Murphy
---
 terraform/gcp/modules/rekor/service_accounts.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/terraform/gcp/modules/rekor/service_accounts.tf b/terraform/gcp/modules/rekor/service_accounts.tf
index 510460df4..25fd5dc1a 100644
--- a/terraform/gcp/modules/rekor/service_accounts.tf
+++ b/terraform/gcp/modules/rekor/service_accounts.tf
@@ -62,3 +62,17 @@ resource "google_project_iam_member" "db_admin_member_rekor" {
 member = "serviceAccount:${google_service_account.rekor-sa.email}"
 depends_on = [google_service_account.rekor-sa]
 }
+
+resource "google_project_iam_member" "logserver_iam" {
+ # // Give rekor permission to export metrics to Stackdriver
+ for_each = toset([
+ "roles/logging.logWriter",
+ "roles/monitoring.metricWriter",
+ "roles/stackdriver.resourceMetadata.writer",
+ "roles/cloudtrace.agent"
+ ])
+ project = var.project_id
+ role = each.key
+ member = "serviceAccount:${google_service_account.rekor-sa.email}"
+ depends_on = [google_service_account.rekor-sa]
+}
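Review bot: The new resource is named `logserver_iam` but binds roles to the rekor service account, which will mislead anyone auditing bindings in this module; the sibling resource in the same hunk follows a `<purpose>_rekor` pattern, so `resource "google_project_iam_member" "metrics_writer_rekor" {` would match the file's convention (it is a new resource, so renaming costs nothing in state). The role set appears copied wholesale from the trillian logserver rather than scoped to what the commit message says rekor needs ("report metrics"): `roles/cloudtrace.agent` grants trace-write, which is only needed if rekor actually emits traces, and `roles/stackdriver.resourceMetadata.writer` is a legacy Stackdriver role — confirm each is exercised by rekor and drop the ones that are not, so the binding stays at least privilege. The inline comment carries a doubled marker, `# // Give ...`; HCL only needs `# Give rekor permission to export metrics to Stackdriver`. The explicit `depends_on` is redundant because `member` already references `google_service_account.rekor-sa`, though it matches the existing resource's style and may be kept for consistency.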