diff --git a/configs/terraform/environments/prod/iam-variables.tf b/configs/terraform/environments/prod/iam-variables.tf
new file mode 100644
index 000000000000..ceefd563207e
--- /dev/null
+++ b/configs/terraform/environments/prod/iam-variables.tf
@@ -0,0 +1,5 @@
+variable "kyma_developer_admin_email" {
+ description = "The email of the Kyma Developer Admins group."
+ type = string
+ default = "kyma_developer_admin@sap.com"
+}
\ No newline at end of file
diff --git a/configs/terraform/environments/prod/iam.tf b/configs/terraform/environments/prod/iam.tf
new file mode 100644
index 000000000000..5edbd87ca953
--- /dev/null
+++ b/configs/terraform/environments/prod/iam.tf
@@ -0,0 +1,20 @@
+# Setups IAM for the project administrators in the kyma-project GCP project.
+import {
+ id = "kyma-project roles/editor group:kyma_developer_admin@sap.com"
+ to = google_project_iam_member.kyma_developer_admin_editor
+}
+
+resource "google_project_iam_member" "kyma_developer_admin_editor" {
+ provider = google.kyma_project
+ project = var.kyma_project_gcp_project_id
+ role = "roles/editor"
+ member = "group:${var.kyma_developer_admin_email}"
+}
+
+# Add roles required to see audit logs in kyma-project GCP project.
+resource "google_project_iam_member" "kyma_developer_admin_logging_viewer" {
+ provider = google.kyma_project
+ project = var.kyma_project_gcp_project_id
+ role = "roles/logging.viewer"
+ member = "group:${var.kyma_developer_admin_email}"
+}
diff --git a/configs/terraform/environments/prod/service_accounts.tf b/configs/terraform/environments/prod/service_accounts.tf
index cfdc6bd8f901..7312e42f57eb 100644
--- a/configs/terraform/environments/prod/service_accounts.tf
+++ b/configs/terraform/environments/prod/service_accounts.tf
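Review bot: In iam.tf the `import` block's `id` pins the project and principal as literals (`"kyma-project roles/editor group:kyma_developer_admin@sap.com"`) while the resource it targets derives `project` from `var.kyma_project_gcp_project_id` and `member` from `var.kyma_developer_admin_email`, so changing either variable makes the imported state and the planned binding refer to different principals and the plan will show a replace rather than a no-op. If the pinned Terraform version accepts expressions in `id`, build it from the same variables, `id = "${var.kyma_project_gcp_project_id} roles/editor group:${var.kyma_developer_admin_email}"`; otherwise add `# NOTE: must match the defaults of kyma_project_gcp_project_id and kyma_developer_admin_email` above it. `roles/editor` is a basic role that grants write access to nearly every service in the project; since this commit only imports an existing binding rather than creating it, at least record the intent with `# TODO: replace roles/editor with the predefined roles the admins actually need`. The comment on the second resource says it covers audit logs, but `roles/logging.viewer` does not include Data Access audit logs (those require `roles/logging.privateLogViewer`), so either the comment or the role should be adjusted.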
@@ -4,12 +4,6 @@ resource "google_service_account" "sa-gke-kyma-integration" {
 description = "Service account is used by Prow to integrate with GKE. Will be removed with Prow"
 }
 
-resource "google_service_account" "gcr-cleaner" {
- account_id = "gcr-cleaner"
- display_name = "gcr-cleaner"
- description = "Service account is used by gcr-cleaner tool."
-}
-
 resource "google_service_account" "control-plane" {
 account_id = "control-plane"
 display_name = "control-plane"