Adds additonal managed users for the bucket (#1260)

ops/tf-modules/warehouse/main.tf

@@ -41,6 +41,16 @@ resource "google_service_account" "warehouse_readonly" {
   display_name = "Read only service account for ${var.name}"
 }
 
+###
+# Additional bucket_rw users that are managed by this terraform module
+###
+resource "google_service_account" "managed_bucket_rw_user" {
+  for_each = toset(var.additional_bucket_rw_service_account_names)
+
+  account_id   = each.key
+  display_name = "A bucket rw service account ${each.key}"
+}
+
 
 ###
 # BigQuery Dataset
@@ -178,6 +188,20 @@ resource "google_storage_bucket_iam_member" "bucket_rw_write" {
   member   = each.key
 }
 
+resource "google_storage_bucket_iam_member" "managed_bucket_rw_read" {
+  for_each = toset(var.additional_bucket_rw_service_account_names)
+  bucket   = google_storage_bucket.dataset_transfer.name
+  role     = "roles/storage.objectViewer"
+  member   = "serviceAccount:${google_service_account.managed_bucket_rw_user[each.key].email}"
+}
+
+resource "google_storage_bucket_iam_member" "managed_bucket_rw_write" {
+  for_each = toset(var.additional_bucket_rw_service_account_names)
+  bucket   = google_storage_bucket.dataset_transfer.name
+  role     = "roles/storage.objectCreator"
+  member   = "serviceAccount:${google_service_account.managed_bucket_rw_user[each.key].email}"
+}
+
 ###
 # Service account permissions
 ###

ops/tf-modules/warehouse/variables.tf

@@ -37,6 +37,12 @@ variable "bucket_rw_principals" {
   default     = []
 }
 
+variable "additional_bucket_rw_service_account_names" {
+  type        = list(string)
+  description = "List of names to use for new service accounts with rw access"
+  default     = []
+}
+
 variable "cloudsql_db_name" {
   type        = string
   default     = "postgres"