diff --git a/ops/tf-modules/warehouse/main.tf b/ops/tf-modules/warehouse/main.tf
index c26dd8049..6421479f9 100644
--- a/ops/tf-modules/warehouse/main.tf
+++ b/ops/tf-modules/warehouse/main.tf
@@ -41,6 +41,16 @@ resource "google_service_account" "warehouse_readonly" {
 display_name = "Read only service account for ${var.name}"
 }
+###
+# Additional bucket_rw users that are managed by this terraform module
+###
+resource "google_service_account" "managed_bucket_rw_user" {
+ for_each = toset(var.additional_bucket_rw_service_account_names)
+
+ account_id = each.key
+ display_name = "A bucket rw service account ${each.key}"
+}
+
 ###
 # BigQuery Dataset
@@ -178,6 +188,20 @@ resource "google_storage_bucket_iam_member" "bucket_rw_write" {
 member = each.key
 }
+resource "google_storage_bucket_iam_member" "managed_bucket_rw_read" {
+ for_each = toset(var.additional_bucket_rw_service_account_names)
+ bucket = google_storage_bucket.dataset_transfer.name
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.managed_bucket_rw_user[each.key].email}"
+}
+
+resource "google_storage_bucket_iam_member" "managed_bucket_rw_write" {
+ for_each = toset(var.additional_bucket_rw_service_account_names)
+ bucket = google_storage_bucket.dataset_transfer.name
+ role = "roles/storage.objectCreator"
+ member = "serviceAccount:${google_service_account.managed_bucket_rw_user[each.key].email}"
+}
+
 ###
 # Service account permissions
 ###
diff --git a/ops/tf-modules/warehouse/variables.tf b/ops/tf-modules/warehouse/variables.tf
index 5a326c065..0152c9da4 100644
--- a/ops/tf-modules/warehouse/variables.tf
+++ b/ops/tf-modules/warehouse/variables.tf
@@ -37,6 +37,12 @@ variable "bucket_rw_principals" {
 default = []
 }
+variable "additional_bucket_rw_service_account_names" {
+ type = list(string)
+ description = "List of names to use for new service accounts with rw access"
+ default = []
+}
+
 variable "cloudsql_db_name" {
 type = string
 default = "postgres"
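Review bot: `account_id = each.key` hands the caller's string straight to GCP as the project-unique service-account id, and unlike the neighbouring `warehouse_readonly` resource the new block does not fold `${var.name}` into anything, so two instantiations of this module in the same project with overlapping name lists would contend for the same account ids rather than get distinct accounts. The `###` header should state that callers own uniqueness of these names within the target project, and `display_name = "Bucket rw service account ${each.key} for ${var.name}"` would keep the naming convention of the existing resource and make the owning module instance visible in the console. The id format constraint itself is best enforced on the variable; see the variables.tf hunk.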
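Review bot: The two new bindings should carry a comment saying that "rw" here means read plus create only: `roles/storage.objectCreator` does not include `storage.objects.delete`, so a managed account can upload new objects but cannot overwrite or remove existing ones, and stating that up front avoids someone later widening the role to `objectAdmin` to "fix" an overwrite failure. Both resources duplicate the existing `bucket_rw_write` (and presumably `bucket_rw_read`) bindings with only the member expression changed; a single merged member set, e.g. `bucket_rw_members = setunion(toset(var.bucket_rw_principals), [for sa in google_service_account.managed_bucket_rw_user : "serviceAccount:${sa.email}"])` in a `locals` block feeding the existing two resources, would keep the role pair from drifting between externally supplied and module-managed principals. Keeping the additive `google_storage_bucket_iam_member` rather than an authoritative `_binding` is the right call for a shared bucket and should stay.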
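Review bot: The new variable accepts any string but each entry becomes a GCP `account_id`, which must be 6-30 characters matching `[a-z]([-a-z0-9]*[a-z0-9])`, so a bad entry only fails at apply time after the plan has been approved; a `validation` block would reject it at plan time (needs Terraform 0.13+, and `alltrue` 0.14+, so check the module's `required_version`). The description should also say that the module creates these accounts and that the names must be unique within the project, to distinguish the variable from `bucket_rw_principals`, which takes existing members.
```hcl
variable "additional_bucket_rw_service_account_names" {
  type        = list(string)
  description = "Names (used as GCP account_id, unique per project) of service accounts this module creates and grants read+create access on the transfer bucket"
  default     = []

  validation {
    condition = alltrue([
      for n in var.additional_bucket_rw_service_account_names :
      can(regex("^[a-z]([-a-z0-9]{4,28}[a-z0-9])$", n))
    ])
    error_message = "Each name must be 6-30 characters of lowercase letters, digits and hyphens, start with a letter and not end with a hyphen."
  }
}
```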