Allow rekor service account to post to metrics (#1163)

The rekor service account was assigned the cloudsql.client to allow it
to connect to MySQL, but it was not given permission to report metrics
for doing so. Copy the permissions that the trillian logserver user has
to post to Stackdriver.

Signed-off-by: Colleen Murphy <[email protected]>

terraform/gcp/modules/rekor/service_accounts.tf

@@ -62,3 +62,17 @@ resource "google_project_iam_member" "db_admin_member_rekor" {
   member     = "serviceAccount:${google_service_account.rekor-sa.email}"
   depends_on = [google_service_account.rekor-sa]
 }
+
+resource "google_project_iam_member" "logserver_iam" {
+  # // Give rekor permission to export metrics to Stackdriver
+  for_each = toset([
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter",
+    "roles/stackdriver.resourceMetadata.writer",
+    "roles/cloudtrace.agent"
+  ])
+  project    = var.project_id
+  role       = each.key
+  member     = "serviceAccount:${google_service_account.rekor-sa.email}"
+  depends_on = [google_service_account.rekor-sa]
+}