Add Cloud Build for GCP CI env

roger2hk · roger2hk · commit 251530d429dd · 2024-11-21T17:41:37.000Z
diff --git a/deployment/modules/gcp/cloudbuild/main.tf b/deployment/modules/gcp/cloudbuild/main.tf
@@ -56,10 +56,17 @@ resource "google_project_iam_member" "logging_log_writer" {
 }
 
 resource "google_artifact_registry_repository_iam_member" "artifactregistry_writer" {
-  project = google_artifact_registry_repository.docker.project
-  location = google_artifact_registry_repository.docker.location
+  project    = google_artifact_registry_repository.docker.project
+  location   = google_artifact_registry_repository.docker.location
   repository = google_artifact_registry_repository.docker.name
-  role = "roles/artifactregistry.writer"
+  role       = "roles/artifactregistry.writer"
+  member     = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+# TODO: Use google_cloud_run_service_iam_member to limit the service scope.
+resource "google_project_iam_member" "run_developer" {
+  project = var.project_id
+  role    = "roles/run.developer"
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
@@ -123,8 +130,8 @@ resource "google_cloudbuild_trigger" "build_trigger" {
     ## Deploy container image to Cloud Run.
     ## TODO: Remove this as the `terragrunt apply` will bring up the Cloud Run.
     step {
-      id   = "cloud_run_deploy"
-      name = "gcr.io/google.com/cloudsdktool/cloud-sdk"
+      id         = "cloud_run_deploy"
+      name       = "gcr.io/google.com/cloudsdktool/cloud-sdk"
       entrypoint = "gcloud"
       args = [
         "run",
