
Commit abc8ff1

authored
Remove IAM from GCP Cloud Run module (#69)
1 parent f7a3741 commit abc8ff1


1 file changed

+4
-46
lines changed


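--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -14,52 +14,10 @@ resource "google_project_service" "cloudrun_api" {
 disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudrun_service_account" {
-account_id = "cloudrun-${var.env}-sa"
-display_name = "Service Account for Cloud Run (${var.env})"
-}
-
-resource "google_project_iam_member" "run_service_agent" {
-project = var.project_id
-role = "roles/run.serviceAgent"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "monitoring_metric_writer" {
-project = var.project_id
-role = "roles/monitoring.metricWriter"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_storage_bucket_iam_member" "member" {
-bucket = var.bucket
-role = "roles/storage.objectUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_secret_accessor" {
-project = var.project_id
-role = "roles/secretmanager.secretAccessor"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
-instance = var.log_spanner_instance
-database = var.log_spanner_db
-role = "roles/spanner.databaseUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
-instance = var.log_spanner_instance
-database = var.dedup_spanner_db
-role = "roles/spanner.databaseUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
 locals {
-spanner_log_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.log_spanner_db}"
-spanner_dedup_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.dedup_spanner_db}"
+cloudrun_service_account_id = "cloudrun-${var.env}-sa"
+spanner_log_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.log_spanner_db}"
+spanner_dedup_db_path = "projects/${var.project_id}/instances/${var.log_spanner_instance}/databases/${var.dedup_spanner_db}"
 }
 
 resource "google_cloud_run_v2_service" "default" {
@@ -68,7 +26,7 @@ resource "google_cloud_run_v2_service" "default" {
 launch_stage = "GA"
 
 template {
-service_account = google_service_account.cloudrun_service_account.account_id
+service_account = "projects/${var.project_id}/serviceAccounts/${local.cloudrun_service_account_id}@${var.project_id}.iam.gserviceaccount.com"
 max_instance_request_concurrency = 700
 timeout = "5s"
 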
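Review bot: The new `cloudrun_service_account_id` local and the `service_account` line in the second hunk hard-code the identity of a service account that this module no longer creates or binds, so the module now silently depends on an externally managed account named `cloudrun-${var.env}-sa` in `var.project_id` carrying at least the bindings the first hunk removes (`roles/run.serviceAgent`, `roles/monitoring.metricWriter`, `roles/storage.objectUser` on `var.bucket`, `roles/secretmanager.secretAccessor`, and `roles/spanner.databaseUser` on both Spanner databases), and nothing in the file states that. A comment above the local such as `# The Cloud Run service account is managed outside this module; it must exist in var.project_id and hold the roles the service needs (run.serviceAgent, monitoring.metricWriter, storage.objectUser on var.bucket, secretmanager.secretAccessor, spanner.databaseUser on the log and dedup DBs).` would make the contract explicit, and resolving the account through `data "google_service_account"` with `account_id = local.cloudrun_service_account_id` and `project = var.project_id`, then referencing its `.email` in `service_account`, would surface a missing or misnamed account at plan time instead of at deploy. Separately, if the removed `google_service_account` resource was applied previously, dropping it from the configuration will presumably have Terraform destroy the account on the next apply unless it is first removed from state, which is worth calling out in the commit description. The enclosing `google_cloud_run_v2_service` block starts before and ends after the second hunk.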