Verified Commit cd06fcb0 authored by Cindy Pallares's avatar Cindy Pallares 👽

Create service account for packer and caching

Creates two new service accounts:

  * packer-runner with "iam.serviceAccountUser" and "instanceAdmin.v1" roles
  * runner-cache with "storage.objectAdmin"

Removes the previously added permissions
parent 6a64eedd
......@@ -73,9 +73,31 @@ resource "google_project_iam_member" "runner-manager" {
member = "serviceAccount:${google_service_account.runner-manager.email}"
}
resource "google_project_iam_member" "iam-serviceAccountUser" {
resource "google_service_account" "packer-runner" {
account_id = "packer-runner"
display_name = "Packer Runner Account"
description = "Service account used by packer running in a linux runner to create Window images"
}
resource "google_project_iam_member" "iam-service-account-user" {
role = "roles/iam.serviceAccountUser"
member = "serviceAccount:${google_service_account.runner-manager.email}"
member = "serviceAccount:${google_service_account.packer-runner.email}"
}
resource "google_project_iam_member" "compute-instance-admin" {
role = "roles/compute.instanceAdmin.v1"
member = "serviceAccount:${google_service_account.packer-runner.email}"
}
resource "google_service_account" "runner-cache" {
account_id = "runner-cache"
display_name = "Access to GCS for Windows runners cache"
description = "Service account used by the runner managers for distributed cache"
}
resource "google_project_iam_member" "storage-object-admin" {
role = "roles/storage.objectAdmin"
member = "serviceAccount:${google_service_account.runner-cache.email}"
}
##################################
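Review bot: The `roles/iam.serviceAccountUser` binding in `iam-service-account-user` is a project-level `google_project_iam_member`, so packer-runner may attach any service account in the project to the instances it creates through `compute-instance-admin`, not only the one packer needs; binding at the account level with `google_service_account_iam_member` on the specific target account would limit that. The same scoping applies to `storage-object-admin`: `roles/storage.objectAdmin` at project scope covers every bucket, where a `google_storage_bucket_iam_member` on the cache bucket would suffice. The description on `packer-runner` reads `"Window images"`, presumably `"Windows images"`. The `runner-manager` binding at the top of the hunk starts outside it.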
......@@ -99,7 +121,7 @@ module "runner" {
project = var.project
public_ports = []
region = var.region
service_account_email = var.service_account_email
service_account_email = google_service_account.packer-runner.email
service_port = 22
source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v3.0.0"
tier = "inf"
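Review bot: With `service_account_email` now hard-wired to `google_service_account.packer-runner.email`, the `var.service_account_email` input this line replaced is presumably left declared but unused; if nothing else references it, its `variable` block belongs in the same change. Because the runner instance itself now runs under the packer-runner identity, the project-level bindings granted to that account in the first file become reachable from whatever executes on that host, so a short comment on this line would help the next reader, e.g. `# instance identity is packer-runner (instanceAdmin.v1 + serviceAccountUser, see iam bindings)`. The `module "runner"` block starts before the hunk and appears to continue past it.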
......@@ -72,14 +72,11 @@ variable "runner_manager_role_permissions" {
"compute.instances.create",
"compute.instances.delete",
"compute.instances.get",
"compute.instances.setServiceAccount",
"compute.instances.getSerialPortOutput",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.machineTypes.get",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.zones.get",
"compute.zoneOperations.get",
"storage.buckets.get",
"storage.objects.get",