fix(deploy): ensure build_sa iams are set before it can be used

Fixes possible race condition in cloud functions deployment where the function build started before the build_sa had all its IAMs bound.
cloudspannerecosystem · Sep 26, 2024 · 66d63b3 · 66d63b3
1 parent fe84d5c
commit 66d63b3
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/terraform/modules/autoscaler-base/outputs.tf b/terraform/modules/autoscaler-base/outputs.tf
@@ -17,10 +17,18 @@
 output "build_sa_id" {
   value       = google_service_account.build_sa.id
   description = "Service account ID for Builder SA"
-  depends_on = [ google_project_iam_binding.build_iam ]
+  depends_on = [
+    google_project_iam_binding.build_iam["roles/storage.objectViewer"],
+    google_project_iam_binding.build_iam["roles/logging.logWriter"],
+    google_project_iam_binding.build_iam["roles/artifactregistry.writer"]
+  ]
 }
 output "build_sa_email" {
   value       = google_service_account.build_sa.email
   description = "Service account email for Builder SA"
-  depends_on = [ google_project_iam_binding.build_iam ]
+  depends_on = [
+    google_project_iam_binding.build_iam["roles/storage.objectViewer"],
+    google_project_iam_binding.build_iam["roles/logging.logWriter"],
+    google_project_iam_binding.build_iam["roles/artifactregistry.writer"]
+  ]
 }