# Service account used to delegate permission for a DNS zone via IAM.
# Only the identity is declared here: its permissions come from the custom
# role bound further down in this file, and its credential from the
# google_service_account_key resource at the bottom.
# NOTE(review): account_id is subject to GCP naming constraints
# (length/charset) — confirm local.resource_name satisfies them, since the
# error only surfaces at apply time.
resource "google_service_account" "delegator" {
  display_name = format("%s service account", local.resource_name)
  account_id   = local.resource_name
}
# Project-level custom role carrying the permissions a record-management
# client needs: submit change sets, full CRUD on resource record sets, and
# read-only access to managed zones.
# Security note: this set includes dns.resourceRecordSets.delete and
# .update, so whoever holds the role can rewrite or remove ANY record in
# every zone the role is bound on — keep the binding as narrow as possible
# and do not extend this role with dns.managedZones.* write permissions.
# Hyphens in local.resource_name are rewritten to underscores for role_id
# (presumably because role_id rejects hyphens); title/description keep the
# original name.
resource "google_project_iam_custom_role" "dns-delegator" {
  role_id     = "dns_delegator_${replace(local.resource_name, "-", "_")}"
  title       = "DNS delegator ${local.resource_name}"
  description = "DNS delegator for ${local.resource_name}"
  permissions = [
    # change sets (the unit of write in Cloud DNS)
    "dns.changes.create",
    "dns.changes.get",
    # record sets: full create/read/update/delete
    "dns.resourceRecordSets.create",
    "dns.resourceRecordSets.delete",
    "dns.resourceRecordSets.get",
    "dns.resourceRecordSets.list",
    "dns.resourceRecordSets.update",
    # managed zones: read-only
    "dns.managedZones.get",
    "dns.managedZones.list",
  ]
}
# Grants the custom role to the delegator service account at PROJECT scope.
# Security note: a project-level binding lets the SA edit record sets in
# every managed zone of the project, not only the zone being delegated.
# If a single zone is intended, prefer a zone-scoped binding
# (google_dns_managed_zone_iam_member, where the provider version supports
# it) so a leaked key cannot touch unrelated zones.
# google_project_iam_member is additive: it does not disturb other members
# already holding the same role.
resource "google_project_iam_member" "dns-delegator" {
  project = data.google_project.this.project_id
  member  = "serviceAccount:${google_service_account.delegator.email}"
  role    = google_project_iam_custom_role.dns-delegator.id
}
# Long-lived, user-managed key for the delegator service account.
# Security note: the provider exposes the generated private key through the
# resource's private_key attribute, which is persisted in Terraform state —
# the state backend must therefore be treated as a secret store (encrypted at
# rest, access-restricted, no plaintext copies in CI logs). The key has no
# expiry and is not rotated by this configuration; rotation means tainting
# or recreating this resource. Where the consumer supports it, prefer
# Workload Identity Federation / short-lived tokens over a static key.
resource "google_service_account_key" "delegator" {
  service_account_id = google_service_account.delegator.name
}