From 2c4524321caeac3b81b0a1772f75f106f613e24b Mon Sep 17 00:00:00 2001
From: Dipo Ajayi
Date: Wed, 8 May 2024 17:17:42 +0100
Subject: [PATCH] updated storage permission scope
---
 iam.tf | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/iam.tf b/iam.tf
index ee28f00..5df5f48 100644
--- a/iam.tf
+++ b/iam.tf
@@ -21,20 +21,6 @@ resource "google_project_iam_custom_role" "artifact_registry_tfy_role" {
 ]
 }
-resource "google_project_iam_custom_role" "gcs_tfy_role" {
- count = var.feature_blob_storage_enabled ? 1 : 0
- role_id = replace("${local.trufoundry_platform_resources}_gcs_tfy_role", "-", "_")
- title = "GCS TFY Role"
- description = "Role to manage GCS buckets starting with tfy"
- permissions = [
- "storage.buckets.get",
- "storage.buckets.create",
- "storage.buckets.delete",
- "storage.buckets.update",
- ]
-}
-
 resource "google_project_iam_member" "artifact_registry_role_binding" {
 count = var.feature_docker_registry_enabled ? 1 : 0
 project = var.project
@@ -66,12 +52,12 @@ resource "google_project_iam_member" "gcs_role_binding" {
 count = var.feature_blob_storage_enabled ? 1 : 0
 project = var.project
- role = google_project_iam_custom_role.gcs_tfy_role[0].name
+ role = "roles/storage.objectAdmin"
 member = module.service_accounts.iam_email
 condition {
 title = "Restrict to tfy storage buckets"
 description = "Allows access to buckets that start with 'tfy'"
- expression = "resource.name.startsWith('projects/${var.project}/buckets/tfy')"
+ expression = "resource.name.startsWith('tfy')"
 }
 }
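Review bot: The new condition `resource.name.startsWith('tfy')` in the gcs_role_binding hunk can never be true, because the `resource.name` attribute that IAM conditions evaluate for Cloud Storage is the full resource name (`projects/_/buckets/BUCKET` for buckets and `projects/_/buckets/BUCKET/objects/OBJECT` for objects), never the bare bucket name, so this binding effectively grants the service account nothing and the bucket-prefix scoping is untested rather than enforced. The removed expression was also wrong for a different reason: Cloud Storage resource names use the literal `_` placeholder, not the project id, so `projects/${var.project}/buckets/tfy` would not have matched either. The intended scoping is `expression = "resource.name.startsWith('projects/_/buckets/tfy')"`, which covers both the buckets and the objects inside them that `roles/storage.objectAdmin` operates on; consider adding a `resource.type` check (`storage.googleapis.com/Bucket` / `storage.googleapis.com/Object`) so the prefix match cannot be satisfied by an unrelated resource type. Separately, the custom role being deleted granted `storage.buckets.create`/`delete`/`update`, which objectAdmin does not appear to include, and bucket creation is a project-level operation that a bucket-name prefix condition cannot scope anyway, so if this service account is still expected to create `tfy*` buckets that capability is silently lost and needs a separate, deliberately reviewed grant.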