diff --git a/iam.tf b/iam.tf
index 528e594..3c45e17 100644
--- a/iam.tf
+++ b/iam.tf
@@ -54,6 +54,31 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_gcs_buck
 ]
 }
 
+// cluster integration role
+resource "google_project_iam_custom_role" "truefoundry_platform_feature_cluster_integration_role" {
+count = var.feature_cluster_integration_enabled ? 1 : 0
+
+role_id = replace("${local.trufoundry_platform_resources}_cluster_integration_tfy_role", "-", "_")
+title = replace("${local.trufoundry_platform_resources}_cluster_integration_tfy_role", "-", "_")
+description = "TrueFoundry platform feature role to view GKE cluster"
+permissions = [
+"container.clusters.get",
+"container.clusters.list",
+"container.nodes.get",
+"container.nodes.getStatus",
+"container.nodes.list",
+"resourcemanager.projects.get",
+]
+}
+
+resource "google_project_iam_member" "truefoundry_platform_feature_cluster_integration_role_binding" {
+count = var.feature_cluster_integration_enabled ? 1 : 0
+
+project = var.project
+role = google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role[count.index].id
+member = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+}
+
 // custom role binding with condition for secret manager role
 resource "google_project_iam_member" "truefoundry_platform_feature_secret_manager_role_binding" {
 count = var.feature_secrets_enabled ? 1 : 0
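Review bot: The new custom role's permission list keeps only cluster and node reads plus `resourcemanager.projects.get`, while the second hunk removes the predefined `roles/container.viewer` binding, which also covers read access to in-cluster resources such as pods and deployments; if any part of the cluster integration still reads workloads through this service account via the Google API, it will lose that access after this change, so the permission set should be confirmed against what the integration actually calls. The narrowing itself is the right direction for least privilege, and the role ids derived from `local.trufoundry_platform_resources` appear to match the other custom roles in this file. The binding resource is the only one in this file without a leading `//` comment; for consistency with its siblings add `// custom role binding for cluster integration role` above it. Since the role and the binding are both gated on the same `count`, toggling `feature_cluster_integration_enabled` off deletes the custom role, and GCP custom roles are soft-deleted for a period before the id can be reused — this is presumably handled by the provider, but worth a comment on the role resource.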
@@ -102,24 +127,6 @@ resource "google_project_iam_member" "truefoundry_platform_feature_artifact_regi
 member = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
-// role binding container cluster viewer role to service account
-resource "google_project_iam_member" "truefoundry_platform_feature_container_cluster_viewer_role_binding" {
-count = var.feature_cluster_integration_enabled ? 1 : 0
-
-project = var.project
-role = "roles/container.clusterViewer"
-member = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
-}
-
-// role binding container viewer role to service account
-resource "google_project_iam_member" "truefoundry_platform_feature_container_viewer_role_binding" {
-count = var.feature_cluster_integration_enabled ? 1 : 0
-
-project = var.project
-role = "roles/container.viewer"
-member = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
-}
-
 // service account key
 resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
 service_account_id = google_service_account.truefoundry_platform_feature_service_account.id
diff --git a/versions.tf b/versions.tf
index fa38149..2d320eb 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
-version = "4.81.0"
+version = "4.85.0"
 }
 }
 }
\ No newline at end of file