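locals {
  # Every binding in this file is granted to each entry of this list: the Tamr
  # service account first, followed by whatever the caller passes in
  # var.additional_users (entries are expected to already carry their
  # "user:" / "group:" / "serviceAccount:" prefix, as the first one does).
  #
  # distinct() removes repeats so that a caller who also lists the Tamr account
  # in var.additional_users does not end up with two google_project_iam_member
  # resources for the same (project, role, member) — two such resources fight
  # over a single binding and destroying one silently revokes the other.
  #
  # NOTE(review): the consumers below index this list with count.index, so
  # removing an entry from the middle shifts every later index and re-creates
  # those bindings on the next apply. for_each keyed on the member string would
  # avoid that, but changes resource addresses and needs `moved` blocks.
  users = distinct(concat(
    ["serviceAccount:${var.tamr_service_account}"],
    var.additional_users
  ))
}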
# stackdriver
# Cloud Logging write access for every member in local.users, created only when
# the monitoring permissions toggle is on.
resource "google_project_iam_member" "log_writer" {
  # NOTE(review): `== true` only behaves as intended if
  # var.enabled_monitoring_perms is declared `type = bool`; a string variable
  # would compare unequal to the boolean and yield zero bindings. Confirm in
  # variables.tf.
  count   = var.enabled_monitoring_perms == true ? length(local.users) : 0
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = local.users[count.index]
}
# Cloud Monitoring metric write access, paired with log_writer above and gated
# by the same var.enabled_monitoring_perms toggle.
resource "google_project_iam_member" "metric_writer" {
  count   = var.enabled_monitoring_perms == true ? length(local.users) : 0
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = local.users[count.index]
}
# dataproc
# Dataproc worker role for every member in local.users. Unlike the monitoring
# bindings this one is unconditional.
resource "google_project_iam_member" "dataproc_worker" {
  count   = length(local.users)
  project = var.project_id
  role    = "roles/dataproc.worker"
  member  = local.users[count.index]
}
# Full Dataproc administration (cluster and job lifecycle) for every member in
# local.users, always created.
resource "google_project_iam_member" "dataproc_admin" {
  count   = length(local.users)
  project = var.project_id
  role    = "roles/dataproc.admin"
  member  = local.users[count.index]
}
# NOTE: this is needed to run dataproc jobs
# Project-wide Compute instance administration, granted unconditionally because
# the Dataproc jobs need to manage their cluster VMs.
#
# NOTE(review): together with the project-level roles/iam.serviceAccountUser
# granted below, this lets any member create a VM that runs as any service
# account in the project and thereby inherit that account's permissions. If the
# intent is only to manage Dataproc-created instances, consider narrowing the
# serviceAccountUser grant to the specific SA(s) the clusters run as.
resource "google_project_iam_member" "compute_admin" {
  count   = length(local.users)
  project = var.project_id
  role    = "roles/compute.instanceAdmin.v1"
  member  = local.users[count.index]
}
# Lets every member in local.users act as (impersonate / attach) *every* service
# account in the project. The tfsec finding is suppressed rather than resolved.
#
# NOTE(review): project-level serviceAccountUser is the broadest form of this
# grant. If the members only need to run Dataproc clusters under a known service
# account, a google_service_account_iam_member binding on that account alone
# would satisfy the requirement without suppressing the tfsec check.
#tfsec:ignore:google-iam-no-project-level-service-account-impersonation
resource "google_project_iam_member" "service_account_user" {
  count   = length(local.users)
  project = var.project_id
  role    = "roles/iam.serviceAccountUser"
  member  = local.users[count.index]
}
# big query
# BigQuery data editor for every member in local.users, only when the BigQuery
# permissions toggle is on.
#
# NOTE(review): bq_dataOwner below grants roles/bigquery.dataOwner to the same
# members under the same condition; per the GCP role reference dataOwner is a
# superset of dataEditor, so this binding appears redundant — confirm before
# dropping it, since removing the resource revokes the binding on apply.
resource "google_project_iam_member" "bq_dataEditor" {
  count   = var.enabled_bigquery_perms == true ? length(local.users) : 0
  project = var.project_id
  role    = "roles/bigquery.dataEditor"
  member  = local.users[count.index]
}
# BigQuery data owner (read/write plus dataset and table ACL management) for
# every member in local.users, gated by var.enabled_bigquery_perms.
resource "google_project_iam_member" "bq_dataOwner" {
  # NOTE(review): same `== true` caveat as the monitoring toggles — assumes the
  # variable is typed bool.
  count   = var.enabled_bigquery_perms == true ? length(local.users) : 0
  project = var.project_id
  role    = "roles/bigquery.dataOwner"
  member  = local.users[count.index]
}
# BigQuery user role (job execution and dataset listing) for every member in
# local.users, gated by var.enabled_bigquery_perms.
resource "google_project_iam_member" "bq_user" {
  count   = var.enabled_bigquery_perms == true ? length(local.users) : 0
  project = var.project_id
  role    = "roles/bigquery.user"
  member  = local.users[count.index]
}
# cloud sql
# Cloud SQL administration for every member in local.users, always created.
#
# NOTE(review): roles/cloudsql.admin covers instance deletion and user/password
# management across every Cloud SQL instance in the project. If the members only
# need to connect (e.g. via the Cloud SQL proxy), roles/cloudsql.client is the
# narrower choice — confirm what the Tamr deployment actually requires.
resource "google_project_iam_member" "cloud_sql_admin" {
  count   = length(local.users)
  project = var.project_id
  role    = "roles/cloudsql.admin"
  member  = element(local.users, count.index)
}