fix: UI service invoker to work with IAP (#207)

abcxyz · Mar 8, 2023 · 82f0e7e · 82f0e7e
1 parent 716a006
commit 82f0e7e
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/terraform/e2e/iap.tf b/terraform/e2e/iap.tf
@@ -38,3 +38,18 @@ resource "google_iap_web_iam_member" "member" {
   member  = each.key
   role    = "roles/iap.httpsResourceAccessor"
 }
+
+# Allow allUsers to invoke the UI. This is safe because the service is behind
+# GCLB + IAP and only allows internal + load balancer ingress.
+#
+# Per https://cloud.google.com/iap/docs/enabling-cloud-run#known_limitations,
+# Cloud Run must have allUsers as the invoker to be fronted by IAP. Once IAP for
+# Cloud Run is GA, we should change this to grant the IAP SA permission to
+# invoke the Cloud Run service.
+resource "google_cloud_run_service_iam_member" "iap_invoker" {
+  location = var.region
+  project  = var.project_id
+  service  = module.jvs_services.jvs_ui_service_name
+  role     = "roles/run.invoker"
+  member   = "allUsers"
+}