data.tf
data "google_storage_bucket" "state_bucket" {
name = local.state_bucket_name
}
data "google_iam_policy" "github_actions_plan_sa_bindings" {
// Allow the plan identity to act as the service account
binding {
role = "roles/iam.workloadIdentityUser"
members = [local.github_actions_plan_identity]
}
// Allow the apply account to administer the service account
binding {
role = "roles/iam.serviceAccountAdmin"
members = [google_service_account.github_actions_apply.member]
}
}
data "google_iam_policy" "github_actions_apply_sa_bindings" {
// Allow the apply identity to act as the service account
binding {
role = "roles/iam.workloadIdentityUser"
members = [local.github_actions_apply_identity]
}
binding {
role = "roles/iam.serviceAccountTokenCreator"
members = [local.github_actions_apply_identity]
}
}
data "google_iam_policy" "state_bucket" {
// Plan action service account state bucket binding
binding {
role = "roles/storage.objectUser"
members = [
google_service_account.github_actions_plan.member,
google_service_account.github_actions_apply.member
]
}
}