Merge pull request dora-team#107 from GoogleCloudPlatform/davidstanke…

…/issue104 TF: Use a custom svc acct for Cloud Run Fixes dora-team#104
mammutmw · Apr 13, 2021 · 0d84a4a · 0d84a4a
2 parents d558f69 + 633c92e
commit 0d84a4a
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 16 deletions.
diff --git a/experimental/terraform/cloud_run_service/main.tf b/experimental/terraform/cloud_run_service/main.tf
@@ -28,6 +28,7 @@ resource "google_cloud_run_service" "cloud_run_service" {
           value = var.google_project_id
         }
       }
+      service_account_name = var.service_account
     }
   }
 

diff --git a/experimental/terraform/cloud_run_service/variables.tf b/experimental/terraform/cloud_run_service/variables.tf
@@ -8,4 +8,8 @@ variable "google_region" {
 
 variable "service_name" {
   type = string
+}
+
+variable "service_account" {
+  type = string
 }
diff --git a/experimental/terraform/main.tf b/experimental/terraform/main.tf
@@ -14,17 +14,12 @@ resource "google_project_service" "sm_api" {
   service = "secretmanager.googleapis.com"
 }
 
-# needed in order to fetch the default GCE service account
-# TODO: is there a cleaner way to get this?
-resource "google_project_service" "gce_api" {
-  service = "compute.googleapis.com"
-}
-
 module "event_handler_service" {
   source            = "./cloud_run_service"
   google_project_id = var.google_project_id
   google_region     = var.google_region
   service_name      = "event-handler"
+  service_account   = google_service_account.event_handler_service_account.email
 
   depends_on = [
     google_project_service.run_api,
@@ -59,16 +54,17 @@ resource "google_secret_manager_secret" "event-handler-secret" {
 }
 
 resource "google_secret_manager_secret_version" "event-handler-secret-version" {
-  secret = google_secret_manager_secret.event-handler-secret.id
+  secret      = google_secret_manager_secret.event-handler-secret.id
   secret_data = random_id.event-handler-random-value.hex
 }
 
-data "google_compute_default_service_account" "default" {
-  depends_on = [google_project_service.gce_api]
+resource "google_service_account" "event_handler_service_account" {
+  account_id   = "event-handler"
+  display_name = "Service Account for Event Handler Cloud Run Service"
 }
 
 resource "google_secret_manager_secret_iam_member" "event-handler" {
   secret_id = google_secret_manager_secret.event-handler-secret.id
-  role = "roles/secretmanager.secretAccessor"
-  member = "serviceAccount:${data.google_compute_default_service_account.default.email}"
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.event_handler_service_account.email}"
 }
diff --git a/experimental/terraform/outputs.tf b/experimental/terraform/outputs.tf
@@ -3,10 +3,6 @@ output "event-handler-endpoint" {
 }
 
 output "event-handler-secret" {
-  value = google_secret_manager_secret_version.event-handler-secret-version.secret_data
+  value     = google_secret_manager_secret_version.event-handler-secret-version.secret_data
   sensitive = true
-}
-
-output "run-service-account" {
-  value = data.google_compute_default_service_account.default.email
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,7 @@ resource "google_cloud_run_service" "cloud_run_service" { @@
               value = var.google_project_id
             }
           }
+          service_account_name = var.service_account
         }
       }
@@ Expand Down @@