fix(tf): don't use default service accounts in eventarc

cloudspannerecosystem · Oct 25, 2024 · d20dfa3 · d20dfa3
1 parent 5c6f0a9
commit d20dfa3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 20 deletions.
diff --git a/terraform/modules/autoscaler-functions/main.tf b/terraform/modules/autoscaler-functions/main.tf
@@ -24,10 +24,6 @@ data "google_project" "project" {
 
 }
 
-locals {
-  eventarc_sa = "${data.google_project.project.number}[email protected]"
-}
-
 // PubSub
 
 resource "google_pubsub_topic" "poller_topic" {
@@ -129,9 +125,10 @@ resource "google_cloudfunctions2_function" "poller_function" {
   }
 
   event_trigger {
-    event_type   = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic = google_pubsub_topic.poller_topic.id
-    retry_policy = "RETRY_POLICY_RETRY"
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.poller_topic.id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = var.poller_sa_email
   }
 
   lifecycle {
@@ -165,9 +162,10 @@ resource "google_cloudfunctions2_function" "scaler_function" {
   }
 
   event_trigger {
-    event_type   = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic = google_pubsub_topic.scaler_topic.id
-    retry_policy = "RETRY_POLICY_RETRY"
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.scaler_topic.id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = var.scaler_sa_email
   }
 
   lifecycle {
@@ -182,13 +180,13 @@ resource "google_cloud_run_service_iam_member" "cloud_run_poller_invoker" {
   location = google_cloudfunctions2_function.poller_function.location
   service  = google_cloudfunctions2_function.poller_function.name
   role     = "roles/run.invoker"
-  member   = "serviceAccount:${local.eventarc_sa}"
+  member   = "serviceAccount:${var.poller_sa_email}"
 }
 
 resource "google_cloud_run_service_iam_member" "cloud_run_scaler_invoker" {
   project  = google_cloudfunctions2_function.scaler_function.project
   location = google_cloudfunctions2_function.scaler_function.location
   service  = google_cloudfunctions2_function.scaler_function.name
   role     = "roles/run.invoker"
-  member   = "serviceAccount:${local.eventarc_sa}"
+  member   = "serviceAccount:${var.scaler_sa_email}"
 }
diff --git a/terraform/modules/forwarder/main.tf b/terraform/modules/forwarder/main.tf
@@ -21,10 +21,6 @@ data "google_project" "project" {
 
 }
 
-locals {
-  eventarc_sa = "${data.google_project.project.number}[email protected]"
-}
-
 resource "google_service_account" "build_sa" {
   project      = var.project_id
   account_id   = "build-sa"
@@ -125,9 +121,10 @@ resource "google_cloudfunctions2_function" "forwarder_function" {
   }
 
   event_trigger {
-    event_type   = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic = google_pubsub_topic.forwarder_topic.id
-    retry_policy = "RETRY_POLICY_RETRY"
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.forwarder_topic.id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = google_service_account.forwarder_sa.email
   }
 
   depends_on = [
@@ -141,5 +138,5 @@ resource "google_cloud_run_service_iam_member" "cloud_run_forwarder_invoker" {
   location = google_cloudfunctions2_function.forwarder_function.location
   service  = google_cloudfunctions2_function.forwarder_function.name
   role     = "roles/run.invoker"
-  member   = "serviceAccount:${local.eventarc_sa}"
+  member   = google_service_account.forwarder_sa.member
 }