From 5048e4a7296a5fea7f7624ef0df068a53572bc9a Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Wed, 20 May 2026 15:14:28 -0500
Subject: [PATCH 1/2] Add SAs and IAM bindings for USDF, Cloud Run, and Dataflow service accounts.

---
 environment/deployments/ppdb/sa.tf | 159 +++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 environment/deployments/ppdb/sa.tf

diff --git a/environment/deployments/ppdb/sa.tf b/environment/deployments/ppdb/sa.tf
new file mode 100644
index 00000000..8177d388
--- /dev/null
+++ b/environment/deployments/ppdb/sa.tf
@@ -0,0 +1,159 @@
+# USDF Replication Service Account
+
+resource "google_service_account" "usdf_replication" {
+ account_id = "usdf-replication"
+ display_name = "Terraform-managed service account for USDF Replication"
+ project = module.project_factory.project_id
+}
+
+resource "google_pubsub_topic_iam_member" "usdf_replication_stage_chunk_topic" {
+ topic = google_pubsub_topic.stage_chunk_topic.id
+ role = "roles/pubsub.publisher"
+ member = "serviceAccount:${google_service_account.usdf_replication.email}"
+ project = module.project_factory.project_id
+}
+
+resource "google_project_iam_member" "usdf_replication_cloudsql_client" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.client"
+ member = "serviceAccount:${google_service_account.usdf_replication.email}"
+}
+
+resource "google_project_iam_member" "usdf_replication_cloudsql_instance_user" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.instanceUser"
+ member = "serviceAccount:${google_service_account.usdf_replication.email}"
+}
+
+resource "google_storage_bucket_iam_member" "usdf_replication_gcs" {
+ bucket = google_storage_bucket.ingest.name
+ role = "roles/storage.objectUser"
+ member = "serviceAccount:${google_service_account.usdf_replication.email}"
+}
+
+# Dataflow Service Account
+
+resource "google_service_account" "dataflow_stage_chunk" {
+ account_id = "dataflow-stage-chunk"
+ display_name = "Terraform-managed service account for dataflow stage chunk"
+ project = module.project_factory.project_id
+}
+
+resource "google_pubsub_topic_iam_member" "dataflow_stage_chunk_stage_chunk_topic" {
+ topic = google_pubsub_topic.stage_chunk_topic.id
+ role = "roles/pubsub.subscriber"
+ member = "serviceAccount:${google_service_account.dataflow_stage_chunk.email}"
+ project = module.project_factory.project_id
+}
+
+resource "google_pubsub_topic_iam_member" "dataflow_track_chunk_track_chunk_topic" {
+ topic = google_pubsub_topic.track_chunk_topic.id
+ role = "roles/pubsub.publisher"
+ member = "serviceAccount:${google_service_account.dataflow_stage_chunk.email}"
+ project = module.project_factory.project_id
+}
+
+resource "google_project_iam_member" "dataflow_stage_chunks_dataflow_worker" {
+ project = module.project_factory.project_id
+ role = "roles/dataflow.worker"
+ member = "serviceAccount:${google_service_account.dataflow_stage_chunk.email}"
+}
+
+resource "google_project_iam_member" "dataflow_stage_chunks_logging_writer" {
+ project = module.project_factory.project_id
+ role = "roles/logging.logWriter"
+ member = "serviceAccount:${google_service_account.dataflow_stage_chunk.email}"
+}
+
+resource "google_storage_bucket_iam_member" "dataflow_stage_chunks_ingest_object_viewer" {
+ bucket = google_storage_bucket.ingest.name
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.dataflow_stage_chunk.email}"
+}
+
+# Cloud Run Trigger Stage Chunk Service Account
+
+resource "google_service_account" "cloudrun_trigger_stage_chunk" {
+ account_id = "cloudrun-trigger-stage-chunk"
+ display_name = "Terraform-managed service account for cloud run trigger stage chunk"
+ project = module.project_factory.project_id
+}
+
+resource "google_project_iam_member" "cloudrun_trigger_stage_chunk_dataflow" {
+ project = module.project_factory.project_id
+ role = "roles/dataflow.developer"
+ member = "serviceAccount:${google_service_account.cloudrun_trigger_stage_chunk.email}"
+}
+
+resource "google_pubsub_topic_iam_member" "cloudrun_trigger_stage_chunk_sa_stage_chunk_topic" {
+ topic = google_pubsub_topic.stage_chunk_topic.id
+ role = "roles/pubsub.subscriber"
+ member = "serviceAccount:${google_service_account.cloudrun_trigger_stage_chunk.email}"
+ project = module.project_factory.project_id
+}
+
+# Cloud Run Promote Chunks Service Account
+
+resource "google_service_account" "cloudrun_promote_chunks" {
+ account_id = "cloudrun-promote-chunks"
+ display_name = "Terraform-managed service account for Cloud Run to promote chunks"
+ project = module.project_factory.project_id
+}
+
+resource "google_storage_bucket_iam_member" "cloudrun_promote_chunks_ingest_object_viewer" {
+ bucket = google_storage_bucket.ingest.name
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cloudrun_promote_chunks.email}"
+}
+
+resource "google_bigquery_dataset_access" "cloudrun_promote_chunks_staging_dataset_editor" {
+ dataset_id = google_bigquery_dataset.ppdb_staging.dataset_id
+ role = "roles/bigquery.dataEditor"
+ iam_member = "serviceAccount:${google_service_account.cloudrun_promote_chunks.email}"
+ project = module.project_factory.project_id
+}
+
+resource "google_project_iam_member" "cloudrun_promote_chunks_bq_job_user" {
+ project = module.project_factory.project_id
+ role = "roles/bigquery.jobUser"
+ member = "serviceAccount:${google_service_account.cloudrun_promote_chunks.email}"
+}
+
+resource "google_project_iam_member" "cloudrun_promote_chunks_sql_client" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.client"
+ member = "serviceAccount:${google_service_account.cloudrun_promote_chunks.email}"
+}
+
+resource "google_project_iam_member" "cloudrun_promote_chunks_sql_instance_user" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.instanceUser"
+ member = "serviceAccount:${google_service_account.cloudrun_promote_chunks.email}"
+}
+
+# Cloud Run Track Chunks Service Account
+
+resource "google_service_account" "cloudrun_track_chunks" {
+ account_id = "cloudrun-track-chunks"
+ display_name = "Terraform-managed service account for Cloud Run to track chunks"
+ project = module.project_factory.project_id
+}
+
+resource "google_project_iam_member" "cloudrun_track_chunks_sql_client" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.client"
+ member = "serviceAccount:${google_service_account.cloudrun_track_chunks.email}"
+}
+
+resource "google_project_iam_member" "cloudrun_track_chunks_sql_instance_user" {
+ project = module.project_factory.project_id
+ role = "roles/cloudsql.instanceUser"
+ member = "serviceAccount:${google_service_account.cloudrun_track_chunks.email}"
+}
+
+resource "google_pubsub_topic_iam_member" "cloudrun_trigger_stage_chunk_stage_chunk_topic" {
+ topic = google_pubsub_topic.track_chunk_topic.id
+ role = "roles/pubsub.subscriber"
+ member = "serviceAccount:${google_service_account.cloudrun_track_chunks.email}"
+ project = module.project_factory.project_id
+}
\ No newline at end of file

From 145191c0d91b00be7de7da20755a42598fb02860 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Fri, 22 May 2026 14:39:18 -0500
Subject: [PATCH 2/2] Increase serial to run GHA.

---
 environment/deployments/ppdb/env/dev.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/environment/deployments/ppdb/env/dev.tfvars b/environment/deployments/ppdb/env/dev.tfvars
index a7652f2c..aff92cd5 100644
--- a/environment/deployments/ppdb/env/dev.tfvars
+++ b/environment/deployments/ppdb/env/dev.tfvars
@@ -57,4 +57,4 @@ activate_apis = [
 # force Terraform to update this environment. You may need to do this if you
 # changed .tf files in this environment, or if you changed any modules that
 # this environment uses, but you didn't change any variables in this file.
-# Serial: 3
+# Serial: 4
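Review bot: `roles/pubsub.subscriber` is granted on topics in `dataflow_stage_chunk_stage_chunk_topic`, `cloudrun_trigger_stage_chunk_sa_stage_chunk_topic` and the final block, but consuming and acking messages is authorized on the subscription (`pubsub.subscriptions.consume`), not the topic, so unless a subscription-level binding exists elsewhere these consumers will be denied at pull time; a `google_pubsub_subscription_iam_member` on the specific subscription is also the tighter scope. The final block is misnamed as well: it binds `cloudrun_track_chunks` on `track_chunk_topic` yet is called `cloudrun_trigger_stage_chunk_stage_chunk_topic`, which reads as a duplicate of the trigger SA's binding; rename it `cloudrun_track_chunks_track_chunk_topic`. Separately, `cloudrun_trigger_stage_chunk` receives project-wide `roles/dataflow.developer` but nothing here grants it `roles/iam.serviceAccountUser` on `dataflow_stage_chunk`, which it needs if it launches jobs running as that worker SA; add that as a `google_service_account_iam_member` on the one SA rather than at project level so it cannot act as the other SAs defined in this file. The three SAs given project-level `roles/cloudsql.client` and `roles/cloudsql.instanceUser` can reach every Cloud SQL instance in the project; if ppdb is the only instance, a comment such as `# Cloud SQL IAM is project-scoped; this project holds only the ppdb instance` should record that assumption next to the first such binding.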