diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index 55df972c4..4b0ce549e 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -644,10 +644,19 @@ module "cloud_run" {
         }
       }
     }
+    service_account_email = module.iam-service-account.email
   }
   deletion_protection = false
+  depends_on = [google_project_iam_member.trigger_sa_event_receiver]
 }
-# tftest fixtures=fixtures/gcs.tf inventory=service-eventarc-storage.yaml e2e
+
+resource "google_project_iam_member" "trigger_sa_event_receiver" {
+  member = module.iam-service-account.iam_email
+  project = var.project_id
+  role = "roles/eventarc.eventReceiver"
+}
+
+# tftest fixtures=fixtures/gcs.tf,fixtures/iam-service-account.tf inventory=service-eventarc-storage.yaml e2e
 ```
 
 ### Using custom service accounts for triggers
@@ -675,11 +684,11 @@ module "cloud_run" {
           service = "cloudresourcemanager.googleapis.com"
         }
       }
-      service_account_email = "cloud-run-trigger@my-project.iam.gserviceaccount.com"
+      service_account_email = module.iam-service-account.email
     }
   }
 }
-# tftest inventory=service-eventarc-auditlogs-external-sa.yaml
+# tftest fixtures=fixtures/iam-service-account.tf inventory=service-eventarc-auditlogs-external-sa.yaml e2e
 ```
 
 Example using automatically created service account:
@@ -734,7 +743,7 @@ module "cloud_run" {
   }
   deletion_protection = false
 }
-# tftest modules=2 resources=6 fixtures=fixtures/gcs.tf inventory=service-eventarc-storage-sa-create.yaml e2e
+# tftest fixtures=fixtures/gcs.tf inventory=service-eventarc-storage-sa-create.yaml e2e
 ```
 
 ## Cloud Run Invoker IAM Disable
diff --git a/modules/cloud-run-v2/main.tf b/modules/cloud-run-v2/main.tf
index c17f417ad..f94927519 100644
--- a/modules/cloud-run-v2/main.tf
+++ b/modules/cloud-run-v2/main.tf
@@ -167,6 +167,9 @@ resource "google_eventarc_trigger" "storage_triggers" {
     }
   }
   service_account = local.trigger_sa_email
+  depends_on = [
+    google_project_iam_member.trigger_sa_event_receiver
+  ]
 }
 
 resource "google_service_account" "trigger_service_account" {
@@ -175,3 +178,10 @@ resource "google_service_account" "trigger_service_account" {
   account_id = "tf-cr-trigger-${var.name}"
   display_name = "Terraform trigger for Cloud Run ${var.name}."
 }
+
+resource "google_project_iam_member" "trigger_sa_event_receiver" {
+  count = local.trigger_sa_create ? 1 : 0
+  member = google_service_account.trigger_service_account[0].member
+  project = var.project_id
+  role = "roles/eventarc.eventReceiver"
+}
diff --git a/tests/fixtures/gcs.tf b/tests/fixtures/gcs.tf
index 86309aef6..6c78c6ffa 100644
--- a/tests/fixtures/gcs.tf
+++ b/tests/fixtures/gcs.tf
@@ -17,7 +17,7 @@ module "gcs" {
   project_id = var.project_id
   prefix = var.prefix
   name = "my-bucket"
-  location = "EU"
+  location = var.region
   iam = {
     "roles/storage.admin" = ["serviceAccount:service-${var.project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"]
   }
diff --git a/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-external-sa.yaml b/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-external-sa.yaml
index 4b58ee7dd..00ed77467 100644
--- a/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-external-sa.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-external-sa.yaml
@@ -49,12 +49,12 @@ values:
       value: google.cloud.audit.log.v1.written
     name: audit-log-setiampolicy
     project: project-id
-    service_account: cloud-run-trigger@my-project.iam.gserviceaccount.com
+    service_account: fixture-service-account@project-id.iam.gserviceaccount.com
 
 counts:
   google_cloud_run_v2_service: 1
   google_eventarc_trigger: 1
-  modules: 1
-  resources: 2
+  modules: 2
+  resources: 3
 
 outputs: {}
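Review bot: The new `google_project_iam_member.trigger_sa_event_receiver` exists only when the module creates the trigger service account (`count = local.trigger_sa_create ? 1 : 0`), so a caller that supplies its own `service_account_email` receives no `roles/eventarc.eventReceiver` grant from the module and has to add it by hand, as the README storage example now does; that contract deserves a comment on the resource, e.g. `# Grants the module-created trigger SA roles/eventarc.eventReceiver at project scope; callers that pass their own service account must grant this role themselves.` The `depends_on` in the first hunk is added only to `google_eventarc_trigger.storage_triggers`; if the audit-log and pub/sub trigger resources elsewhere in main.tf (outside this diff) also use `local.trigger_sa_email`, they presumably need the same ordering so a trigger is not created before the role binding. Note also that `depends_on` orders the API calls but IAM propagation is eventually consistent, so a trigger creation that validates the receiver role immediately may still fail on a fresh apply; if that shows up in the e2e runs, a retry or explicit wait after the binding would be the fix.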
diff --git a/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-sa-create.yaml b/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-sa-create.yaml
index bafabe815..f38d3f512 100644
--- a/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-sa-create.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-eventarc-auditlogs-sa-create.yaml
@@ -69,6 +69,6 @@ counts:
   google_eventarc_trigger: 1
   google_service_account: 1
   modules: 1
-  resources: 4
+  resources: 5
 
 outputs: {}
diff --git a/tests/modules/cloud_run_v2/examples/service-eventarc-pubsub-sa-create.yaml b/tests/modules/cloud_run_v2/examples/service-eventarc-pubsub-sa-create.yaml
index 595d01aaf..cf7cc7270 100644
--- a/tests/modules/cloud_run_v2/examples/service-eventarc-pubsub-sa-create.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-eventarc-pubsub-sa-create.yaml
@@ -66,6 +66,6 @@ counts:
   google_eventarc_trigger: 1
   google_service_account: 1
   modules: 2
-  resources: 6
+  resources: 7
 
 outputs: {}
diff --git a/tests/modules/cloud_run_v2/examples/service-eventarc-storage-sa-create.yaml b/tests/modules/cloud_run_v2/examples/service-eventarc-storage-sa-create.yaml
index 6b532fa56..bf19947c4 100644
--- a/tests/modules/cloud_run_v2/examples/service-eventarc-storage-sa-create.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-eventarc-storage-sa-create.yaml
@@ -68,6 +68,6 @@ counts:
   google_eventarc_trigger: 1
   google_service_account: 1
   modules: 2
-  resources: 6
+  resources: 7
 
 outputs: {}
diff --git a/tests/modules/cloud_run_v2/examples/service-eventarc-storage.yaml b/tests/modules/cloud_run_v2/examples/service-eventarc-storage.yaml
index e3da8d02d..3b4522fc2 100644
--- a/tests/modules/cloud_run_v2/examples/service-eventarc-storage.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-eventarc-storage.yaml
@@ -47,12 +47,12 @@ values:
       value: google.cloud.storage.object.v1.finalized
     name: storage-bucket-upload
     project: project-id
-    service_account: null
+    service_account: fixture-service-account@project-id.iam.gserviceaccount.com
 
 counts:
   google_cloud_run_v2_service: 1
   google_eventarc_trigger: 1
-  modules: 2
-  resources: 4
+  modules: 3
+  resources: 6
 
 outputs: {}