# Dedicated identity for the Forgejo VM. Every binding in this file is attached
# to this account, so its permissions are the VM's effective blast radius.
# NOTE(review): presumably this is the service account set on
# google_compute_instance.forgejo (defined elsewhere) — confirm.
resource "google_service_account" "forgejo" {
  account_id   = "forgejo-vm"
  display_name = "Forgejo VM service account"
}
# Read access to exactly the two runtime secrets the VM needs, bound per secret
# rather than granting secretmanager.secretAccessor project-wide.
# NOTE(review): the secret IDs are literals; if the secrets themselves are
# managed in this configuration, referencing those resources here would give
# Terraform the dependency edge — confirm where they are created.
resource "google_secret_manager_secret_iam_member" "forgejo_secrets" {
  for_each = toset([
    "forgejo-secret-key",
    "forgejo-internal-token",
  ])

  project   = var.project_id
  secret_id = each.key # for a set, each.key == each.value
  role      = "roles/secretmanager.secretAccessor"
  member    = format("serviceAccount:%s", google_service_account.forgejo.email)
}
# Lets the VM write its backups into the backups bucket.
# NOTE(review): roles/storage.objectAdmin also permits overwriting and deleting
# objects, so a compromised VM could destroy its own backup history. If the
# backup job only uploads new objects, roles/storage.objectCreator is the
# least-privilege fit; if it must prune old backups, keep objectAdmin but rely
# on bucket versioning/retention as the safety net — confirm which applies.
resource "google_storage_bucket_iam_member" "backups_writer" {
  bucket = google_storage_bucket.backups.name
  role   = "roles/storage.objectAdmin"
  member = format("serviceAccount:%s", google_service_account.forgejo.email)
}
# Lets only the admin open an IAP TCP tunnel to this single instance
# (instance-scoped binding, not the project-wide tunnel role).
# NOTE(review): this only works if SSH is reached through IAP rather than a
# public address, and if a firewall rule admits the IAP forwarding range
# (35.235.240.0/20) on the SSH port — both live outside this file; confirm.
resource "google_iap_tunnel_instance_iam_member" "ssh_admin" {
  project  = var.project_id
  zone     = var.zone
  instance = google_compute_instance.forgejo.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = format("user:%s", var.admin_email)
}
# OS Login for the admin. roles/compute.osLogin grants a non-root shell only;
# sudo would require roles/compute.osAdminLogin, which is deliberately not
# granted here.
# NOTE(review): this is a project-level binding, so it applies to every
# OS Login-enabled instance in the project, not just the Forgejo VM — confirm
# that scope is intended, and that enable-oslogin is set on the instance or
# project metadata (not visible here).
resource "google_project_iam_member" "ssh_os_login" {
  project = var.project_id
  role    = "roles/compute.osLogin"
  member  = format("user:%s", var.admin_email)
}