Atualiza o iam e sa

JJDSNT · JJDSNT · commit 0bcf8c5f1236 · 2025-05-14T12:29:57.000-03:00
diff --git a/infra-base/iam.tf b/infra-base/iam.tf
@@ -16,4 +16,29 @@ resource "google_project_iam_member" "terraform_ci_iam_viewer" {
   project = var.project_id
   role    = "roles/iam.serviceAccountViewer"
   member  = "serviceAccount:${google_service_account.terraform_ci.email}"
-}
+}
+
+# Permissão CI/CD para a service account do Github Actions
+resource "google_project_iam_member" "github_actions_iam_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.github_actions_deploy.email}"
+}
+
+resource "google_project_iam_member" "github_actions_run_admin" {
+  project = var.project_id
+  role    = "roles/run.admin"
+  member  = "serviceAccount:${google_service_account.github_actions_deploy.email}"
+}
+
+resource "google_project_iam_member" "github_actions_oidc_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.github_actions_deploy.email}"
+}
+
+resource "google_project_iam_member" "github_actions_registry_reader" {
+  project = var.project_id
+  role    = "roles/storage.objectViewer" # ou roles/artifactregistry.reader se estiver usando Artifact Registry
+  member  = "serviceAccount:${google_service_account.github_actions_deploy.email}"
+}
diff --git a/infra-base/service-account.tf b/infra-base/service-account.tf
@@ -4,3 +4,9 @@ resource "google_service_account" "terraform_ci" {
   display_name = "Terraform CI/CD"
   description = "Criada pelo módulo infra-base para CI/CD do Terraform"
 }
+
+resource "google_service_account" "github_actions_deploy" {
+  account_id   = "github-actions-deploy"
+  display_name = "GitHub Actions Deploy"
+  description  = "Criada pelo módulo infra-base para CI/CD via GitHub Actions"
+}
