ENH: Give GHA service account permission to access static bucket

cortadocodes · cortadocodes · commit 86b418417e02 · 2025-04-17T12:04:04.000+01:00
diff --git a/README.md b/README.md
@@ -144,14 +144,15 @@ terraform destroy
 
 # Input reference
 
-| Name                           | Type       | Required | Default    |
-|--------------------------------|------------|----------|------------| 
-| `server_service_account_email` | `string`   | Yes      | N/A        |  
-| `google_cloud_project_id`      | `string`   | Yes      | N/A        |  
-| `resource_affix`               | `string`   | Yes      | N/A        |                 
-| `environment`                  | `string`   | No       | `"main"`   |     
-| `create_public_bucket`         | `boolean`  | No       | `false`    |     
-| `deletion_protection`          | `bool`     | No       | `true`     | 
+| Name                                   | Type       | Required | Default    |
+|----------------------------------------|------------|----------|------------| 
+| `server_service_account_email`         | `string`   | Yes      | N/A        |  
+| `github_actions_service_account_email` | `string`   | Yes      | N/A        |  
+| `google_cloud_project_id`              | `string`   | Yes      | N/A        |  
+| `resource_affix`                       | `string`   | Yes      | N/A        |                 
+| `environment`                          | `string`   | No       | `"main"`   |     
+| `create_public_bucket`                 | `boolean`  | No       | `false`    |     
+| `deletion_protection`                  | `bool`     | No       | `true`     | 
 
 See [`variables.tf`](/variables.tf) for descriptions.
 
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-0.1.0
+0.1.1
diff --git a/storage.tf b/storage.tf
@@ -25,11 +25,17 @@ resource "google_storage_bucket_iam_member" "static_assets_object_viewer" {
 }
 
 
-# Allow the server to administer what's on the staging bucket
+# Allow the server to administer what's on the static bucket.
 resource "google_storage_bucket_iam_member" "static_assets_object_admin" {
+  for_each = toset(
+    [
+      "serviceAccount:${var.server_service_account_email}",
+      "serviceAccount:${var.github_actions_service_account_email}"
+    ]
+  )
   bucket = google_storage_bucket.static_assets.name
   role   = "roles/storage.objectAdmin"
-  member = "serviceAccount:${var.server_service_account_email}"
+  member = each.value
 }
 
 
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "server_service_account_email" {
 }
 
 
+variable "github_actions_service_account_email" {
+  type = string
+  description = "The email address of the GitHub Actions service account."
+}
+
+
 variable "google_cloud_project_id" {
   type        = string
   description = "The ID of the GCP project to deploy resources in."
