FEA: Add maintainer_service_account_names input

Author: cortadocodes

iam_roles.tf

@@ -1,67 +1,57 @@
 locals {
-  service_account_emails = toset(
-    [
-      "serviceAccount:${google_service_account.server_service_account.email}",
-    ]
+  server_service_account_email = "serviceAccount:${google_service_account.server_service_account.email}"
+  maintainer_service_account_emails = toset(
+    [for account in google_service_account.maintainers : "serviceAccount:${account.email}"]
   )
+  all_service_account_emails = setunion(toset([local.server_service_account_email]), local.maintainer_service_account_emails)
 }
 
 
 resource "google_project_iam_member" "iam__service_account_user" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/iam.serviceAccountUser"
-  member   = each.value
+  member   = local.server_service_account_email
 }
 
 
-# Allows the GHA to call "namespaces get" for Cloud Run to determine the resulting run URLs of the services.
-# This should also allow a service to get its own name by using:
-#   https://stackoverflow.com/questions/65628822/google-cloud-run-can-a-service-know-its-own-url/65634104#65634104
 resource "google_project_iam_member" "run__developer" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/run.developer"
-  member   = each.value
+  member   = local.server_service_account_email
 }
 
 
 resource "google_project_iam_member" "storage__object_admin" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/storage.objectAdmin"
-  member   = each.value
+  member   = local.server_service_account_email
 }
 
 
 resource "google_project_iam_member" "error_reporting__writer" {
   project = var.google_cloud_project_id
   role    = "roles/errorreporting.writer"
-  member  = "serviceAccount:${google_service_account.server_service_account.email}"
+  member  = local.server_service_account_email
 }
 
 
 resource "google_project_iam_member" "cloudsql__client" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/cloudsql.client"
-  member   = each.value
+  member   = local.server_service_account_email
 }
 
 
-# Ensure superuser developers can connect to, import and export from
-# production/staging databases via cloudsql from terminals
-#   https://cloud.google.com/sql/docs/mysql/iam-roles
-#   https://cloud.google.com/sql/docs/mysql/iam-permissions
-# resource "google_project_iam_member" "cloudsql_superusers" {
-#   project = var.project
-#   role    = "roles/cloudsql.editor"
-#   members = [
-#     local.server_service_accounts["thclark"].member_signature,
-#     local.server_service_accounts["cortadocodes"].member_signature,
-#     local.server_service_accounts["nvnnil"].member_signature
-#   ]
-# }
+# Ensure maintainers can connect to, import and export from production/staging databases via cloudsql from
+# terminals
+#  - https://cloud.google.com/sql/docs/mysql/iam-roles
+#  - https://cloud.google.com/sql/docs/mysql/iam-permissions
+resource "google_project_iam_member" "cloudsql_maintainers" {
+  for_each = local.maintainer_service_account_emails
+  project = var.google_cloud_project_id
+  role    = "roles/cloudsql.editor"
+  member = each.value
+}
 
 
 # TODO REFACTOR REQUEST servers shouldn't be allowed to create and delete queues
@@ -76,17 +66,15 @@ resource "google_project_iam_member" "cloudsql__client" {
 
 # Allow django-gcp.tasks to create periodic tasks in google cloud scheduler
 resource "google_project_iam_member" "cloudscheduler__admin" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/cloudscheduler.admin"
-  member   = each.value
+  member   = local.server_service_account_email
 }
 
 
-# Allow the server to pull
+# Allow the server to pull secrets.
 resource "google_project_iam_member" "secretmanager__secret_accessor" {
-  for_each = local.service_account_emails
   project  = var.google_cloud_project_id
   role     = "roles/secretmanager.secretAccessor"
-  member   = each.value
+  member   = local.server_service_account_email
 }

iam_service_accounts.tf

@@ -4,3 +4,12 @@ resource "google_service_account" "server_service_account" {
   display_name = "${var.resource_affix}--server--${var.environment}"
   project      = var.google_cloud_project_id
 }
+
+
+resource "google_service_account" "maintainers" {
+  for_each     = var.maintainer_service_account_names
+  account_id   = "maintainer-${each.key}"
+  display_name = "maintainer-${each.key}"
+  project      = var.google_cloud_project_id
+  description  = "Allow ${each.key} to access most resources related to Octue Twined services."
+}

secrets.tf

@@ -11,6 +11,6 @@ resource "google_secret_manager_secret_iam_member" "service_account_secret_acces
   for_each   = google_secret_manager_secret.secrets
   secret_id  = each.value.secret_id
   role       = "roles/secretmanager.secretAccessor"
-  member     = "serviceAccount:${google_service_account.server_service_account.email}"
+  member     = local.server_service_account_email
   depends_on = [google_secret_manager_secret.secrets]
 }

tasks.tf

@@ -18,9 +18,8 @@ resource "google_cloud_tasks_queue" "default" {
 
 
 resource "google_cloud_tasks_queue_iam_member" "default_queue_task_create" {
-  for_each = local.service_account_emails
   name     = google_cloud_tasks_queue.default.name
   location = google_cloud_tasks_queue.default.location
   role     = "roles/cloudtasks.enqueuer"
-  member   = each.value
+  member   = local.server_service_account_email
 }

variables.tf

@@ -23,6 +23,13 @@ variable "environment" {
 }
 
 
+variable "maintainer_service_account_names" {
+  type        = set(string)
+  default     = ["default"]
+  description = "The names of each maintainer IAM service account that should be created. They'll automatically be prefixed with 'maintainer-'."
+}
+
+
 variable "secret_names" {
   description = "A list of secrets to be created and made accessible to the cloud run instance."
   type        = set(string)