78 lines
No EOL
2.5 KiB
HCL
Executable file
78 lines
No EOL
2.5 KiB
HCL
Executable file
variable "project_id" {
|
|
type = string
|
|
default = "datacom-poc"
|
|
}
|
|
|
|
variable "project_number" {
|
|
type = string
|
|
default = "32472615575"
|
|
}
|
|
|
|
variable "region" {
|
|
type = string
|
|
default = "asia-northeast1"
|
|
}
|
|
|
|
|
|
# Cloud Functionsサービスアカウント
|
|
resource "google_service_account" "cf_sa" {
|
|
project = var.project_id
|
|
account_id = "mrt-cloudfunctions-sa-devtest"
|
|
display_name = "Cloud Functions SA"
|
|
}
|
|
|
|
# 権限をSAに付与
|
|
resource "google_project_iam_member" "cf_sa_role" {
|
|
for_each = toset(["roles/storage.objectAdmin","roles/workflows.invoker", "roles/secretmanager.secretAccessor", "roles/aiplatform.user"])
|
|
project = var.project_id
|
|
role = each.value
|
|
member = "serviceAccount:${google_service_account.cf_sa.email}"
|
|
}
|
|
|
|
|
|
# Cloud Workflows用サービスアカウント
|
|
resource "google_service_account" "workflows_sa" {
|
|
project = var.project_id
|
|
account_id = "mrt-cloudworkflows-sa-devtest"
|
|
display_name = "Cloud Workflows SA"
|
|
}
|
|
|
|
# 権限を SA に付与
|
|
resource "google_project_iam_member" "wf_cf_role" {
|
|
for_each = toset(["roles/cloudfunctions.invoker","roles/run.invoker"])
|
|
project = var.project_id
|
|
role = each.value
|
|
member = "serviceAccount:${google_service_account.workflows_sa.email}"
|
|
}
|
|
|
|
|
|
# API Gateway用サービスアカウント
|
|
resource "google_service_account" "gateway_sa" {
|
|
project = var.project_id
|
|
account_id = "mrt-apigateway-sa-devtest"
|
|
display_name = "Cloud Functions 起動用サービスアカウント"
|
|
}
|
|
|
|
# 権限を SA に付与
|
|
resource "google_project_iam_member" "gateway_role" {
|
|
for_each = toset(["roles/cloudfunctions.invoker","roles/run.invoker"])
|
|
project = var.project_id
|
|
role = each.value
|
|
member = "serviceAccount:${google_service_account.gateway_sa.email}"
|
|
}
|
|
|
|
|
|
# cloud build用サービスアカウント
|
|
resource "google_service_account" "cloudbuild_sa" {
|
|
project = var.project_id
|
|
account_id = "mrt-cloudbuild-sa-devtest"
|
|
display_name = "Cloud Build 用サービスアカウント"
|
|
}
|
|
|
|
# 権限を SA に付与
|
|
resource "google_project_iam_member" "cloudbuild_role" {
|
|
for_each = toset(["roles/cloudbuild.builds.builder","roles/storage.objectAdmin", "roles/artifactregistry.writer", "roles/developerconnect.readTokenAccessor", "roles/cloudfunctions.developer","roles/workflows.admin", "roles/iam.serviceAccountUser"])
|
|
project = var.project_id
|
|
role = each.value
|
|
member = "serviceAccount:${google_service_account.cloudbuild_sa.email}"
|
|
} |