Group for Terraform backend service accounts
brettcurtis opened this issue
Description
We will need a group for Terraform backend service accounts. For example, each backend service account created will require IAM roles to solve this problem:
Error: Request `Create IAM Members roles/logging.bucketWriter serviceAccount:p980112215208-515759@gcp-sa-logging.iam.gserviceaccount.com for project "shared-logs01-tf3521-sb"` returned error: Error retrieving IAM policy for project "shared-logs01-tf3521-sb": googleapi: Error 403: The caller does not have permission, forbidden
In this example, we have a service account creating a new project and resource for google_logging_project_sink, which requires project IAM admin in the logging project. This isn't ideal from a security perspective, but I'm not sure there is another way around it if we set up logging buckets this way.
Acceptance
- Terraform backend service accounts should be able to create the google_logging_project_sink resource
Implementation Notes
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink
Additional Context
Also, note the service account for the Terraform backend will need to be a manager in the group.
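The layout described in this issue, as an added Terraform example that is not code from this issue or the project: a Cloud Identity group holding the backend service accounts (the backend SA added as both MEMBER and MANAGER), a project IAM binding on the logging project for that group, and a per-project sink whose writer identity is then granted roles/logging.bucketWriter on the logging project, which is the call that returned 403 above. Every project ID, customer ID, group email and service account email is a placeholder, and the filter and bucket name are constructed. The binding goes one step further than the issue states: it still uses roles/resourcemanager.projectIamAdmin, but attaches an IAM condition on the `iam.googleapis.com/modifiedGrantsByRole` attribute so the group can only grant roles/logging.bucketWriter, which is an assumption that this narrowing fits the setup here.

```hcl
# Added example, not the issue's or project's own code. All IDs below are placeholders.
locals {
  logging_project = "LOGGING_PROJECT_ID"  # placeholder: the shared logging project
  new_project     = "NEW_PROJECT_ID"      # placeholder: the project the backend SA just created
  tf_backend_sa   = "tf-backend@TF_BACKEND_PROJECT_ID.iam.gserviceaccount.com" # placeholder
  group_email     = "tf-backends@example.com" # placeholder group email
}

# 1. Group that holds every Terraform backend service account.
resource "google_cloud_identity_group" "tf_backends" {
  display_name = "Terraform backend service accounts"
  parent       = "customers/CUSTOMER_ID" # placeholder Cloud Identity customer ID
  group_key {
    id = local.group_email
  }
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# 2. The backend SA is a MEMBER and a MANAGER of the group (MANAGER requires MEMBER).
resource "google_cloud_identity_group_membership" "tf_backend" {
  group = google_cloud_identity_group.tf_backends.id
  preferred_member_key {
    id = local.tf_backend_sa
  }
  roles {
    name = "MEMBER"
  }
  roles {
    name = "MANAGER"
  }
}

# 3. Let the group edit IAM policy on the logging project, but only to grant
#    roles/logging.bucketWriter. The condition applies to setIamPolicy calls;
#    the [] default keeps getIamPolicy working (hasOnly on an empty list is true).
resource "google_project_iam_member" "tf_backends_iam_admin" {
  project = local.logging_project
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = "group:${local.group_email}"
  condition {
    title       = "only-grant-log-bucket-writer"
    description = "Sink writer identities only ever need roles/logging.bucketWriter"
    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/logging.bucketWriter'])"
  }
}

# 4. Sink in the new project, routed to a log bucket in the logging project.
#    unique_writer_identity gives the sink its own gcp-sa-logging service account.
resource "google_logging_project_sink" "to_shared_logs" {
  name                   = "to-shared-logs"
  project                = local.new_project
  destination            = "logging.googleapis.com/projects/${local.logging_project}/locations/global/buckets/shared-logs"
  filter                 = "severity >= WARNING" # constructed filter
  unique_writer_identity = true
}

# 5. The binding that failed with 403 in the issue: it needs setIamPolicy on the
#    logging project, which the group binding above now provides.
resource "google_project_iam_member" "sink_writer" {
  project = local.logging_project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_project_sink.to_shared_logs.writer_identity
}
```

Check the effect with `gcloud projects get-iam-policy LOGGING_PROJECT_ID` after apply: the group binding should show the condition, and the only member added for roles/logging.bucketWriter should be the sink's `writer_identity`. If the condition is dropped, the group holds unconditional project IAM admin on the logging project, which is the broad grant the issue flags as not ideal.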