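---
# Service account the BFF workload runs as. Every IAMPolicyMember in this
# file binds a role to this single identity, so its effective privilege is
# the union of all of those grants.
# NOTE(review): no metadata.namespace is set here, so the Config Connector
# namespace (and the GCP project it maps to) must come from whatever applies
# this manifest — confirm against the kustomization/apply step.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: bff-sa
spec:
  displayName: sa-for-bff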
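---
# folder access needed for creating iam in tenant projects when bootstrapping a cluster
# NOTE(review): a folder-scoped grant covers every project under the folder,
# including projects created later. iam.serviceAccountAdmin lets bff-sa
# create, update and set IAM on every service account in those projects;
# confirm the bootstrap step cannot use per-project grants instead.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-iam-sa-admin-tenants"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted on purpose: folder IDs are numeric, and an unquoted all-digit
    # substitution would parse as an integer and be rejected for this
    # string field.
    external: "${tenants_gcp_folder_id}"
  role: roles/iam.serviceAccountAdmin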
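---
# folder access needed for creating iam in tenant projects when bootstrapping a cluster
# NOTE(review): iam.serviceAccountKeyAdmin lets bff-sa mint user-managed
# keys for any service account under the tenants folder. Such keys are
# long-lived credentials; if the bootstrap flow never downloads a key this
# grant can be dropped, otherwise key-creation events by this principal
# should be monitored.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-iam-sakey-admin-tenants"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted: numeric folder IDs must stay strings for this field.
    external: "${tenants_gcp_folder_id}"
  role: roles/iam.serviceAccountKeyAdmin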
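---
# folder access needed for creating iam in tenant projects when bootstrapping a cluster
# NOTE(review): this is the highest-impact grant in the file. iam.securityAdmin
# on the folder allows setIamPolicy on every resource beneath it, so bff-sa can
# widen its own access or grant others access in all tenant projects. Confirm
# the bootstrap really needs policy-write at folder scope, and alert on IAM
# policy changes made by this principal.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-iam-admin-tenants"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted: numeric folder IDs must stay strings for this field.
    external: "${tenants_gcp_folder_id}"
  role: roles/iam.securityAdmin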
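---
# Read-only view of GKE clusters in the project.
# NOTE(review): the name says "foreman" but the binding targets
# ${gcp_project_id}, while iam-admin-foreman below targets
# ${foreman_gcp_project_id} — confirm which project is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-k8s-viewer-foreman"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/container.clusterViewer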
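---
# Lets the workload connect to Cloud SQL instances (e.g. via the Auth Proxy).
# NOTE(review): as with k8s-viewer-foreman, the "-foreman" name does not
# match the ${gcp_project_id} target — confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-sql-client-foreman"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/cloudsql.client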
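---
# Read-only access to Compute Engine resources in the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-compute-viewer"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/compute.viewer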
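---
# NOTE(review): the name suggests metrics access, but monitoring.admin also
# allows changing alerting and notification configuration and deleting
# monitoring resources. If the workload only reads or writes metrics,
# roles/monitoring.viewer or roles/monitoring.metricWriter is narrower —
# confirm what it actually needs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-k8s-metrics"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/monitoring.admin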
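---
# folder access needed for managing secrets in tenant projects
# NOTE(review): secretmanager.admin at folder scope includes reading every
# secret payload and changing secret-level IAM in all tenant projects. If the
# workload only creates/reads secret versions, roles/secretmanager.secretAccessor
# plus roles/secretmanager.secretVersionManager is narrower — confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-k8s-secret-manager-tenants"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted: numeric folder IDs must stay strings for this field.
    external: "${tenants_gcp_folder_id}"
  role: roles/secretmanager.admin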
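---
# Same secret-management grant as the tenants folder, but on the project.
# NOTE(review): the "-foreman" name targets ${gcp_project_id} rather than
# ${foreman_gcp_project_id} — confirm which project is intended. As above,
# admin includes reading all secret payloads; a narrower role may suffice.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-k8s-secret-manager-foreman"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/secretmanager.admin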
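---
# Allows running BigQuery jobs (queries) billed to this project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-big-query-job-user"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/bigquery.jobUser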
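---
# Read access to BigQuery datasets/tables across the whole project.
# NOTE(review): project-wide dataViewer exposes every dataset; if only
# specific datasets are needed, dataset-level bindings are narrower.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-big-query-data-viewer"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/bigquery.dataViewer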
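---
# Publish to any Pub/Sub topic in the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-pubsub-publisher"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/pubsub.publisher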
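---
# Publish to Pub/Sub topics in every tenant project under the folder.
# NOTE(review): folder scope includes projects created later; confirm the
# edge-agent flow needs all tenants rather than per-project topic bindings.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-edge-agent-tenants-pubsub-publisher"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted: numeric folder IDs must stay strings for this field.
    external: "${tenants_gcp_folder_id}"
  role: roles/pubsub.publisher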
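---
# Read-only view of Pub/Sub topics and subscriptions under the tenants folder.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-edge-agent-tenants-pubsubview"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted: numeric folder IDs must stay strings for this field.
    external: "${tenants_gcp_folder_id}"
  role: roles/pubsub.viewer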
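---
# Consume from any Pub/Sub subscription in the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-pubsub-subscriber"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/pubsub.subscriber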
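---
# NOTE(review): the name says "viewer" but cloudsql.instanceUser is the role
# used for IAM database authentication (logging in to the instance as the SA
# defined by the SQLUser below), not a read-only view — consider renaming
# so the binding's purpose is clear from the resource list.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-edge-db-instance-viewer"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  role: roles/cloudsql.instanceUser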
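---
# Pull access to the "warehouse" Artifact Registry repository in the foreman
# project. Scoped to a single repository rather than the project — good.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-api-artifact-read"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
    kind: ArtifactRegistryRepository
    external: "projects/${foreman_gcp_project_id}/locations/${gcp_region}/repositories/warehouse"
  role: roles/artifactregistry.reader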
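---
# Cloud SQL database user that lets bff-sa log in with IAM authentication.
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLUser
metadata:
  name: edge-backend-sa-sql-user
  namespace: edge-system
  annotations:
    # "abandon": deleting this Kubernetes object leaves the database user in
    # place, so removing the manifest does not revoke database access on its
    # own — the user must be cleaned up out-of-band if access should end.
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  type: CLOUD_IAM_SERVICE_ACCOUNT
  instanceRef:
    name: "${edge_sql_db_name}-migrated"
    namespace: edge-system
  # For IAM service-account users Cloud SQL takes the SA email without the
  # ".gserviceaccount.com" suffix, which is why the value ends in ".iam".
  resourceID: "bff-sa@${gcp_project_id}.iam"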
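---
# NOTE(review): iam.securityAdmin on the foreman project allows bff-sa to
# change IAM policy there. Together with the folder-level securityAdmin grant
# above, this identity can broaden its own access in both the foreman project
# and every tenant project; confirm policy-write is required here and alert
# on IAM policy changes made by this principal.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-iam-admin-foreman"
spec:
  member: "serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${foreman_gcp_project_id}"
  role: roles/iam.securityAdmin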