# Config Connector (KCC) manifest for the BFF service account.
#
# Creates `bff-sa` in ${gcp_project_id} and binds predefined roles to it at
# four scopes:
#   - the tenants folder ${tenants_gcp_folder_id}  (inherited by every tenant project)
#   - the project ${gcp_project_id}
#   - the foreman project ${foreman_gcp_project_id}
#   - one Artifact Registry repository in the foreman project
# plus a Cloud SQL IAM user for the same identity.
#
# NOTE(review): the folder-scoped bindings below (iam.securityAdmin,
# iam.serviceAccountAdmin, iam.serviceAccountKeyAdmin, secretmanager.admin,
# pubsub.publisher/viewer) are inherited by every current and future project
# under the tenants folder. iam.securityAdmin carries setIamPolicy, so a
# compromise of this identity can escalate to Owner on any tenant project;
# iam.serviceAccountKeyAdmin lets it mint long-lived keys for any tenant
# service account; secretmanager.admin exposes every tenant secret. If these
# are only needed while "bootstrapping a cluster" (per the comments below),
# consider moving them to a short-lived bootstrap identity or scoping them
# per tenant project instead of the whole folder. Also confirm this SA is not
# attached to an internet-facing workload (the name suggests a
# backend-for-frontend).
#
# ${...} tokens are substituted before apply; the names carry ${cluster_uuid}
# so bindings from different clusters do not collide.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: bff-sa
spec:
  displayName: sa-for-bff
---
# Folder access needed for creating IAM in tenant projects when bootstrapping
# a cluster: create/delete/update service accounts in every tenant project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-iam-sa-admin-tenants
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/iam.serviceAccountAdmin
---
# Folder access needed for creating IAM in tenant projects when bootstrapping
# a cluster.
# NOTE(review): serviceAccountKeyAdmin allows creating user-managed keys for
# any service account under the folder; prefer short-lived credentials
# (workload identity / impersonation) and drop this if keys are not actually
# generated by the bootstrap flow.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-iam-sakey-admin-tenants
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/iam.serviceAccountKeyAdmin
---
# Folder access needed for creating IAM in tenant projects when bootstrapping
# a cluster.
# NOTE(review): securityAdmin at folder scope includes get/setIamPolicy on the
# folder and every project beneath it — effectively the ability to grant any
# role to any principal across all tenants.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-iam-admin-tenants
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/iam.securityAdmin
---
# Read-only view of GKE clusters in ${gcp_project_id}.
# NOTE(review): the name says "-foreman" but the binding targets
# ${gcp_project_id}, not ${foreman_gcp_project_id} — confirm which was intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-k8s-viewer-foreman
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/container.clusterViewer
---
# Connect to Cloud SQL instances in ${gcp_project_id} (e.g. via the Auth Proxy).
# NOTE(review): as above, "-foreman" in the name vs ${gcp_project_id} as the
# target — confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-sql-client-foreman
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/cloudsql.client
---
# Read-only view of Compute Engine resources in ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-compute-viewer
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/compute.viewer
---
# Cloud Monitoring access in ${gcp_project_id}.
# NOTE(review): the name ("k8s-metrics") suggests read access, but the role is
# monitoring.admin, which also allows deleting/altering dashboards, alerting
# policies and notification channels. If only reads are needed,
# roles/monitoring.viewer (or roles/monitoring.metricWriter for writes) is the
# least-privilege choice — verify against the workload.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-k8s-metrics
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/monitoring.admin
---
# Folder access needed for managing secrets in tenant projects.
# NOTE(review): secretmanager.admin at folder scope grants read of every
# secret version in every tenant project, not just management of the
# containers; check whether secretmanager.secretVersionManager (no payload
# access) or per-project bindings would suffice.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-k8s-secret-manager-tenants
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/secretmanager.admin
---
# Full Secret Manager access in ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-k8s-secret-manager-foreman
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/secretmanager.admin
---
# Run BigQuery jobs (queries) billed to ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-big-query-job-user
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/bigquery.jobUser
---
# Read BigQuery table data in ${gcp_project_id} (project-wide, all datasets).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-big-query-data-viewer
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/bigquery.dataViewer
---
# Publish to any Pub/Sub topic in ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-pubsub-publisher
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/pubsub.publisher
---
# Publish to Pub/Sub topics in every tenant project (folder-scoped).
# NOTE(review): if only specific edge-agent topics are written to, binding
# on those topics (IAMPolicyMember with kind: PubSubTopic) keeps a compromised
# BFF from injecting messages into unrelated tenant topics.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-edge-agent-tenants-pubsub-publisher
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/pubsub.publisher
---
# List/inspect Pub/Sub topics and subscriptions in every tenant project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-edge-agent-tenants-pubsubview
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/pubsub.viewer
---
# Consume from any Pub/Sub subscription in ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-pubsub-subscriber
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/pubsub.subscriber
---
# Required alongside cloudsql.client for IAM database authentication
# (pairs with the SQLUser of type CLOUD_IAM_SERVICE_ACCOUNT below).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-edge-db-instance-viewer
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/cloudsql.instanceUser
---
# Pull images/artifacts from the `warehouse` repository in the foreman
# project. Scoped to the single repository rather than the project — good.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-api-artifact-read
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
    kind: ArtifactRegistryRepository
    external: projects/${foreman_gcp_project_id}/locations/${gcp_region}/repositories/warehouse
  role: roles/artifactregistry.reader
---
# Cloud SQL IAM database user for bff-sa on the migrated edge instance.
# For service-account IAM users Cloud SQL expects the `.iam` suffix with
# `.gserviceaccount.com` stripped, so `bff-sa@${gcp_project_id}.iam` is the
# correct form (no password is stored; auth is via IAM tokens).
# deletion-policy: abandon keeps the database user if this KCC object is
# deleted, so removal has to be done out-of-band.
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLUser
metadata:
  name: edge-backend-sa-sql-user
  namespace: edge-system
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  type: CLOUD_IAM_SERVICE_ACCOUNT
  instanceRef:
    name: ${edge_sql_db_name}-migrated
    namespace: edge-system
  resourceID: bff-sa@${gcp_project_id}.iam
---
# IAM administration on the foreman project itself.
# NOTE(review): with securityAdmin here bff-sa can modify the IAM policy of the
# project that (per the artifact binding above) hosts the `warehouse`
# repository, i.e. it can grant itself or others write access to the supply
# chain. Confirm this is required at runtime and not just for bootstrap.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-iam-admin-foreman
spec:
  member: serviceAccount:bff-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${foreman_gcp_project_id}
  role: roles/iam.securityAdmin