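---
# Config Connector manifests for the edge-bsl workload: one Google service
# account, three project-level IAM bindings, and a Cloud SQL IAM database
# user. The ${...} placeholders are filled in by a templating step that is
# not visible here; values containing them are quoted so that an unexpected
# expansion cannot change the YAML type or structure.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: edge-bsl
spec:
  displayName: "${cluster_hash} Edge BSL"
  # The member strings in the bindings below hard-code this account ID;
  # keep them in sync if it ever changes.
  resourceID: edge-bsl
---
# NOTE(security review): roles/secretmanager.admin bound on the Project gives
# this account full control of every secret in the project, including each
# secret's IAM policy, so a compromise of edge-bsl exposes all of them.
# The binding name suggests only "banners" secrets are needed (assumption,
# confirm with the owner). If so, narrow the grant: bind on the individual
# secrets, add an IAM condition on the secret name prefix, or use a smaller
# role such as roles/secretmanager.secretAccessor or
# roles/secretmanager.secretVersionManager.
# While the broad grant stays, Data Access audit logs for Secret Manager are
# what records reads made by this account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-bsl-banners-secretadmin
spec:
  member: "serviceAccount:edge-bsl@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/secretmanager.admin
---
# roles/cloudsql.instanceUser permits IAM database login. The binding is on
# the Project, so it covers every Cloud SQL instance there; a login still
# needs a matching database user on the instance (see the SQLUser below).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bsl-sql-user-role
spec:
  member: "serviceAccount:edge-bsl@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/cloudsql.instanceUser
---
# IAM-authenticated database user for the edge-bsl service account.
# What this user may do inside the database is decided by grants made in the
# database itself, which are not part of this file.
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLUser
metadata:
  name: edge-bsl-sql-user
  annotations:
    # "abandon": deleting this Kubernetes object leaves the database user on
    # the instance. Deprovisioning therefore needs the user (or the IAM
    # bindings in this file) removed explicitly to revoke access.
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  type: CLOUD_IAM_SERVICE_ACCOUNT
  instanceRef:
    name: "${edge_sql_db_name}-migrated"
    namespace: edge-system
  # Service account email without the ".gserviceaccount.com" suffix. This is
  # the user-name form Cloud SQL for PostgreSQL uses for IAM service
  # accounts; the engine is not shown here, so confirm against the instance.
  resourceID: "edge-bsl@${gcp_project_id}.iam"
---
# roles/cloudsql.client permits connecting to Cloud SQL instances. Like the
# instanceUser binding it is project-wide, not scoped to one instance.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bsl-sql-client-role
spec:
  member: "serviceAccount:edge-bsl@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/cloudsql.client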