---
# Config Connector manifests for the chariot2 Google service account and the
# IAM bindings attached to it, plus two bindings for the Pub/Sub service
# agent. The ${...} placeholders are presumably filled in by a templating
# step before these documents are applied.
#
# NOTE(review): placeholders are left unquoted, as in the original. If
# ${tenants_gcp_folder_id} renders as bare digits, YAML reads it as an
# integer rather than a string; confirm the rendered value, or quote it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: chariot2
spec:
  displayName: chariot2
  # The account's email is derived from this ID; every chariot2 binding
  # below spells that email out again in its `member` field.
  resourceID: chariot2-${cluster_hash}
---
# Grants chariot2 roles/storage.objectAdmin on the tenants folder.
# NOTE(review): a folder-level binding is inherited by every project and
# bucket under that folder, and objectAdmin includes object delete and
# overwrite. If only specific buckets are needed, prefer bucket-scoped
# bindings or an IAM condition. Confirm the intended scope.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-banners-storage
spec:
  role: roles/storage.objectAdmin
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
---
# Grants chariot2 roles/storage.objectAdmin on the whole project.
# NOTE(review): this covers every bucket in the project, not one bucket.
# Confirm that project-wide object administration is required.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-storage
spec:
  role: roles/storage.objectAdmin
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
---
# Lets the project's Pub/Sub service agent publish to the
# chariot-rides-deadletter topic. The binding is scoped to that one topic.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot-rides-deadletter-publisher-policy
spec:
  role: roles/pubsub.publisher
  member: serviceAccount:service-${gcp_project_number}@gcp-sa-pubsub.iam.gserviceaccount.com
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    name: chariot-rides-deadletter
---
# Lets the Pub/Sub service agent act as subscriber on the chariot-sub
# subscription. The binding is scoped to that one subscription.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot-sub-deadletter-subscriber-policy
spec:
  role: roles/pubsub.subscriber
  member: serviceAccount:service-${gcp_project_number}@gcp-sa-pubsub.iam.gserviceaccount.com
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    name: chariot-sub
---
# Project-wide Pub/Sub subscriber role for chariot2.
# NOTE(review): this and the next two bindings apply to every topic and
# subscription in the project. Per-resource bindings (as used for the
# service agent above) would be narrower. Confirm the need.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubsub
spec:
  role: roles/pubsub.subscriber
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
---
# Project-wide Pub/Sub viewer role for chariot2.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubview
spec:
  role: roles/pubsub.viewer
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
---
# Project-wide Pub/Sub publisher role for chariot2.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubpub
spec:
  role: roles/pubsub.publisher
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
---
# Pub/Sub publisher role for chariot2 on the tenants folder.
# NOTE(review): inherited by every project under the folder, so chariot2
# can publish to any topic in any of them. Confirm this is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-edge-agent-tenants-pubsubpub
spec:
  role: roles/pubsub.publisher
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
---
# Pub/Sub viewer role for chariot2 on the tenants folder (inherited by
# every project under it).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-edge-agent-tenants-pubsubview
spec:
  role: roles/pubsub.viewer
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}