# Per-cluster identity for the edge agent (Config Connector
# IAMServiceAccount). The ${...} placeholders are filled in by the
# templating step that renders this manifest.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: service-account.${cluster_uuid}.edge-agent
spec:
  # The account ID is built from ${cluster_hash}, not the UUID --
  # presumably to stay inside the service-account ID length limit;
  # confirm with whoever owns the template.
  resourceID: edge-agt-${cluster_hash}
  description: "Edge Agent Service Account. (${cluster_uuid})"
---
# IAM bindings for that service account, attached to this cluster's
# subscription only (see resourceRef), not to the project or the topic.
# IAMPartialPolicy is non-authoritative: it manages the bindings listed
# here and leaves any other bindings on the subscription in place, so
# grants added out of band must be audited separately.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: subscription-policy.${cluster_uuid}.edge-agent
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    name: sub.${cluster_uuid}.edge-agent
  bindings:
    # Allows the agent to consume messages from the subscription.
    - role: roles/pubsub.subscriber
      members:
        - memberFrom:
            serviceAccountRef:
              name: service-account.${cluster_uuid}.edge-agent
    # Read-only access to the subscription's metadata.
    - role: roles/pubsub.viewer
      members:
        - memberFrom:
            serviceAccountRef:
              name: service-account.${cluster_uuid}.edge-agent
---
# One subscription per cluster on the shared edge-agent topic.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: sub.${cluster_uuid}.edge-agent
spec:
  resourceID: sub.${cluster_uuid}.edge-agent
  # The topic is referenced by path and is not defined in this manifest.
  topicRef:
    external: projects/${gcp_project_id}/topics/edge-agent
  # Delivers only messages whose cluster_edge_id attribute matches this
  # cluster. Attributes are set by the publisher, so the filter routes
  # messages but does not authenticate them: isolation between clusters
  # depends on who holds publish rights on the shared topic.
  filter: 'attributes.cluster_edge_id="${cluster_uuid}"'
  ackDeadlineSeconds: 60
  retainAckedMessages: false
  expirationPolicy:
    # Empty ttl: the subscription never expires.
    ttl: ""