# Config Connector resources for the "jack-bot" workload: a global static IP
# (with edge DNS annotations), a GCP service account, and the IAM bindings that
# service account receives. Values of the form ${...} are filled in by the
# surrounding templating step before this file is applied.
---
# Global static address; the dns.edge.ncr.com/* annotations request a DNS record
# for it in the infra/dev-infra managed zone.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: jack-bot-ip
  annotations:
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: jack-bot.${domain}.
spec:
  location: global
---
# The workload identity; resourceID is suffixed with the cluster hash so each
# cluster gets its own account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: jack-bot
spec:
  displayName: jack-bot
  resourceID: jack-bot-${cluster_hash}
---
# Project-scoped Cloud SQL bindings. NOTE(review): these two bindings target the
# hard-coded project ret-edge-pltf-infra while the rest of the file uses
# ${gcp_project_id}; confirm the cross-project grant is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: jack-cloudsql-editor
spec:
  member: serviceAccount:jack-bot-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/ret-edge-pltf-infra
  role: roles/cloudsql.editor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: jack-instance-access
spec:
  member: serviceAccount:jack-bot-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/ret-edge-pltf-infra
  role: roles/cloudsql.instanceUser
---
# Pub/Sub publisher binding, currently disabled (kept for reference).
# apiVersion: iam.cnrm.cloud.google.com/v1beta1
# kind: IAMPolicyMember
# metadata:
#   name: overlook-publisher
# spec:
#   member: serviceAccount:jack-bot-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
#   resourceRef:
#     name: overlook-topic
#     apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
#     kind: PubSubTopic
#   role: roles/pubsub.publisher
# ---
# Bucket-scoped binding on edge-test-jobs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: jack-storage-binding
spec:
  member: serviceAccount:jack-bot-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  # The role is scoped to this single bucket rather than the project, which is
  # why storage.admin was considered acceptable here. NOTE(review): even at
  # bucket scope, roles/storage.admin still carries bucket-level permissions
  # (including setting the bucket's IAM policy), not just object access; if the
  # workload only reads/writes objects, roles/storage.objectAdmin is the
  # narrower choice — confirm which operations are actually needed.
  role: roles/storage.admin