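---
# Global static IP for gridbug; the dns.edge.ncr.com annotations ask the
# DNS controller to publish a record for it in the named managed zone.
# Templated ${...} values are quoted so a substituted value can never be
# read by the YAML parser as a number, boolean or null.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: gridbug-ip
  annotations:
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    # trailing dot: fully-qualified record name
    dns.edge.ncr.com/name: "gridbug.${domain}."
spec:
  location: global
---
# Service account gridbug runs as. The IAMPolicyMember resources below bind
# roles to it by email, so resourceID and the member strings must stay in sync.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: gridbug
spec:
  displayName: Gridbug
  resourceID: "gridbug-${cluster_hash}"
---
# Project-scoped AlloyDB client role for the gridbug service account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: gridbug-server-alloy-client
spec:
  member: "serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/alloydb.client
---
# Read access (object get + list) to the edge-test-jobs bucket only.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "gridbug-${cluster_hash}-bucket-access"
spec:
  member: "serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  role: roles/storage.objectViewer
---
# Second binding on the same bucket for the same account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "gridbug-${cluster_hash}-bucket-lister"
spec:
  member: "serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  # NOTE(review): scoping to one bucket limits the blast radius but does not
  # make storage.admin safe to hand out: on a bucket it still grants object
  # create/delete, bucket deletion and storage.buckets.setIamPolicy, so the
  # account can widen its own access or grant others. roles/storage.objectViewer
  # (bound above) already includes storage.objects.list; if this binding exists
  # only for listing it can be dropped, and if bucket metadata reads are needed
  # roles/storage.legacyBucketReader covers that without IAM or delete rights.
  # Confirm what gridbug actually needs before narrowing.
  role: roles/storage.admin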