...
# Google service account (GSA) that the middlechild workload runs as; the
# Kubernetes side is attached to it through the workloadIdentityUser binding below.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: middlechild
spec:
  # resourceID is the account id (the part before the @). It carries a per-cluster
  # suffix, presumably so several clusters can live in one project without colliding.
  resourceID: midchild-${cluster_hash}
  displayName: "Middlechild"
---
# AlloyDB client access for the middlechild GSA. The binding is on the Project, so it
# applies to every AlloyDB instance in ${gcp_project_id}, not only this cluster's.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-server-alloy-client
spec:
  role: roles/alloydb.client
  # NOTE(review): this email is spelled out by hand and must stay in sync with the
  # resourceID of IAMServiceAccount/middlechild; memberFrom.serviceAccountRef would
  # let Config Connector derive it instead.
  member: "serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    kind: Project
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    external: projects/${gcp_project_id}
---
# Workload Identity: lets the Kubernetes service account "middlechild" in namespace
# "middlechild" impersonate the middlechild GSA. The role is bound on the GSA itself
# (resourceRef -> IAMServiceAccount), not on the project, so no other GSA is affected.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-foreman-workload-identity-user
spec:
  role: roles/iam.workloadIdentityUser
  # member format: serviceAccount:<project>.svc.id.goog[<namespace>/<ksa-name>]
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[middlechild/middlechild]"
  resourceRef:
    kind: IAMServiceAccount
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    name: middlechild
---
# Subscription on the bucket-notification topic. No pushConfig is set, so it is a
# pull subscription; the middlechild GSA is granted subscriber on it further down.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: edge-job-storage-subscription
spec:
  topicRef:
    name: edge-job-storage-topic
  ackDeadlineSeconds: 15  # a message not acked within 15s is redelivered
  messageRetentionDuration: 86400s  # unacked messages are kept for 24h
  retainAckedMessages: false  # acked messages are discarded, no replay
---
# Topic that Cloud Storage publishes object notifications to
# (wired up by the StorageNotification and the publisher binding below).
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: edge-job-storage-topic
---
# Cloud Storage -> Pub/Sub notification: each finalized (created or overwritten) object
# in the edge-test-jobs bucket produces a JSON_API_V1 message on edge-job-storage-topic.
# The bucket is referenced by name only (external), so it is presumably managed
# outside this file and must exist before this resource reconciles.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageNotification
metadata:
  name: edge-job-storage-notifications
spec:
  payloadFormat: JSON_API_V1
  # OBJECT_FINALIZE only: no delete, archive or metadata-update events are sent
  eventTypes: ["OBJECT_FINALIZE"]
  bucketRef:
    external: edge-test-jobs
  topicRef:
    name: edge-job-storage-topic
---
# The Cloud Storage service agent (service-<project-number>@gs-project-accounts) needs
# publish rights on the topic for the StorageNotification above to deliver anything.
# Bound on the single topic, not on the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: storage-${cluster_hash}-notification-publisher
spec:
  role: roles/pubsub.publisher
  member: "serviceAccount:service-${gcp_project_number}@gs-project-accounts.iam.gserviceaccount.com"
  resourceRef:
    kind: PubSubTopic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    name: edge-job-storage-topic
---
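# Object access for the middlechild GSA on the edge-test-jobs bucket (the bucket whose
# OBJECT_FINALIZE events it consumes through edge-job-storage-subscription).
#
# This used to be roles/storage.admin with the remark that bucket scoping made it safe.
# It does not: on a bucket, storage.admin still includes storage.buckets.setIamPolicy
# (the workload could grant any principal, including allUsers, access to the bucket
# unless an org policy blocks it), storage.buckets.delete and storage.buckets.update
# (retention, lifecycle, logging). roles/storage.objectAdmin keeps full
# create/read/overwrite/delete on the objects without any bucket-level control.
#
# NOTE(review): if the workload also needs bucket metadata (storage.buckets.get), add a
# separate bucket-read binding rather than returning to storage.admin.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-storage-binding
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  role: roles/storage.objectAdmin
---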
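# Object access for the middlechild GSA on the edge-argo-logs bucket (from the name,
# presumably where Argo workflow logs are written — confirm with the owner).
#
# This used to be roles/storage.admin with the remark that bucket scoping made it safe.
# It does not: on a bucket, storage.admin still includes storage.buckets.setIamPolicy
# (the workload could re-share the bucket, including to allUsers, unless an org policy
# blocks it), storage.buckets.delete and storage.buckets.update (retention, lifecycle,
# logging). roles/storage.objectAdmin keeps full create/read/overwrite/delete on the
# objects without any bucket-level control.
#
# NOTE(review): if log writing only ever creates objects, roles/storage.objectCreator
# (plus objectViewer if logs are read back) would be tighter still. If bucket metadata
# (storage.buckets.get) is needed, add a separate bucket-read binding instead of
# returning to storage.admin.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-argo-log-binding
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-argo-logs
  role: roles/storage.objectAdmin
---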
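# Middlechild GSA on the notification topic.
#
# This was roles/editor, a basic role. Basic roles are discouraged for new bindings,
# and on a topic roles/editor amounts to every non-IAM Pub/Sub permission anyway;
# roles/pubsub.editor is the Pub/Sub-scoped counterpart (manage, publish and delete the
# topic, no setIamPolicy) and drops the unrelated permissions a basic role carries.
#
# NOTE(review): the resource name says "bucket-lister" but this binds a Pub/Sub topic.
# The same GSA already has roles/pubsub.subscriber on edge-job-storage-subscription; if
# it only needs to read topic metadata, roles/pubsub.viewer is enough, and
# roles/pubsub.publisher if it publishes — confirm what the workload actually calls
# before tightening further. metadata.name is deliberately left alone: renaming makes
# Config Connector delete and recreate the binding.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-bucket-lister
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-job-storage-topic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.editor
---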
# Lets the middlechild GSA pull and ack messages on edge-job-storage-subscription.
# Bound on the subscription only, so it cannot touch other subscriptions or the topic.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-subscriber
spec:
  role: roles/pubsub.subscriber
  member: "serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    kind: PubSubSubscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    name: edge-job-storage-subscription
---
# Read-only view of edge-job-storage-subscription for the middlechild GSA
# (get/list the subscription, no pull, no changes), scoped to that one subscription.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-viewer
spec:
  role: roles/pubsub.viewer
  member: "serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    kind: PubSubSubscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    name: edge-job-storage-subscription
---
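# Human access to the notification topic.
#
# This was roles/editor, a basic role. Basic roles are discouraged for new bindings,
# and on a topic roles/editor amounts to every non-IAM Pub/Sub permission anyway;
# roles/pubsub.editor is the Pub/Sub-scoped counterpart (manage, publish and delete the
# topic, no setIamPolicy) and drops the unrelated permissions a basic role carries.
#
# NOTE(review): this binds one named individual directly. Access tied to a person
# silently outlives role changes and has to be edited here when they leave; a Google
# group (member: group:<name>@<domain>) is the usual practice so membership, not IaC,
# controls who has it. If the person only needs to inspect the topic for debugging,
# roles/pubsub.viewer is enough — confirm before tightening further.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-topic-editor
spec:
  member: user:ss185994@ncr.com
  resourceRef:
    name: edge-job-storage-topic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.editor
---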
# Lets a human pull and ack messages on edge-job-storage-subscription (e.g. to drain
# or inspect it). Scoped to that one subscription.
# NOTE(review): a direct user: binding ties access to one person; a Google group
# (member: group:<name>@<domain>) would keep this file stable when people change.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-subscriber
spec:
  role: roles/pubsub.subscriber
  member: "user:ss185994@ncr.com"
  resourceRef:
    kind: PubSubSubscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    name: edge-job-storage-subscription
---
# Read-only view of edge-job-storage-subscription for a human (get/list only).
# NOTE(review): a direct user: binding ties access to one person; a Google group
# (member: group:<name>@<domain>) would keep this file stable when people change.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-viewer
spec:
  role: roles/pubsub.viewer
  member: "user:ss185994@ncr.com"
  resourceRef:
    kind: PubSubSubscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    name: edge-job-storage-subscription