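# Config Connector (KCC) resources for the "middlechild" workload:
#   - a GCP service account + Workload Identity binding for the KSA middlechild/middlechild
#   - a Pub/Sub topic/subscription fed by GCS OBJECT_FINALIZE notifications on edge-test-jobs
#   - resource-scoped IAM bindings for the service account and one human user
# ${cluster_hash}, ${gcp_project_id} and ${gcp_project_number} are substituted before apply.
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: middlechild
spec:
  displayName: Middlechild
  resourceID: midchild-${cluster_hash}
---
# Project-wide AlloyDB client access (connect/authenticate only; no instance admin).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-server-alloy-client
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/alloydb.client
---
# Workload Identity: only the KSA "middlechild" in namespace "middlechild" may impersonate
# the GSA above. The binding is on the service account resource, not the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-foreman-workload-identity-user
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[middlechild/middlechild]
  resourceRef:
    name: middlechild
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: edge-job-storage-subscription
spec:
  ackDeadlineSeconds: 15
  messageRetentionDuration: 86400s
  retainAckedMessages: false
  topicRef:
    name: edge-job-storage-topic
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: edge-job-storage-topic
---
# Every finalized object in edge-test-jobs is announced on the topic above.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageNotification
metadata:
  name: edge-job-storage-notifications
spec:
  bucketRef:
    external: edge-test-jobs
  eventTypes:
    - "OBJECT_FINALIZE"
  payloadFormat: JSON_API_V1
  topicRef:
    name: edge-job-storage-topic
---
# The GCS service agent must be allowed to publish, otherwise the notification
# above is created but never delivers. Scoped to the single topic.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: storage-${cluster_hash}-notification-publisher
spec:
  member: serviceAccount:service-${gcp_project_number}@gs-project-accounts.iam.gserviceaccount.com
  resourceRef:
    name: edge-job-storage-topic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.publisher
---
# Object read/write on the job bucket.
# Scoping to one bucket does NOT make roles/storage.admin safe: on the bucket it still
# grants storage.buckets.setIamPolicy (the workload could grant itself or allUsers access)
# and storage.buckets.delete. roles/storage.objectAdmin covers object CRUD only.
# NOTE(review): if the workload needs bucket metadata (storage.buckets.get), add
# roles/storage.legacyBucketReader rather than going back to storage.admin -- confirm with the owner.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-storage-binding
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  role: roles/storage.objectAdmin
---
# Object read/write on the Argo log bucket; same reasoning as the binding above.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-argo-log-binding
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-argo-logs
  role: roles/storage.objectAdmin
---
# Despite its name, this binding is on the Pub/Sub topic, not a bucket.
# roles/editor is a project-wide basic role and is not the right shape for a
# resource-level policy; roles/pubsub.editor is the predefined, Pub/Sub-only equivalent.
# NOTE(review): the service account consumes through the subscription below and the
# topic is published to by the GCS service agent, so this binding may be droppable
# entirely -- confirm which topic permission the workload actually uses.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-bucket-lister
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-job-storage-topic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.editor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-subscriber
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-job-storage-subscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
  role: roles/pubsub.subscriber
---
# pubsub.subscriber does not include subscriptions.get/list; viewer adds them.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: middlechild-${cluster_hash}-viewer
spec:
  member: serviceAccount:midchild-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: edge-job-storage-subscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
  role: roles/pubsub.viewer
---
# Human access for debugging. Same basic-role problem as above: use the predefined
# Pub/Sub role. NOTE(review): bindings to an individual user in IaC outlive the person's
# need for them; prefer a group member (group:...) and, for debugging access, an IAM
# condition with an expiry -- confirm with the owner before changing the member.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-topic-editor
spec:
  member: user:ss185994@ncr.com
  resourceRef:
    name: edge-job-storage-topic
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.editor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-subscriber
spec:
  member: user:ss185994@ncr.com
  resourceRef:
    name: edge-job-storage-subscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
  role: roles/pubsub.subscriber
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ss185994-edge-job-viewer
spec:
  member: user:ss185994@ncr.com
  resourceRef:
    name: edge-job-storage-subscription
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
  role: roles/pubsub.viewer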