apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: postgrest-workload-identity-user
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[postgrest/postgrest]
  resourceRef:
    name: postgrest
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: postgrest-alloydb-client
spec:
  member: serviceAccount:postgrest-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/alloydb.client
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: postgrest
spec:
  resourceID: postgrest-${cluster_hash}
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: postgrest
  annotations:
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: sovereign.${domain}.
spec:
  location: global
  resourceID: postgrest-ip