# Config Connector resources for the per-cluster "dsds-ea" (emergency access)
# Pub/Sub channel. The ${...} placeholders (cluster_uuid, cluster_hash,
# gcp_project_id, foreman_gcp_project_id) are filled in by whatever templating
# step renders this file before it is applied.
#
# Summary of what is granted below:
#   - the per-cluster service account may consume the request subscription
#     and publish to the response topic;
#   - ea-pubsub-sa in the foreman project may consume the response
#     subscription;
#   - a user-managed key for the per-cluster service account is created and
#     copied into Secret Manager.

# Subscription on the response topic. The filter delivers only messages whose
# `storeId` attribute equals this cluster's UUID.
# NOTE(review): `storeId` is an attribute set by the publisher, so the filter
# routes messages but does not authenticate their origin. The topic name
# carries no cluster id, so it is presumably shared between clusters; a
# consumer should not treat `storeId` alone as proof of which cluster sent a
# message. Confirm how the consumer validates the sender.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: sub.${cluster_uuid}.dsds-ea-response
spec:
  resourceID: sub.${cluster_uuid}.dsds-ea-response
  # The topic is referenced by full path, not by an object in this manifest.
  topicRef:
    external: projects/${gcp_project_id}/topics/topic.dsds-ea-response
  filter: attributes.storeId="${cluster_uuid}"
  enableMessageOrdering: true
---
# Subscription on the request topic, filtered on `storeId` in the same way.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: sub.${cluster_uuid}.dsds-ea-request
spec:
  resourceID: sub.${cluster_uuid}.dsds-ea-request
  topicRef:
    external: projects/${gcp_project_id}/topics/topic.dsds-ea-request
  filter: attributes.storeId="${cluster_uuid}"
  enableMessageOrdering: true
---
# Per-cluster service account used for emergency access.
# The account id is built from ${cluster_hash} instead of ${cluster_uuid};
# presumably this keeps it inside the service-account id length limit.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: service-account.${cluster_uuid}.dsds-ea
spec:
  resourceID: dsds-ea-${cluster_hash}
  description: "Remote Agent Emergency Access Service Account. (${cluster_uuid})"
---
# Lets the per-cluster service account consume this cluster's request
# subscription. The binding is on the single subscription, not on the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: subscription-policy.${cluster_uuid}.dsds-ea-sa
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    name: sub.${cluster_uuid}.dsds-ea-request
  bindings:
    - role: roles/pubsub.subscriber
      members:
        - memberFrom:
            serviceAccountRef:
              name: service-account.${cluster_uuid}.dsds-ea
---
# Lets the per-cluster service account publish to the response topic.
# NOTE(review): the grant is on the topic as a whole, so this account can
# publish messages carrying any `storeId` value. Keep that in mind wherever
# responses are consumed and trusted.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: response-topic-policy.${cluster_uuid}.dsds-ea-sa
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    external: projects/${gcp_project_id}/topics/topic.dsds-ea-response
  bindings:
    - role: roles/pubsub.publisher
      members:
        - memberFrom:
            serviceAccountRef:
              name: service-account.${cluster_uuid}.dsds-ea
---
# Lets ea-pubsub-sa from the foreman project consume this cluster's response
# subscription.
# NOTE(review): unlike the other policies in this file, metadata.name has no
# ${cluster_uuid}. If manifests for several clusters are ever applied to one
# namespace, these objects would share a name and replace each other. Confirm
# that each cluster gets its own namespace.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: ea-response-sub-policy.dsds-ea-sa
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    name: sub.${cluster_uuid}.dsds-ea-response
  bindings:
    - role: roles/pubsub.subscriber
      members:
        - member: serviceAccount:ea-pubsub-sa@${foreman_gcp_project_id}.iam.gserviceaccount.com
---
# User-managed key for the per-cluster service account.
# NOTE(review): this is a long-lived credential, and nothing in this file
# rotates or expires it. The SecretManagerSecretVersion below reads the key
# from a Kubernetes Secret of the same name (data key `key.json`), so the
# private key is held in the cluster as well as in Secret Manager. Restrict
# read access to both copies and alert on use of the key from unexpected
# sources.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: remotecli-${cluster_uuid}-gcp-api-key
spec:
  serviceAccountRef:
    name: service-account.${cluster_uuid}.dsds-ea
---
# Secret Manager container for the key above.
# No IAM policy for this secret appears in this file; read access is
# presumably granted elsewhere. Verify that it is limited to the intended
# consumer.
apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecret
metadata:
  name: remotecli-${cluster_uuid}-gcp-api-key
spec:
  # Automatic replication leaves replica placement to Google. Check this
  # against any data-residency requirement for credentials.
  replication:
    automatic: true
---
# Copies `key.json` from the Kubernetes Secret into Secret Manager as an
# enabled secret version.
apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
kind: SecretManagerSecretVersion
metadata:
  name: secret-manager-secret-version.${cluster_uuid}.dsds-ea-sa
spec:
  enabled: true
  secretRef:
    name: remotecli-${cluster_uuid}-gcp-api-key
  secretData:
    valueFrom:
      secretKeyRef:
        name: remotecli-${cluster_uuid}-gcp-api-key
        key: key.json