1# Copyright 2022 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: iam.cnrm.cloud.google.com/v1beta1
16kind: IAMPolicy
17metadata:
18 annotations:
19 # Abandon without deletion because:
20 # 1. The same initial policy is required for the next test run to succeed.
21 # 2. The ephemeral testing GSA will have already lost permission when it
22 # tries to delete the IAMPolicy, thus will fail the test.
23 cnrm.cloud.google.com/deletion-policy: "abandon"
24 name: iamexternalonlyref-${uniqueId}
25spec:
26 resourceRef:
27 apiVersion: billing.cnrm.cloud.google.com/v1beta1
28 kind: BillingAccount
29 external: ${IAM_INTEGRATION_TESTS_BILLING_ACCOUNT_ID}
30 bindings:
31 # Never remove below bindings. We need these bindings because they will:
32 # 1. Ensure kcc-eng group has admin access to the billing account.
33 # 2. Make sure our integration test service account can run tests against this billing account.
34 # 3. Ensure the default admin account john@configconnector.joonix.net is kept unchanged.
35 - role: roles/billing.admin
36 members:
37 - group:kcc-eng@google.com
38 - serviceAccount:cnrm-eap-prow@cnrm-eap.iam.gserviceaccount.com
39 - user:john@configconnector.joonix.net
View as plain text