chore: Add bucket rw iam binding

adityachoudhari26 · adityachoudhari26 · commit 6663302a5453 · 2025-10-23T11:09:00.000-07:00
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -24,4 +24,9 @@ module "ctrlplane" {
   source    = "../../"
   namespace = var.namespace
   domains   = ["example.com"]
+  fqdn      = "example.com"
+  google_auth = {
+    client_id     = "1234567890"
+    client_secret = "1234567890"
+  }
 }
diff --git a/main.tf b/main.tf
@@ -72,7 +72,9 @@ module "service_accounts" {
   source    = "./modules/service_accounts"
   namespace = var.namespace
 
-  depends_on = [module.gke]
+  bucket_name = module.storage.bucket_name
+
+  depends_on = [module.gke, module.storage]
 }
 
 resource "google_compute_global_address" "this" {
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
@@ -19,6 +19,7 @@ locals {
     "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]",
     "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-worker]",
     "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-queue]",
+    "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-workspace-engine]",
   ]
 }
 
@@ -59,3 +60,9 @@ resource "google_project_iam_member" "gke_sa_token_creator" {
   role    = "roles/iam.serviceAccountTokenCreator"
   member  = local.sa_member
 }
+
+resource "google_storage_bucket_iam_member" "gke_sa_bucket_rw" {
+  bucket = var.bucket_name
+  role   = "roles/storage.objectAdmin"
+  member = local.sa_member
+}
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
@@ -2,3 +2,8 @@ variable "namespace" {
   description = "Namespace for the service accounts"
   type        = string
 }
+
+variable "bucket_name" {
+  description = "The GCS bucket name to grant access to"
+  type        = string
+}
diff --git a/modules/storage/outputs.tf b/modules/storage/outputs.tf
@@ -0,0 +1,4 @@
+output "bucket_name" {
+  value       = google_storage_bucket.this.name
+  description = "The name of the bucket."
+}

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,9 @@ module "service_accounts" {`
`72`	`72`	`source = "./modules/service_accounts"`
`73`	`73`	`namespace = var.namespace`
`74`	`74`
`75`		`- depends_on = [module.gke]`
	`75`	`+ bucket_name = module.storage.bucket_name`
	`76`	`+`
	`77`	`+ depends_on = [module.gke, module.storage]`
`76`	`78`	`}`
`77`	`79`
`78`	`80`	`resource "google_compute_global_address" "this" {`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ locals {`
`19`	`19`	`"serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]",`
`20`	`20`	`"serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-worker]",`
`21`	`21`	`"serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-queue]",`
	`22`	`+ "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-workspace-engine]",`
`22`	`23`	`]`
`23`	`24`	`}`
`24`	`25`
`@@ -59,3 +60,9 @@ resource "google_project_iam_member" "gke_sa_token_creator" {`
`59`	`60`	`role = "roles/iam.serviceAccountTokenCreator"`
`60`	`61`	`member = local.sa_member`
`61`	`62`	`}`
	`63`	`+`
	`64`	`+resource "google_storage_bucket_iam_member" "gke_sa_bucket_rw" {`
	`65`	`+ bucket = var.bucket_name`
	`66`	`+ role = "roles/storage.objectAdmin"`
	`67`	`+ member = local.sa_member`
	`68`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,8 @@ variable "namespace" {`
`2`	`2`	`description = "Namespace for the service accounts"`
`3`	`3`	`type = string`
`4`	`4`	`}`
	`5`	`+`
	`6`	`+variable "bucket_name" {`
	`7`	`+ description = "The GCS bucket name to grant access to"`
	`8`	`+ type = string`
	`9`	`+}`