Commit f62bffe6 authored by Adam Robinson's avatar Adam Robinson

fix IAM roles for service accounts and users

parent 62b33aa4
......@@ -86,6 +86,26 @@ resource "google_project_iam_custom_role" "BigQueryDataViewer_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataViewer_NO_Export"
title = "BigQuery Data Viewer - No Export"
description = "BigQuery Data Viewer minus bigquery.tables.export and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
resource "google_project_iam_custom_role" "BigQuerySchemaViewer" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQuerySchemaViewer"
title = "BigQuery Schema Viewer"
description = "BigQuery Data Viewer minus bigquery.tables.export, bigquery.tables.getData, and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
......@@ -118,7 +138,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.read-only_group_email] : []
content {
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
role = google_project_iam_custom_role.BigQuerySchemaViewer[each.key].id
group_by_email = access.value
}
}
......@@ -145,7 +165,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key != "data" ? [local.worker_project_email[each.key]] : []
content {
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
role = google_project_iam_custom_role.BigQuerySchemaViewer[each.key].id
group_by_email = access.value
}
}
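Review bot: The switch to BigQuerySchemaViewer on the `role =` lines in the second and third hunks is a privilege reduction the commit does not document: by the description added in the first hunk, that role omits bigquery.tables.getData, so the read-only group on the "data" dataset and the worker-project accounts on the other datasets lose row-level read and keep only metadata access. If that is the intent, a one-line comment at each binding would stop the next reader from treating it as a typo, e.g. `# schema-only on purpose: this principal must not read row data`. The permissions list of BigQuerySchemaViewer lies outside the first hunk (the resource continues past `stage = "GA"`), so whether getData is actually absent cannot be confirmed here and should be checked against the description. BigQueryDataViewer_NO_Export is no longer referenced in the visible hunks; if it has no remaining bindings elsewhere, consider retiring it rather than leaving an unused custom role with data-read permissions in each project.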
......