From 99be88a9437e461add9aea3fed3b19d86f295be2 Mon Sep 17 00:00:00 2001
From: Henrik Brautaset Aronsen
Date: Wed, 18 Feb 2026 14:57:20 +0100
Subject: [PATCH] more servicelinker terraform glue
---
 terraform/iam.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 4eb70840..f260ba92 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -22,4 +22,21 @@ resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueuePublisherRole
 topic = google_pubsub_topic.ServicelinkerStatusQueue.name
 role = "roles/pubsub.publisher"
 member = var.servicelinker_service_account
+}
+
+# Servicelinker's Terraform SA needs roles/pubsub.subscriber (which includes
+# pubsub.topics.attachSubscription) on these topics so it can create
+# cross-project subscriptions from ent-servicelnk-* to ent-marduk-*.
+resource "google_pubsub_topic_iam_member" "ServicelinkerInboundQueueSubscriberRole" {
+ project = var.gcp_resources_project
+ topic = google_pubsub_topic.ServicelinkerInboundQueue.name
+ role = "roles/pubsub.subscriber"
+ member = var.servicelinker_service_account
+}
+
+resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueueSubscriberRole" {
+ project = var.gcp_resources_project
+ topic = google_pubsub_topic.ServicelinkerStatusQueue.name
+ role = "roles/pubsub.subscriber"
+ member = var.servicelinker_service_account
 }
\ No newline at end of file
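Review bot: The new comment says the grant is for Servicelinker's Terraform SA, but both added bindings use `member = var.servicelinker_service_account`, the same variable as the `roles/pubsub.publisher` binding in the context lines. If that variable holds the runtime identity, the principal that publishes to ServicelinkerStatusQueue can now also attach subscriptions to it and to ServicelinkerInboundQueue. `pubsub.topics.attachSubscription` lets the holder attach a subscription from any project where it is allowed to create one, so these two bindings are what controls where the topics' messages can be delivered. I would either bind a dedicated deploy-time identity (for example `member = var.<servicelinker_terraform_sa>`, placeholder name) or extend the comment to state that the variable is the Terraform SA and that the grant is deliberately topic-scoped. The variable's definition is outside the hunk, so which identity it holds cannot be confirmed from here.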