Skip to content

another stab at more servicelinker terraform glue #774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
henrik242 merged 1 commit into from
Feb 19, 2026
+14 −7
Merged

another stab at more servicelinker terraform glue #774

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion terraform/env/kub-ent-dev.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,5 @@ antu_netex_validation_status_queue_topic = "projects/ent-antu-dev/topics/AntuNet
bucket_instance_suffix="dev"
ashur_service_account="serviceAccount:application@ent-ashur-dev.iam.gserviceaccount.com"
marduk_exchange_storage_bucket="marduk-exchange-dev"
servicelinker_service_account="serviceAccount:application@ent-servicelnk-dev.iam.gserviceaccount.com"
servicelinker_service_account="serviceAccount:application@ent-servicelnk-dev.iam.gserviceaccount.com"
servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-dev@ent-github-shr.iam.gserviceaccount.com"
1 change: 1 addition & 0 deletions terraform/env/kub-ent-prd.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ bucket_instance_suffix="production"
ashur_service_account="serviceAccount:application@ent-ashur-prd.iam.gserviceaccount.com"
marduk_exchange_storage_bucket="marduk-exchange-production"
servicelinker_service_account="serviceAccount:application@ent-servicelnk-prd.iam.gserviceaccount.com"
servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-prd@ent-github-shr.iam.gserviceaccount.com"

labels = {
manager = "terraform"
Expand Down
3 changes: 2 additions & 1 deletion terraform/env/kub-ent-tst.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,5 @@ antu_netex_validation_status_queue_topic = "projects/ent-antu-tst/topics/AntuNet
bucket_instance_suffix="test"
ashur_service_account="serviceAccount:application@ent-ashur-tst.iam.gserviceaccount.com"
marduk_exchange_storage_bucket="marduk-exchange-test"
servicelinker_service_account="serviceAccount:application@ent-servicelnk-tst.iam.gserviceaccount.com"
servicelinker_service_account="serviceAccount:application@ent-servicelnk-tst.iam.gserviceaccount.com"
servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-tst@ent-github-shr.iam.gserviceaccount.com"
10 changes: 5 additions & 5 deletions terraform/iam.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,19 +24,19 @@ resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueuePublisherRole
member = var.servicelinker_service_account
}

# Servicelinker's Terraform SA needs roles/pubsub.subscriber (which includes
# pubsub.topics.attachSubscription) on these topics so it can create
# cross-project subscriptions from ent-servicelnk-* to ent-marduk-*.
# Servicelinker's GitHub Actions Terraform SA (via Workload Identity Federation)
# needs roles/pubsub.subscriber (which includes pubsub.topics.attachSubscription)
# on these topics to create cross-project subscriptions from ent-servicelnk-* to ent-marduk-*.
resource "google_pubsub_topic_iam_member" "ServicelinkerInboundQueueSubscriberRole" {
project = var.gcp_resources_project
topic = google_pubsub_topic.ServicelinkerInboundQueue.name
role = "roles/pubsub.subscriber"
member = var.servicelinker_service_account
member = var.servicelinker_terraform_service_account
}

resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueueSubscriberRole" {
project = var.gcp_resources_project
topic = google_pubsub_topic.ServicelinkerStatusQueue.name
role = "roles/pubsub.subscriber"
member = var.servicelinker_service_account
member = var.servicelinker_terraform_service_account
}
4 changes: 4 additions & 0 deletions terraform/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,10 @@ variable "servicelinker_service_account" {
description = "The service account of the servicelinker application"
}

variable "servicelinker_terraform_service_account" {
description = "The GitHub Actions Terraform SA for servicelinker (via Workload Identity Federation), needs roles/pubsub.subscriber on Servicelinker topics to create cross-project subscriptions"
}

variable "marduk_exchange_storage_bucket" {
description = "The bucket used to exchange files with Marduk"
}