add cloud run invoker to cloud run service account

datakind · Jan 30, 2025 · 8b45123 · 8b45123
1 parent 7eded96
commit 8b45123
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -31,6 +31,7 @@ module "network" {
 module "iam" {
   source = "./modules/iam"
 
+  project     = var.project
   environment = var.environment
 }
 

diff --git a/terraform/modules/iam/main.tf b/terraform/modules/iam/main.tf
@@ -5,6 +5,10 @@ variable "required_services" {
   ]
 }
 
+variable "project" {
+  type = string
+}
+
 variable "environment" {
   type = string
 }
@@ -21,6 +25,13 @@ resource "google_service_account" "cloudrun_sa" {
   display_name = "${var.environment} Cloud Run Service Account"
 }
 
+# Add the cloud run invoker role to the service account
+resource "google_project_iam_member" "cloudrun_sa_invoker" {
+  project = var.project
+  role    = "roles/run.invoker"
+  member  = "serviceAccount:${google_service_account.cloudrun_sa.email}"
+}
+
 output "cloud_run_service_account_email" {
   value = google_service_account.cloudrun_sa.email
 }