Give GCP Cloud Function an explicit service account to build/publish code

BSick7 · BSick7 · commit 32e8c4ff1b2c · 2025-12-12T08:59:46.000-05:00
diff --git a/gcp/tf/builder.tf b/gcp/tf/builder.tf
@@ -0,0 +1,36 @@
+// The builder service account has enough permissions to build the code for the cloud function
+
+locals {
+  truncated_len = min(length(var.name), 28 - length("builder-"))
+  builder_name  = "builder-${substr(var.name, 0, local.truncated_len)}"
+}
+
+resource "google_service_account" "builder" {
+  account_id   = local.builder_name
+  display_name = "Builder for pg db admin ${var.name}"
+}
+
+// Allow cloud builder to impersonate the builder service account
+resource "google_service_account_iam_member" "cloudbuild_impersonate_cf_build" {
+  service_account_id = google_service_account.builder.name
+  role               = "roles/iam.serviceAccountUser"
+  member             = "serviceAccount:${local.project_number}@cloudbuild.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "builder_build" {
+  project = local.project_id
+  role    = "roles/cloudbuild.builds.builder"
+  member  = "serviceAccount:${google_service_account.builder.email}"
+}
+
+resource "google_project_iam_member" "builder_publish_artifacts" {
+  project = local.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.builder.email}"
+}
+
+resource "google_project_iam_member" "builder_code_access" {
+  project = local.project_id
+  role    = "roles/storage.objectViewer"
+  member  = "serviceAccount:${google_service_account.builder.email}"
+}
diff --git a/gcp/tf/function.tf b/gcp/tf/function.tf
@@ -12,8 +12,9 @@ resource "google_cloudfunctions2_function" "function" {
   labels      = var.labels
 
   build_config {
-    runtime     = "go125"
-    entry_point = "pg-db-admin"
+    runtime         = "go125"
+    entry_point     = "pg-db-admin"
+    service_account = google_service_account.builder.email
 
     environment_variables = {
       "SOURCE_HASH" : filebase64sha256(local.package_filename)
diff --git a/gcp/tf/gcp.tf b/gcp/tf/gcp.tf
@@ -1,9 +1,11 @@
 data "google_client_config" "this" {}
+data "google_project" "this" {}
 
 locals {
-  project_id    = data.google_client_config.this.project
-  region        = data.google_client_config.this.region
-  region_prefix = lower(substr(local.region, 0, 2))
+  project_id     = data.google_client_config.this.project
+  project_number = data.google_project.this.number
+  region         = data.google_client_config.this.region
+  region_prefix  = lower(substr(local.region, 0, 2))
 }
 
 resource "google_project_service" "run" {
