From f2c633ec307aa4459ea72a7f29ffb3c3ab8c0961 Mon Sep 17 00:00:00 2001
From: Camie Kim
Date: Fri, 13 Dec 2024 16:45:59 -0500
Subject: [PATCH 1/2] docs: Update main.tf

Per b/355941670 Associate workflow w/dedicated SA that can write logs
---
 eventarc/workflows/main.tf | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/eventarc/workflows/main.tf b/eventarc/workflows/main.tf
index 02194e2d1..41decf44f 100644
--- a/eventarc/workflows/main.tf
+++ b/eventarc/workflows/main.tf
@@ -16,18 +16,18 @@
 # [START eventarc_workflows_parent_tag]
 # [START eventarc_terraform_workflows_enableapis]
-# Enable Eventarc API
-resource "google_project_service" "eventarc" {
- service = "eventarc.googleapis.com"
- disable_on_destroy = false
-}
-
 # Enable Workflows API
 resource "google_project_service" "workflows" {
 service = "workflows.googleapis.com"
 disable_on_destroy = false
 }
+# Enable Eventarc API
+resource "google_project_service" "eventarc" {
+ service = "eventarc.googleapis.com"
+ disable_on_destroy = false
+}
+
 # Enable Pub/Sub API
 resource "google_project_service" "pubsub" {
 service = "pubsub.googleapis.com"
@@ -45,7 +45,7 @@ resource "google_service_account" "eventarc" {
 display_name = "Eventarc Workflows Service Account"
 }
-# Grant permission to invoke workflows
+# Grant permission to invoke Workflows
 resource "google_project_iam_member" "workflowsinvoker" {
 project = data.google_project.project.id
 role = "roles/workflows.invoker"
@@ -58,6 +58,13 @@ resource "google_project_iam_member" "eventreceiver" {
 role = "roles/eventarc.eventReceiver"
 member = "serviceAccount:${google_service_account.eventarc.email}"
 }
+ # Grant permission to write logs
+resource "google_project_iam_member" "logwriter" {
+ project = data.google_project.project.id
+ role = "roles/logging.logWriter"
+ member = "serviceAccount:${google_service_account.eventarc.email}"
+}
 # [END eventarc_workflows_create_serviceaccount]
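Review bot: The new `logwriter` binding, together with the `service_account = google_service_account.eventarc.email` line in the following hunk (@@ -92,6 +99,7), makes one service account both the principal that invokes the workflow (roles/workflows.invoker, roles/eventarc.eventReceiver) and the identity the workflow runs as, so every workflow step executes with all three project-level roles rather than only roles/logging.logWriter. That is more than a workflow that only needs to write logs requires, and nothing in the hunk records that the account is now shared; the Eventarc trigger that presumably consumes this SA is outside the visible hunks. I would add `# NOTE: this SA is also the runtime identity of google_workflows_workflow.default; every role bound here is available to workflow steps` above the logwriter resource, and for production consider a separate runtime SA that holds only roles/logging.logWriter.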
@@ -92,6 +99,7 @@ resource "google_workflows_workflow" "default" {
 name = "storage-workflow-tf"
 region = "us-central1"
 description = "Workflow that returns information about storage events"
+ service_account = google_service_account.eventarc.email
 deletion_protection = false # set to "true" in production

From 43ccdf54dfc8b5d9e7ea377d04ce11ce93e26c87 Mon Sep 17 00:00:00 2001
From: Camie Kim
Date: Fri, 13 Dec 2024 16:54:00 -0500
Subject: [PATCH 2/2] docs: Update main.tf

Apply terraform fmt
---
 eventarc/workflows/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/eventarc/workflows/main.tf b/eventarc/workflows/main.tf
index 41decf44f..a2c37c6da 100644
--- a/eventarc/workflows/main.tf
+++ b/eventarc/workflows/main.tf
@@ -96,9 +96,9 @@ resource "google_project_iam_member" "pubsubpublisher" {
 # [START eventarc_workflows_deploy]
 # Create a workflow
 resource "google_workflows_workflow" "default" {
- name = "storage-workflow-tf"
- region = "us-central1"
- description = "Workflow that returns information about storage events"
+ name = "storage-workflow-tf"
+ region = "us-central1"
+ description = "Workflow that returns information about storage events"
 service_account = google_service_account.eventarc.email
 deletion_protection = false # set to "true" in production