fix roles and propagation

renato-rudnicki · renato-rudnicki · commit 0a81171e7f6e · 2025-09-10T15:19:23.000-03:00
diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -65,19 +65,18 @@ resource "google_storage_bucket_iam_member" "cloudbuild_storage_read" {
   member = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
 }
 
-resource "google_storage_bucket_iam_member" "bucket_object_admin" {
-  bucket = "${local.cloudbuild_project_id}_cloudbuild"
-  role   = "roles/storage.objectAdmin"
-  member = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
+resource "google_storage_bucket_iam_member" "cloudbuild_sa_storage_admin" {
+  bucket = module.infra_pipelines[0].log_buckets["bu1-example-app"]
+  role   = "roles/storage.admin"
+  member = "serviceAccount:tf-cb-builder-sa@${local.cloudbuild_project_id}.iam.gserviceaccount.com"
 }
 
-resource "google_storage_bucket_iam_member" "bucket_object_viewer" {
+resource "google_storage_bucket_iam_member" "cloudbuild_bucket_admin" {
   bucket = "${local.cloudbuild_project_id}_cloudbuild"
-  role   = "roles/storage.objectViewer"
+  role   = "roles/storage.admin"
   member = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
 }
 
-
 module "app_infra_cloudbuild_project" {
   source = "../../modules/single_project"
   count  = local.enable_cloudbuild_deploy ? 1 : 0
@@ -133,8 +132,8 @@ resource "time_sleep" "wait_iam_propagation" {
     google_storage_bucket_iam_member.cloudbuild_storage_read,
     google_artifact_registry_repository_iam_member.builder_on_artifact_registry,
     google_project_iam_member.cloudbuild_logging,
-    google_storage_bucket_iam_member.bucket_object_viewer,
-    google_storage_bucket_iam_member.bucket_object_admin,
+    google_storage_bucket_iam_member.cloudbuild_sa_storage_admin,
+    google_storage_bucket_iam_member.cloudbuild_bucket_admin,
   ]
 }
 
diff --git a/5-app-infra/modules/confidential_space/main.tf b/5-app-infra/modules/confidential_space/main.tf
@@ -134,9 +134,21 @@ module "confidential_compute_instance" {
   resource_manager_tags = local.resource_manager_tags
 }
 
+resource "time_sleep" "wait_workload_pool_propagation" {
+  create_duration = "60s"
+
+  depends_on = [
+    google_iam_workload_identity_pool.confidential_space_pool
+  ]
+}
+
 resource "google_service_account_iam_member" "workload_identity_binding" {
   service_account_id = "projects/${local.env_project_id}/serviceAccounts/${local.confidential_space_workload_sa}"
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/projects/${local.confidential_space_project_number}/locations/global/workloadIdentityPools/confidential-space-pool/*"
+
+  depends_on = [
+    time_sleep.wait_workload_pool_propagation
+  ]
 }
 
