chore: use less privileged roles for deploying bigquery module

ayushmjain · ayushmjain · commit 0821f24fe2ee · 2025-03-03T10:00:41.000Z
diff --git a/metadata.display.yaml b/metadata.display.yaml
@@ -22,7 +22,7 @@ spec:
   info:
     title: terraform-google-bigquery
     source:
-      repo: https://github.com/ayushmjain/terraform-google-bigquery
+      repo: https://github.com/terraform-google-modules/terraform-google-bigquery
       sourceType: git
   ui:
     input:
diff --git a/metadata.yaml b/metadata.yaml
@@ -22,9 +22,9 @@ spec:
   info:
     title: terraform-google-bigquery
     source:
-      repo: https://github.com/ayushmjain/terraform-google-bigquery
+      repo: https://github.com/terraform-google-modules/terraform-google-bigquery
       sourceType: git
-    version: 1.0.4
+    version: 9.0.0
     actuationTool:
       flavor: Terraform
       version: ">= 1.3"
@@ -382,8 +382,6 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/authorization/metadata.yaml b/modules/authorization/metadata.yaml
@@ -94,8 +94,6 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/data_warehouse/metadata.yaml b/modules/data_warehouse/metadata.yaml
@@ -136,8 +136,6 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/scheduled_queries/metadata.yaml b/modules/scheduled_queries/metadata.yaml
@@ -60,8 +60,6 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/udf/metadata.yaml b/modules/udf/metadata.yaml
@@ -64,8 +64,6 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -16,9 +16,7 @@
 
 locals {
   int_required_roles = [
-    "roles/bigquery.admin",
-    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
-    "roles/owner" // TODO: Descope
+    "roles/bigquery.admin"
   ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -16,9 +16,7 @@`
`16`	`16`
`17`	`17`	`locals {`
`18`	`18`	`int_required_roles = [`
`19`		`- "roles/bigquery.admin",`
`20`		`- "roles/cloudkms.cryptoKeyEncrypterDecrypter",`
`21`		`- "roles/owner" // TODO: Descope`
	`19`	`+ "roles/bigquery.admin"`
`22`	`20`	`]`
`23`	`21`	`}`
`24`	`22`