feat: Follow least privilege principal for backup service account (#597)

Co-authored-by: Imran Nayer <[email protected]>

Author: ps-occrp

modules/backup/main.tf

@@ -19,6 +19,7 @@ locals {
   create_service_account = var.service_account == null || var.service_account == "" ? true : false
   service_account        = local.create_service_account ? google_service_account.sql_backup_serviceaccount[0].email : var.service_account
   backup_name            = "sql-backup-${var.sql_instance}${var.unique_suffix}"
+  role_name              = var.enable_export_backup ? "roles/cloudsql.editor" : "roles/cloudsql.viewer"
   export_name            = var.use_sql_instance_replica_in_exporter ? "sql-export-${var.sql_instance_replica}${var.unique_suffix}" : "sql-export-${var.sql_instance}${var.unique_suffix}"
 }
 
@@ -38,8 +39,15 @@ resource "google_service_account" "sql_backup_serviceaccount" {
 resource "google_project_iam_member" "sql_backup_serviceaccount_sql_admin" {
   count   = local.create_service_account ? 1 : 0
   member  = "serviceAccount:${google_service_account.sql_backup_serviceaccount[0].email}"
-  role    = "roles/cloudsql.admin"
+  role    = local.role_name
   project = var.project_id
+  condition {
+    title      = "Limit access to instance ${var.sql_instance}"
+    expression = <<-EOT
+      (resource.type == "sqladmin.googleapis.com/Instance" &&
+       resource.name == "projects/${var.project_id}/instances/${var.sql_instance}")
+    EOT
+  }
 }
 
 resource "google_project_iam_member" "sql_backup_serviceaccount_workflow_invoker" {