From 9feb7475d2b158b713a1678f8f20cc1f529f0438 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Tue, 2 Jul 2024 15:37:14 -0700
Subject: [PATCH] Allow rekor service account to post to metrics
The rekor service account was assigned the cloudsql.client to allow it to connect to MySQL, but it was not given permission to report metrics for doing so. Copy the permissions that the trillian logserver user has to post to Stackdriver.
Signed-off-by: Colleen Murphy
---
 terraform/gcp/modules/rekor/service_accounts.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/terraform/gcp/modules/rekor/service_accounts.tf b/terraform/gcp/modules/rekor/service_accounts.tf
index 510460df4..25fd5dc1a 100644
--- a/terraform/gcp/modules/rekor/service_accounts.tf
+++ b/terraform/gcp/modules/rekor/service_accounts.tf
@@ -62,3 +62,17 @@ resource "google_project_iam_member" "db_admin_member_rekor" {
 member = "serviceAccount:${google_service_account.rekor-sa.email}"
 depends_on = [google_service_account.rekor-sa]
 }
+
+resource "google_project_iam_member" "logserver_iam" {
+ # // Give rekor permission to export metrics to Stackdriver
+ for_each = toset([
+ "roles/logging.logWriter",
+ "roles/monitoring.metricWriter",
+ "roles/stackdriver.resourceMetadata.writer",
+ "roles/cloudtrace.agent"
+ ])
+ project = var.project_id
+ role = each.key
+ member = "serviceAccount:${google_service_account.rekor-sa.email}"
+ depends_on = [google_service_account.rekor-sa]
+}
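Review bot: The new resource is named `logserver_iam`, a name carried over from the trillian module, yet it binds roles to the rekor service account; a name such as `rekor_metrics_iam` would read correctly, and the leading comment should be `# Give rekor permission to export metrics to Stackdriver` without the stray `//` after the `#`. The role set is also wider than the stated need of reporting Cloud SQL connection metrics: `roles/monitoring.metricWriter` is what metric export requires, while `roles/cloudtrace.agent` and `roles/stackdriver.resourceMetadata.writer` additionally grant trace and resource-metadata writes that rekor may never use, so each role copied from the logserver set is worth confirming against what the rekor process actually emits before granting it at project scope. Separately, `depends_on = [google_service_account.rekor-sa]` is redundant because `member` already references `google_service_account.rekor-sa.email`, creating the dependency implicitly, though it does match the style of the sibling `db_admin_member_rekor` resource above.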