From f661b2bbcc0dee3f0d8c733d9924edfcd9061afb Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Wed, 6 Mar 2024 11:38:06 +0200
Subject: [PATCH] modules/tuf: Add legacyBucketReader role for TUF SA

root-signing-staging uses "gcloud rsync" to upload files. This apparently fails without "storage.buckets.get": https://github.com/sigstore/root-signing-staging/issues/67

The root cause is likely a gcloud SDK bug (https://issuetracker.google.com/issues/323465176) but adding legacyBucketReader as a workaround seems harmless.

I'm not a terraform wizard but this "for each" mechanism seems to be used elsewhere for similar purposes.

Signed-off-by: Jussi Kukkonen
---
 terraform/gcp/modules/tuf/tuf.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/terraform/gcp/modules/tuf/tuf.tf b/terraform/gcp/modules/tuf/tuf.tf
index 73c9835bb..28f62ebdf 100644
--- a/terraform/gcp/modules/tuf/tuf.tf
+++ b/terraform/gcp/modules/tuf/tuf.tf
@@ -129,9 +129,13 @@ resource "google_storage_bucket_iam_member" "public_tuf_preprod_member" {
 }
 
 resource "google_storage_bucket_iam_member" "tuf_sa_preprod_editor" {
+ for_each = toset([
+ "roles/storage.objectUser",
+ "roles/storage.legacyBucketReader"
+ ])
+
 bucket = google_storage_bucket.tuf_preprod.name
- role = "roles/storage.objectUser"
+ role = each.key
 member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
-
 depends_on = [google_storage_bucket.tuf_preprod, google_service_account.tuf-sa]
 }
\ No newline at end of file
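Review bot: Adding `for_each` to an existing `google_storage_bucket_iam_member` changes its resource address from `google_storage_bucket_iam_member.tuf_sa_preprod_editor` to `google_storage_bucket_iam_member.tuf_sa_preprod_editor["roles/storage.objectUser"]`, so the next apply will plan a destroy of the old binding and a create of the new one, leaving the TUF service account briefly without `objectUser` on the preprod bucket unless the state is moved first. A `moved` block alongside the resource keeps the existing binding in place and only adds the new one; something like the excerpt below, or an equivalent `terraform state mv`, should accompany this change. The hunk also records nothing in the file about why `legacyBucketReader` is granted; the commit message calls it a workaround for a gcloud SDK bug, and that rationale belongs in a comment on the list element, e.g. `# workaround: gcloud rsync needs storage.buckets.get (root-signing-staging#67); remove once the SDK issue is fixed`, so the extra grant is revisited rather than silently kept. If other TUF IAM resources in this module (e.g. the prod counterpart) are switched to `for_each` the same way later, they will need the same `moved` treatment.
```hcl
# … unchanged: resource "google_storage_bucket_iam_member" "tuf_sa_preprod_editor" …

moved {
  from = google_storage_bucket_iam_member.tuf_sa_preprod_editor
  to   = google_storage_bucket_iam_member.tuf_sa_preprod_editor["roles/storage.objectUser"]
}
```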