FIX: Give GHA service account access to bucket

cortadocodes · cortadocodes · commit 93b7f7a074f6 · 2025-03-03T12:24:07.000Z
diff --git a/iam_roles_github_actions.tf b/iam_roles_github_actions.tf
@@ -0,0 +1,26 @@
+resource "google_project_iam_member" "github_actions__roles" {
+  for_each = toset(
+    [
+      "roles/iam.serviceAccountUser",
+      "roles/pubsub.editor",
+      "roles/errorreporting.writer",
+      "roles/artifactregistry.writer",
+      "roles/storage.objectAdmin",
+      # Allows the GHA to call "namespaces get" for Cloud Run to determine the resulting run URLs of the services.
+      # This should also allow a service to get its own name by using:
+      #   https://stackoverflow.com/questions/65628822/google-cloud-run-can-a-service-know-its-own-url/65634104#65634104
+      "roles/run.developer",
+    ]
+  )
+  project    = var.google_cloud_project_id
+  role       = each.value
+  member     = "serviceAccount:${google_service_account.github_actions_service_account.email}"
+  depends_on = [time_sleep.wait_for_google_apis_to_enable]
+}
+
+
+resource "google_storage_bucket_iam_member" "github_actions__default_bucket__storage__object_admin" {
+  bucket   = google_storage_bucket.default.name
+  role     = "roles/storage.objectAdmin"
+  member   = "serviceAccount:${google_service_account.github_actions_service_account.email}"
+}
diff --git a/iam_service_accounts.tf b/iam_service_accounts.tf
@@ -7,27 +7,6 @@ resource "google_service_account" "github_actions_service_account" {
 }
 
 
-resource "google_project_iam_member" "github_actions__roles" {
-  for_each = toset(
-    [
-      "roles/iam.serviceAccountUser",
-      "roles/pubsub.editor",
-      "roles/errorreporting.writer",
-      "roles/artifactregistry.writer",
-      "roles/storage.objectAdmin",
-      # Allows the GHA to call "namespaces get" for Cloud Run to determine the resulting run URLs of the services.
-      # This should also allow a service to get its own name by using:
-      #   https://stackoverflow.com/questions/65628822/google-cloud-run-can-a-service-know-its-own-url/65634104#65634104
-      "roles/run.developer",
-    ]
-  )
-  project    = var.google_cloud_project_id
-  role       = each.value
-  member     = "serviceAccount:${google_service_account.github_actions_service_account.email}"
-  depends_on = [time_sleep.wait_for_google_apis_to_enable]
-}
-
-
 resource "google_service_account" "developers" {
   for_each     = var.developer_service_account_names
   account_id   = each.key
