
Commit c804959

authored
Move custom role out of module (#71)
Ensure this role isn't recreated by new instantiations of the module. Signed-off-by: Colleen Murphy <[email protected]>
1 parent 711c3f2 commit c804959


3 files changed

+12
-23
lines changed


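--- a/gcp/modules/tiles_tlog/monitoring.tf
+++ b/gcp/modules/tiles_tlog/monitoring.tf
@@ -14,20 +14,10 @@
 * limitations under the License.
 */
 
-resource "google_project_iam_custom_role" "monitoring_metrics_descriptors" {
-project = var.project_id
-role_id = "OTelMetrics"
-title = "OTel metrics management"
-description = "grant permissions on project for OTel metrics management"
-permissions = [
-"monitoring.metricDescriptors.create",
-]
-}
-
 resource "google_project_iam_member" "tessera_metric_descriptors_creator" {
 count = var.freeze_shard ? 0 : 1
 project = var.project_id
-role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.monitoring_metrics_descriptors.role_id}"
+role = "projects/${var.project_id}/roles/${var.monitoring_role_id}"
 member = local.workload_iam_member_id
 depends_on = [google_project_iam_custom_role.monitoring_metrics_descriptors]
 }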
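Review bot: The unchanged `depends_on = [google_project_iam_custom_role.monitoring_metrics_descriptors]` in `tessera_metric_descriptors_creator` still references the custom role resource that this section deletes. Unless that resource is declared elsewhere in the module, `terraform validate` should reject the module with a reference to an undeclared resource. The line should be removed, since the role now arrives through `var.monitoring_role_id` and is created outside the module. The same leftover is in spanner.tf, where `tiles_project_timeseries_creator` keeps `depends_on = [google_project_iam_custom_role.monitoring_timeseries]`. With the dependency edge gone, the binding only applies cleanly if the caller has already created the role, which deserves a short comment on each binding.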

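--- a/gcp/modules/tiles_tlog/spanner.tf
+++ b/gcp/modules/tiles_tlog/spanner.tf
@@ -56,21 +56,10 @@ resource "google_spanner_instance_iam_member" "tiles_spanner_db_admin" {
 depends_on = [google_spanner_instance.tessera]
 }
 
-resource "google_project_iam_custom_role" "monitoring_timeseries" {
-project = var.project_id
-role_id = "SpannerMonitoringTimeseries"
-title = "spanner monitoring timeseries"
-description = "grant permissions on project for spanner database-related timeseries creation"
-permissions = [
-"monitoring.timeSeries.create",
-"monitoring.timeSeries.list"
-]
-}
-
 resource "google_project_iam_member" "tiles_project_timeseries_creator" {
 count = var.freeze_shard ? 0 : 1
 project = var.project_id
-role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.monitoring_timeseries.role_id}"
+role = "projects/${var.project_id}/roles/${var.spanner_timeseries_role_id}"
 member = local.workload_iam_member_id
 depends_on = [google_project_iam_custom_role.monitoring_timeseries]
 }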

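--- a/gcp/modules/tiles_tlog/variables.tf
+++ b/gcp/modules/tiles_tlog/variables.tf
@@ -211,3 +211,13 @@ variable "enable_backend_service_logging" {
 type = bool
 default = true
 }
+
+variable "spanner_timeseries_role_id" {
+description = "name of the project role for managing timeseries entries for Spanner - role must include permissions `monitoring.timeSeries.create` and `monitoring.timeSeries.list`"
+type = string
+}
+
+variable "monitoring_role_id" {
+description = "name of the project role for managing metrics - role must include permissions `monitoring.metricDescriptors.create`"
+type = string
+}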
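Review bot: Both new variables accept any string, and the module binds the workload identity to whatever project role that string names, so the permissions the workload ends up with are no longer fixed by this module. The descriptions say the role "must include" the listed permissions; for least privilege they should say the role is expected to grant only those permissions, and that the value is the role ID rather than a display name. A `validation` block with `condition = can(regex("^[a-zA-Z0-9_.]{3,64}$", var.monitoring_role_id))` (the custom role ID format as I understand it, worth confirming against the provider docs) would reject a full `projects/.../roles/...` path or a predefined role name passed by mistake. That matters because the value is interpolated directly into `projects/${var.project_id}/roles/...`. The same check applies to `spanner_timeseries_role_id`.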
