chore: use less privilege roles for ci service account (#965)
q2w authored Jan 2, 2025
1 parent b3e801f commit c42536c
Showing 11 changed files with 1 addition and 20 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -90,6 +90,7 @@ docker_test_lint:
.PHONY: docker_generate_docs
docker_generate_docs:
docker run --rm -it \
-e ENABLE_BPMETADATA \
-v "${CURDIR}":/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
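Review bot: `-e ENABLE_BPMETADATA \` (presumably the single addition in this hunk) passes the variable with no value, so docker copies whatever the invoking shell has exported and silently omits it when unset; the generated docs therefore depend on the caller's environment rather than on anything declared in the Makefile. A comment above the recipe, `# ENABLE_BPMETADATA is forwarded from the caller's environment when set; unset means default generate_docs behaviour`, or an explicit `ENABLE_BPMETADATA ?=` default passed as `-e ENABLE_BPMETADATA=$(ENABLE_BPMETADATA)`, makes the behaviour visible and reproducible. The commit title mentions only the IAM role changes, so the reason for this Makefile change would be worth a sentence in the description as well.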
2 changes: 0 additions & 2 deletions metadata.yaml
Expand Up @@ -361,15 +361,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/budget/metadata.yaml
Expand Up @@ -127,15 +127,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/essential_contacts/metadata.yaml
Expand Up @@ -84,15 +84,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/fabric-project/metadata.yaml
Expand Up @@ -158,15 +158,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/gsuite_enabled/metadata.yaml
Expand Up @@ -255,15 +255,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/project_services/metadata.yaml
Expand Up @@ -109,15 +109,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/quota_manager/metadata.yaml
Expand Up @@ -84,15 +84,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/shared_vpc_access/metadata.yaml
Expand Up @@ -111,15 +111,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions modules/svpc_service_project/metadata.yaml
Expand Up @@ -242,15 +242,13 @@ spec:
- roles/resourcemanager.tagUser
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
2 changes: 0 additions & 2 deletions test/setup/iam.tf
Expand Up @@ -16,7 +16,6 @@

locals {
int_required_project_roles = [
"roles/owner",
"roles/compute.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectIamAdmin",
Expand All @@ -26,7 +25,6 @@ locals {
]

int_required_folder_roles = [
"roles/owner",
"roles/resourcemanager.projectCreator",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.folderIamAdmin",
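Review bot: With `"roles/owner"` dropped from `int_required_project_roles`, the list still carries `roles/resourcemanager.projectIamAdmin` and `roles/iam.serviceAccountAdmin`, and `int_required_folder_roles` still carries `roles/resourcemanager.folderIamAdmin`; those bindings let the CI service account modify IAM policy on the test projects and folder, so the change removes owner's implicit permissions but not the account's ability to re-grant broad roles to itself or others. A comment on each list recording why the remaining roles are needed would keep the next contributor from re-adding owner for convenience, e.g. `# roles/owner intentionally omitted (#965); the *IamAdmin roles below can still grant any role, so add entries only with a concrete need`. The `locals` block closes outside the hunk and the tail of both lists is not visible here, so this assessment covers only the lines shown.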
