[services] Add cloudprofile.agent role to service accounts in terrafo…

…rm (#13978)
hail-is · Nov 13, 2023 · 21c6a40 · 21c6a40
1 parent 0af3d31
commit 21c6a40
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/infra/gcp-broad/main.tf b/infra/gcp-broad/main.tf
@@ -384,6 +384,10 @@ resource "google_sql_database_instance" "db" {
     }
   }
 
+  lifecycle {
+     ignore_changes = [settings.0.tier]
+  }
+
   timeouts {}
 }
 
@@ -412,6 +416,11 @@ resource "google_artifact_registry_repository" "repository" {
   format = "DOCKER"
   repository_id = "hail"
   location = var.artifact_registry_location
+
+  # https://github.com/hashicorp/terraform-provider-azurerm/issues/7396
+  lifecycle {
+    ignore_changes = [cleanup_policies, timeouts, cleanup_policy_dry_run]
+  }
 }
 
 resource "google_service_account" "gcr_push" {
@@ -458,6 +467,7 @@ module "auth_gsa_secret" {
   iam_roles = [
     "iam.serviceAccountAdmin",
     "iam.serviceAccountKeyAdmin",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -467,6 +477,7 @@ module "testns_auth_gsa_secret" {
   project = var.gcp_project
   iam_roles = [
     "iam.serviceAccountViewer",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -478,6 +489,7 @@ module "batch_gsa_secret" {
     "compute.instanceAdmin.v1",
     "iam.serviceAccountUser",
     "logging.viewer",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -495,6 +507,7 @@ module "testns_batch_gsa_secret" {
     "compute.instanceAdmin.v1",
     "iam.serviceAccountUser",
     "logging.viewer",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -508,6 +521,9 @@ module "ci_gsa_secret" {
   source = "./gsa"
   name = "ci"
   project = var.gcp_project
+  iam_roles = [
+    "cloudprofiler.agent",
+  ]
 }
 
 resource "google_artifact_registry_repository_iam_member" "artifact_registry_viewer" {

diff --git a/infra/gcp/main.tf b/infra/gcp/main.tf
@@ -437,6 +437,7 @@ module "auth_gsa_secret" {
   iam_roles = [
     "iam.serviceAccountAdmin",
     "iam.serviceAccountKeyAdmin",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -446,6 +447,7 @@ module "testns_auth_gsa_secret" {
   project = var.gcp_project
   iam_roles = [
     "iam.serviceAccountViewer",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -458,6 +460,7 @@ module "batch_gsa_secret" {
     "iam.serviceAccountUser",
     "logging.viewer",
     "storage.admin",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -475,6 +478,7 @@ module "testns_batch_gsa_secret" {
     "compute.instanceAdmin.v1",
     "iam.serviceAccountUser",
     "logging.viewer",
+    "cloudprofiler.agent",
   ]
 }
 
@@ -488,12 +492,18 @@ module "ci_gsa_secret" {
   source = "./gsa_k8s_secret"
   name = "ci"
   project = var.gcp_project
+  iam_roles = [
+    "cloudprofiler.agent",
+  ]
 }
 
 module "testns_ci_gsa_secret" {
   source = "./gsa_k8s_secret"
   name = "testns-ci"
   project = var.gcp_project
+  iam_roles = [
+    "cloudprofiler.agent",
+  ]
 }
 
 resource "google_storage_bucket_iam_member" "testns_ci_bucket_admin" {