From 21c6a40ccafd5b1b8f126fce81c070d3b58b33fe Mon Sep 17 00:00:00 2001
From: jigold
Date: Mon, 13 Nov 2023 11:28:41 -0500
Subject: [PATCH] [services] Add cloudprofile.agent role to service accounts in terraform (#13978)
---
 infra/gcp-broad/main.tf | 16 ++++++++++++++++
 infra/gcp/main.tf | 10 ++++++++++
 2 files changed, 26 insertions(+)
diff --git a/infra/gcp-broad/main.tf b/infra/gcp-broad/main.tf
index 573f33239a1..a9c495f9af2 100644
--- a/infra/gcp-broad/main.tf
+++ b/infra/gcp-broad/main.tf
@@ -384,6 +384,10 @@ resource "google_sql_database_instance" "db" {
 }
 }
+ lifecycle {
+ ignore_changes = [settings.0.tier]
+ }
+
 timeouts {}
 }
@@ -412,6 +416,11 @@ resource "google_artifact_registry_repository" "repository" {
 format = "DOCKER"
 repository_id = "hail"
 location = var.artifact_registry_location
+
+ # https://github.com/hashicorp/terraform-provider-azurerm/issues/7396
+ lifecycle {
+ ignore_changes = [cleanup_policies, timeouts, cleanup_policy_dry_run]
+ }
 }
 resource "google_service_account" "gcr_push" {
@@ -458,6 +467,7 @@ module "auth_gsa_secret" {
 iam_roles = [
 "iam.serviceAccountAdmin",
 "iam.serviceAccountKeyAdmin",
+ "cloudprofiler.agent",
 ]
 }
@@ -467,6 +477,7 @@ module "testns_auth_gsa_secret" {
 project = var.gcp_project
 iam_roles = [
 "iam.serviceAccountViewer",
+ "cloudprofiler.agent",
 ]
 }
@@ -478,6 +489,7 @@ module "batch_gsa_secret" {
 "compute.instanceAdmin.v1",
 "iam.serviceAccountUser",
 "logging.viewer",
+ "cloudprofiler.agent",
 ]
 }
@@ -495,6 +507,7 @@ module "testns_batch_gsa_secret" {
 "compute.instanceAdmin.v1",
 "iam.serviceAccountUser",
 "logging.viewer",
+ "cloudprofiler.agent",
 ]
 }
@@ -508,6 +521,9 @@ module "ci_gsa_secret" {
 source = "./gsa"
 name = "ci"
 project = var.gcp_project
+ iam_roles = [
+ "cloudprofiler.agent",
+ ]
 }
 resource "google_artifact_registry_repository_iam_member" "artifact_registry_viewer" {
diff --git a/infra/gcp/main.tf b/infra/gcp/main.tf
index 8a28a21fdeb..3bfdafc32f5 100644
--- a/infra/gcp/main.tf
+++ b/infra/gcp/main.tf
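Review bot: The new `lifecycle { ignore_changes = [settings.0.tier] }` block on `google_sql_database_instance.db` has no comment saying why the tier is excluded, and it is unrelated to the profiler role named in the commit subject. With it in place, `terraform plan` no longer reports a database tier that differs from the configuration, so an out-of-band resize goes unnoticed in review. If the tier is deliberately managed by hand, I would add a line above the block such as `# tier is resized outside Terraform; do not revert it on apply`. The resource body starts outside this hunk.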
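Review bot: The comment above the new `lifecycle` block in `google_artifact_registry_repository.repository` links to an issue in the azurerm provider's tracker, but this resource belongs to the Google provider, so the link does not explain the workaround. Ignoring `cleanup_policies` and `cleanup_policy_dry_run` also means a plan never shows image-retention settings that were changed outside Terraform. I would replace the link with a one-line reason, for example `# provider reports a perpetual diff on these fields; cleanup policies are managed outside Terraform` if that is the case, plus the matching Google-provider issue.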
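Review bot: `"cloudprofiler.agent"` is appended to `iam_roles` of `auth_gsa_secret` with no comment saying why the account needs it. The same line is added to `testns_auth_gsa_secret`, `batch_gsa_secret`, `testns_batch_gsa_secret` and `ci_gsa_secret` below, and to the matching modules in infra/gcp/main.tf. These lists look like project-level grants, since each module receives `project = var.gcp_project`. If so, the test-namespace accounts get the same profiler write access in that project as the production ones, and it is worth confirming they need it. A short comment on each entry, e.g. `# lets the service upload profiles to Cloud Profiler`, would record the reason; the module blocks start outside these hunks.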
@@ -437,6 +437,7 @@ module "auth_gsa_secret" {
 iam_roles = [
 "iam.serviceAccountAdmin",
 "iam.serviceAccountKeyAdmin",
+ "cloudprofiler.agent",
 ]
 }
@@ -446,6 +447,7 @@ module "testns_auth_gsa_secret" {
 project = var.gcp_project
 iam_roles = [
 "iam.serviceAccountViewer",
+ "cloudprofiler.agent",
 ]
 }
@@ -458,6 +460,7 @@ module "batch_gsa_secret" {
 "iam.serviceAccountUser",
 "logging.viewer",
 "storage.admin",
+ "cloudprofiler.agent",
 ]
 }
@@ -475,6 +478,7 @@ module "testns_batch_gsa_secret" {
 "compute.instanceAdmin.v1",
 "iam.serviceAccountUser",
 "logging.viewer",
+ "cloudprofiler.agent",
 ]
 }
@@ -488,12 +492,18 @@ module "ci_gsa_secret" {
 source = "./gsa_k8s_secret"
 name = "ci"
 project = var.gcp_project
+ iam_roles = [
+ "cloudprofiler.agent",
+ ]
 }
 module "testns_ci_gsa_secret" {
 source = "./gsa_k8s_secret"
 name = "testns-ci"
 project = var.gcp_project
+ iam_roles = [
+ "cloudprofiler.agent",
+ ]
 }
 resource "google_storage_bucket_iam_member" "testns_ci_bucket_admin" {
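Review bot: In the last hunk `testns_ci_gsa_secret` gains `iam_roles = ["cloudprofiler.agent"]`, but the infra/gcp-broad/main.tf part of this patch only touches `ci_gsa_secret`. The two deployments may therefore end up with different grants for the test-namespace CI account. If gcp-broad defines a testns-ci account outside the visible hunks, it probably needs the same three lines; if it has no such account, a comment saying so would save the next reader the comparison. Neither `ci_gsa_secret` nor `testns_ci_gsa_secret` passed `iam_roles` before this change, so this is the first role set on them through that argument and deserves a one-line reason next to it.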