Add cloud build viewer IAM member.

GoogleCloudPlatform · Apr 21, 2020 · ddefb52 · ddefb52
1 parent 690cc0f
commit ddefb52
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/Terraform/cicd/main.tf b/Terraform/cicd/main.tf
@@ -84,7 +84,18 @@ resource "google_project_service" "devops_apis" {
   disable_on_destroy = false
 }
 
-# Cloud Build - IAM permissions
+# IAM permissions to allow approvers and contributors to view the build results.
+resource "google_project_iam_member" "cloudbuild_viewers" {
+  for_each = toset(var.build_viewers)
+  project  = var.devops_project_id
+  role     = "roles/cloudbuild.builds.viewer"
+  member   = each.value
+  depends_on = [
+    google_project_service.devops_apis,
+  ]
+}
+
+# Cloud Build - Cloud Build Service Account IAM permissions
 # IAM permissions to allow Cloud Build SA to access state.
 resource "google_storage_bucket_iam_member" "cloudbuild_state_iam" {
   bucket = var.state_bucket

diff --git a/Terraform/cicd/terraform.tfvars b/Terraform/cicd/terraform.tfvars
@@ -21,3 +21,6 @@ branch_regex                  = "terraform"
 continuous_deployment_enabled = true
 trigger_enabled               = true
 terraform_root                = "Terraform"
+build_viewers = [
+  "group:rocketturtle-gcp-admin@rocketturtle.net",
+]
diff --git a/Terraform/cicd/variables.tf b/Terraform/cicd/variables.tf
@@ -58,3 +58,9 @@ variable "terraform_root" {
   description = "Path of the directory relative to the repo root containing the Terraform configs"
   default     = "."
 }
+
+variable "build_viewers" {
+  type        = list(string)
+  description = "List of IAM members to grant cloudbuild.builds.viewer role in the devops project to see CICD results"
+  default     = []
+}