Merge pull request #58 from cerebrotech/steved-iam-fix

Revert "remove docker-registry service account binding"
dominodatalab · Apr 28, 2020 · 978943c · 978943c
2 parents f3f7231 + 2edaf25
commit 978943c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/service-accounts.tf b/service-accounts.tf
@@ -76,3 +76,11 @@ resource "google_project_iam_member" "platform_monitoring" {
   role    = "roles/monitoring.metricWriter"
   member  = "serviceAccount:${google_service_account.platform.email}"
 }
+
+resource "google_service_account_iam_binding" "platform_docker_registry" {
+  service_account_id = google_service_account.platform.name
+  role               = "roles/iam.workloadIdentityUser"
+  members = [
+    "serviceAccount:${var.project}.svc.id.goog[${var.platform_namespace}/docker-registry]",
+  ]
+}
diff --git a/variables.tf b/variables.tf
@@ -194,3 +194,9 @@ variable "platform_node_type" {
   type    = string
   default = "n1-standard-8"
 }
+
+variable "platform_namespace" {
+  type        = string
+  description = "Platform namespace that is used for generating the service account binding for docker-registry"
+  default     = "domino-platform"
+}