Update workflow and service account

.github/workflows/terraform-validation.yml

@@ -43,8 +43,10 @@ jobs:
 
       - uses: 'google-github-actions/auth@v2'
         with:
+          create_credentials_file: 'true'
           project_id: cal-itp-data-infra-staging
           workload_identity_provider: 'projects/473674835135/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+          service_account: 'github-actions-terraform@cal-itp-data-infra-staging.iam.gserviceaccount.com'
 
       - uses: google-github-actions/setup-gcloud@v2
 
@@ -86,8 +88,10 @@ jobs:
 
       - uses: 'google-github-actions/auth@v2'
         with:
+          create_credentials_file: 'true'
           project_id: cal-itp-data-infra
           workload_identity_provider: 'projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+          service_account: 'github-actions-terraform@cal-itp-data-infra.iam.gserviceaccount.com'
 
       - uses: google-github-actions/setup-gcloud@v2
 

iac/cal-itp-data-infra-staging/iam/us/iam_worklkoad_identity.tf → iac/cal-itp-data-infra-staging/iam/us/iam_workload_identity.tf

@@ -1,3 +1,7 @@
+locals {
+  github_repository_name = "cal-itp/data-infra"
+}
+
 resource "google_iam_workload_identity_pool" "github-actions--pool" {
   workload_identity_pool_id = "github-actions-pool"
 }
@@ -22,5 +26,5 @@ resource "google_iam_workload_identity_pool_provider" "github-actions--provider"
 resource "google_service_account_iam_member" "github-actions--service-account" {
   service_account_id = google_service_account.tfer--terraform.id
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/473674835135/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github-actions--pool.workload_identity_pool_id}/attribute.repository/cal-itp/data-infra"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github-actions--pool.name}/attribute.repository/${local.github_repository_name}"
 }

iac/cal-itp-data-infra-staging/iam/us/outputs.tf

@@ -165,3 +165,11 @@ output "google_service_account_tfer--111824761856041678305_id" {
 output "google_service_account_tfer--111881979116192190399_id" {
   value = google_service_account.tfer--111881979116192190399.id
 }
+
+output "google_service_account_tfer--terraform_email" {
+  value = google_service_account.tfer--terraform.email
+}
+
+output "google_iam_workload_identity_pool_provider_github-actions--provider_name" {
+  value = google_iam_workload_identity_pool_provider.github-actions--provider.name
+}

iac/cal-itp-data-infra-staging/iam/us/project_iam_member.tf

@@ -219,3 +219,13 @@ resource "google_project_iam_member" "tfer--roles-002F-storage-002E-objectViewer
   project = "cal-itp-data-infra-staging"
   role    = "roles/storage.objectViewer"
 }
+
+resource "google_project_iam_member" "tfer--terraform-membership" {
+  for_each = toset([
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/editor"
+  ])
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.tfer--terraform.email}"
+  project = "cal-itp-data-infra-staging"
+}

iac/cal-itp-data-infra/iam/us/iam_workload_identity.tf

@@ -1,3 +1,7 @@
+locals {
+  github_repository_name = "cal-itp/data-infra"
+}
+
 resource "google_iam_workload_identity_pool" "github-actions--pool" {
   workload_identity_pool_id = "github-actions-pool"
 }
@@ -20,7 +24,7 @@ resource "google_iam_workload_identity_pool_provider" "github-actions--provider"
 }
 
 resource "google_service_account_iam_member" "github-actions--service-account" {
-  service_account_id = google_service_account.terraform.id
+  service_account_id = google_service_account.tfer--terraform.id
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/1005246706141/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github-actions--pool.workload_identity_pool_id}/attribute.repository/cal-itp/data-infra"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github-actions--pool.name}/attribute.repository/${local.github_repository_name}"
 }

iac/cal-itp-data-infra/iam/us/outputs.tf

@@ -505,3 +505,11 @@ output "google_service_account_tfer--117956330948086473326_id" {
 output "google_service_account_tfer--118350215382382143206_id" {
   value = google_service_account.tfer--118350215382382143206.id
 }
+
+output "google_service_account_terraform_email" {
+  value = google_service_account.tfer--terraform.email
+}
+
+output "google_iam_workload_identity_pool_provider_github-actions--provider_name" {
+  value = google_iam_workload_identity_pool_provider.github-actions--provider.name
+}

iac/cal-itp-data-infra/iam/us/project_iam_member.tf

@@ -537,3 +537,13 @@ resource "google_project_iam_member" "tfer--roles-002F-viewerserviceAccount-003A
   project = "cal-itp-data-infra"
   role    = "roles/viewer"
 }
+
+resource "google_project_iam_member" "tfer--terraform-membership" {
+  for_each = toset([
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/editor"
+  ])
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.tfer--terraform.email}"
+  project = "cal-itp-data-infra"
+}

iac/cal-itp-data-infra/iam/us/service_account.tf

@@ -248,7 +248,7 @@ resource "google_service_account" "tfer--118350215382382143206" {
   project      = "cal-itp-data-infra"
 }
 
-resource "google_service_account" "terraform" {
+resource "google_service_account" "tfer--terraform" {
   account_id   = "github-actions-terraform"
   description  = "Service account for Github Actions to run Terraform"
   disabled     = "false"