From 5d7ada5de074f8f96a4d9da46f7bd3962e2855b6 Mon Sep 17 00:00:00 2001
From: Adam Ross
Date: Mon, 24 Apr 2023 15:49:16 -0700
Subject: [PATCH 1/2] fix: use google_project_iam_member to manage IAM permissions
---
 infra/iam.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/infra/iam.tf b/infra/iam.tf
index 715378b2..b7edcc54 100644
--- a/infra/iam.tf
+++ b/infra/iam.tf
@@ -49,7 +49,7 @@ resource "google_service_account" "compute" {
 }
 # Both the server and Cloud Build can access the database
-resource "google_project_iam_binding" "server_permissions" {
+resource "google_project_iam_member" "server_permissions" {
 project = var.project_id
 role = "roles/cloudsql.client"
 members = [local.server_SA, local.automation_SA]
@@ -58,7 +58,7 @@ resource "google_project_iam_binding" "server_permissions" {
 # Server needs introspection permissions
-resource "google_project_iam_binding" "server_introspection" {
+resource "google_project_iam_member" "server_introspection" {
 project = var.project_id
 role = "roles/run.viewer"
 members = [local.server_SA, local.client_SA]
@@ -66,7 +66,7 @@ resource "google_project_iam_binding" "server_introspection" {
 }
 # Client may need permission to deploy the front end
-resource "google_project_iam_binding" "client_permissions" {
+resource "google_project_iam_member" "client_permissions" {
 project = var.project_id
 role = "roles/firebasehosting.admin"
 members = [local.client_SA]
@@ -74,7 +74,7 @@ resource "google_project_iam_binding" "client_permissions" {
 }
 # GCE instance needs access to start Jobs
-resource "google_project_iam_binding" "computestartup_permissions" {
+resource "google_project_iam_member" "computestartup_permissions" {
 project = var.project_id
 role = "roles/run.developer"
 members = ["serviceAccount:${google_service_account.compute[0].email}"]
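Review bot: Switching these resources from google_project_iam_binding to google_project_iam_member changes the grants from authoritative to additive, and neither the hunk nor the commit message records that consequence. A binding resource removes any other principal that holds the role in the project, whereas a member resource only ensures its own principal is present, so principals granted roles/cloudsql.client, roles/run.viewer, roles/firebasehosting.admin or roles/run.developer outside Terraform now persist across applies instead of being reverted. That is very likely the intended fix (the binding form would have stripped those roles from anything else in the project), but the drift trade-off deserves a comment near the first grant, such as `# Grants below are additive (google_project_iam_member): they do not remove members added outside Terraform.` The same point applies to the hunks at @@ -58, @@ -66, @@ -74 and @@ -83 of this patch, and the resources are carried forward unchanged in kind by the second patch.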
@@ -83,7 +83,7 @@ resource "google_project_iam_binding" "computestartup_permissions" {
 }
 # Server needs to write to Cloud Trace
-resource "google_project_iam_binding" "server_traceagent" {
+resource "google_project_iam_member" "server_traceagent" {
 project = var.project_id
 role = "roles/cloudtrace.agent"
 members = [local.server_SA]
From 1b3b7078b46d9fbd3a2e434ce263d4a070f62906 Mon Sep 17 00:00:00 2001
From: Adam Ross
Date: Mon, 24 Apr 2023 16:01:14 -0700
Subject: [PATCH 2/2] fix: members => member and split resources per sa
---
 infra/iam.tf | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/infra/iam.tf b/infra/iam.tf
index b7edcc54..fcf331ec 100644
--- a/infra/iam.tf
+++ b/infra/iam.tf
@@ -48,28 +48,43 @@ resource "google_service_account" "compute" {
 count = var.init ? 1 : 0
 }
-# Both the server and Cloud Build can access the database
+# The Cloud Run server can access the database
 resource "google_project_iam_member" "server_permissions" {
 project = var.project_id
 role = "roles/cloudsql.client"
- members = [local.server_SA, local.automation_SA]
- depends_on = [google_service_account.server, google_service_account.automation]
+ member = local.server_SA
+ depends_on = [google_service_account.server]
 }
+# Cloud Build can access the database
+resource "google_project_iam_member" "build_permissions" {
+ project = var.project_id
+ role = "roles/cloudsql.client"
+ member = local.automation_SA
+ depends_on = [google_service_account.automation]
+}
 # Server needs introspection permissions
 resource "google_project_iam_member" "server_introspection" {
 project = var.project_id
 role = "roles/run.viewer"
- members = [local.server_SA, local.client_SA]
- depends_on = [google_service_account.server, google_service_account.client]
+ member = local.server_SA
+ depends_on = [google_service_account.server]
+}
+
+# Client needs introspection permissions
+resource "google_project_iam_member" "client_introspection" {
+ project = var.project_id
+ role = "roles/run.viewer"
+ member = local.client_SA
+ depends_on = [google_service_account.client]
 }
 # Client may need permission to deploy the front end
 resource "google_project_iam_member" "client_permissions" {
 project = var.project_id
 role = "roles/firebasehosting.admin"
- members = [local.client_SA]
+ member = local.client_SA
 depends_on = [google_service_account.client]
 }
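Review bot: The client service account keeps a project-wide roles/firebasehosting.admin grant whose own comment still says the client "may need" it, and the new client_introspection resource adds project-wide roles/run.viewer for the same account; both are wider than the per-principal split this commit introduces suggests. If the deploy permission is only needed in some environments, gate the resource the way computestartup_permissions is (`count = var.init ? 1 : 0`), or confirm it is required and reword the comment; if the introspection targets a single Cloud Run service, a google_cloud_run_service_iam_member on that service keeps roles/run.viewer off every other service in the project. google_project_iam_member also requires the principal to carry its type prefix, so local.server_SA, local.automation_SA and local.client_SA presumably already include `serviceAccount:` as the compute grant does — worth confirming, since the locals are defined outside this hunk. If those locals are derived from the service-account resources' email attributes, the explicit depends_on entries are redundant with the implicit dependency Terraform already records.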
@@ -77,7 +92,7 @@ resource "google_project_iam_member" "client_permissions" {
 resource "google_project_iam_member" "computestartup_permissions" {
 project = var.project_id
 role = "roles/run.developer"
- members = ["serviceAccount:${google_service_account.compute[0].email}"]
+ member = "serviceAccount:${google_service_account.compute[0].email}"
 depends_on = [google_service_account.compute]
 count = var.init ? 1 : 0
 }
@@ -86,6 +101,6 @@ resource "google_project_iam_member" "computestartup_permissions" {
 resource "google_project_iam_member" "server_traceagent" {
 project = var.project_id
 role = "roles/cloudtrace.agent"
- members = [local.server_SA]
+ member = local.server_SA
 depends_on = [google_service_account.server]
 }
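Review bot: roles/run.developer at project level is broader than the stated need ("start Jobs"): it also allows creating, updating and deleting every Cloud Run service and job in the project, and the credentials are available to any process on the GCE instance. If the instance only executes existing jobs, `role = "roles/run.invoker"` (which includes run.jobs.run) is sufficient and could be scoped to the job itself with google_cloud_run_v2_job_iam_member instead of the project; keep run.developer only if the startup script also creates or updates job definitions, and say so in the comment. The depends_on on google_service_account.compute is redundant here because member already references google_service_account.compute[0].email, which Terraform tracks as an implicit dependency; the same likely applies to server_traceagent in the hunk at @@ -86 if local.server_SA is derived from the server service account.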