From 6663302a54534ed5bf596dd86198c312e15684ac Mon Sep 17 00:00:00 2001
From: Aditya Choudhari
Date: Thu, 23 Oct 2025 11:01:05 -0700
Subject: [PATCH] chore: Add bucket rw iam binding
---
 examples/basic/main.tf | 5 +++++
 main.tf | 4 +++-
 modules/service_accounts/main.tf | 7 +++++++
 modules/service_accounts/variables.tf | 5 +++++
 modules/storage/outputs.tf | 4 ++++
 5 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 modules/storage/outputs.tf
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index a70dac0..da1f5db 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -24,4 +24,9 @@ module "ctrlplane" {
 source = "../../"
 namespace = var.namespace
 domains = ["example.com"]
+ fqdn = "example.com"
+ google_auth = {
+ client_id = "1234567890"
+ client_secret = "1234567890"
+ }
 }
diff --git a/main.tf b/main.tf
index dea5d88..0a1f774 100644
--- a/main.tf
+++ b/main.tf
@@ -72,7 +72,9 @@ module "service_accounts" {
 source = "./modules/service_accounts"
 namespace = var.namespace
- depends_on = [module.gke]
+ bucket_name = module.storage.bucket_name
+
+ depends_on = [module.gke, module.storage]
 }
 resource "google_compute_global_address" "this" {
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
index 3490b08..abeb8e2 100644
--- a/modules/service_accounts/main.tf
+++ b/modules/service_accounts/main.tf
@@ -19,6 +19,7 @@ locals {
 "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-migrations]",
 "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-worker]",
 "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-event-queue]",
+ "serviceAccount:${local.project_id}.svc.id.goog[${local.gke_namespace}/ctrlplane-workspace-engine]",
 ]
 }
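Review bot: The example passes a literal `client_secret = "1234567890"` inside `google_auth` in examples/basic/main.tf; even as a placeholder, a literal secret in a module call is the pattern that gets copied into real configurations and committed. Prefer wiring it from an input variable, `client_secret = var.google_client_secret`, declared with `sensitive = true` so it is redacted from plan and apply output (it still lands in state, which has to be protected accordingly), and keep the literal out of the example. Whether the module's own `google_auth` variable is marked sensitive is not visible here; if it is not, both values will be printed in plain text by every plan. This hunk is also outside the scope of the commit subject (a bucket IAM binding), so it may belong in a separate commit.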
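Review bot: The new `depends_on = [module.gke, module.storage]` in main.tf is partly redundant: `bucket_name = module.storage.bucket_name` already establishes the dependency on the storage module, and a module-level `depends_on` forces every resource inside `service_accounts` to wait for all of `module.storage` and can turn otherwise-known values into "known after apply" on later plans. Keeping only the pre-existing entry, `depends_on = [module.gke]`, is sufficient unless the module relies on a storage resource it never references, which cannot be confirmed from this hunk. A one-line comment on why `module.gke` must be listed explicitly would also help, since no attribute of it is referenced in the visible module call.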
@@ -59,3 +60,9 @@ resource "google_project_iam_member" "gke_sa_token_creator" {
 role = "roles/iam.serviceAccountTokenCreator"
 member = local.sa_member
 }
+
+resource "google_storage_bucket_iam_member" "gke_sa_bucket_rw" {
+ bucket = var.bucket_name
+ role = "roles/storage.objectAdmin"
+ member = local.sa_member
+}
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
index 7bb50c6..4762d34 100644
--- a/modules/service_accounts/variables.tf
+++ b/modules/service_accounts/variables.tf
@@ -2,3 +2,8 @@ variable "namespace" {
 description = "Namespace for the service accounts"
 type = string
 }
+
+variable "bucket_name" {
+ description = "The GCS bucket name to grant access to"
+ type = string
+}
diff --git a/modules/storage/outputs.tf b/modules/storage/outputs.tf
new file mode 100644
index 0000000..7fee2b3
--- /dev/null
+++ b/modules/storage/outputs.tf
@@ -0,0 +1,4 @@
+output "bucket_name" {
+ value = google_storage_bucket.this.name
+ description = "The name of the bucket."
+}
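Review bot: `roles/storage.objectAdmin` on `gke_sa_bucket_rw` grants more than the read/write the commit subject describes: the role also carries object delete and object-level IAM permissions, and it is bound to `local.sa_member`, which the `locals` list in the previous hunk suggests is the single service account impersonated by every listed Kubernetes workload (migrations, event-worker, event-queue, workspace-engine), so all of them inherit it. If only object create/read/update/delete is needed, `roles/storage.objectUser` is the narrower predefined role (no object IAM permissions); if delete is not needed either, `roles/storage.objectCreator` plus `roles/storage.objectViewer` is narrower still. Whichever role is kept, add a comment above the resource stating which workload needs bucket access and why, e.g. `# Object read/write on the ctrlplane bucket for <workload>; objectAdmin chosen because <reason>`. The definition of `local.sa_member` is outside this hunk, so the fan-out described above is inferred rather than confirmed.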