Support using a customer service account to run Cloud Build triggers in the cicd recipe
xingao267 opened this issue · 2 comments
The work that needs to be done is roughly:

- Follow this and add the necessary resources to our cicd recipe, which includes a new logging bucket and an optional service account (either passed in or created in our recipe, toggled by an input param). The service account will later be used in `google_cloudbuild_trigger` resources.
- The feature to use a custom SA in Cloud Build triggers is still in beta, and Terraform's google-beta provider does not seem to support it yet. See the pending issue. The code to support that likely should be added here. We can help implement that. The Terraform provider has a weekly release schedule. Once the change is approved and merged, it might take 1-2 weeks for it to be available, so we need to plan accordingly.
  Note: Cloud Build's doc suggests that the feature is still in beta, but in that issue in the Terraform provider repo, someone suggests that it's already GA. This is something to look into a bit more and verify.
- Change the `google_cloudbuild_trigger` resources in the cicd recipe to use the service account. If we need to switch to the beta provider, we should add `google-beta` in the resource's `provider` field. The cloudbuild yaml file should be modified to use the custom logging bucket as well.
- Test, add docs for upgrade instructions, etc.
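The wiring the issue describes (an optional service account toggled by an input variable, a dedicated logs bucket, and a trigger that runs as that account through the `google-beta` provider), as an added Terraform example that is not part of the cicd recipe. It assumes the `service_account` argument on `google_cloudbuild_trigger` that the pending provider change is expected to add, a `google-beta` provider already configured in the module, and placeholder values for the project id, bucket name and GitHub repo.

```hcl
# Added example, not the recipe's own code.
# Assumes: google-beta provider configured; `service_account` argument
# available on google_cloudbuild_trigger; all names below are placeholders.

variable "project_id" {
  type = string
}

variable "cloudbuild_service_account" {
  description = "Email of an existing service account to run triggers as. Leave empty to create one."
  type        = string
  default     = ""
}

locals {
  # Toggle: create the SA in this module only when none was passed in.
  create_sa = var.cloudbuild_service_account == ""
  sa_email  = local.create_sa ? google_service_account.cloudbuild[0].email : var.cloudbuild_service_account
  # Cloud Build expects the full resource name, not just the email.
  sa_id = "projects/${var.project_id}/serviceAccounts/${local.sa_email}"
}

resource "google_service_account" "cloudbuild" {
  count        = local.create_sa ? 1 : 0
  project      = var.project_id
  account_id   = "cloudbuild-runner"
  display_name = "Cloud Build trigger runner"
}

# A user-specified SA cannot write to the default Cloud Build logs location,
# so builds need a bucket of their own (name is a placeholder; must be globally unique).
resource "google_storage_bucket" "cloudbuild_logs" {
  project                     = var.project_id
  name                        = "${var.project_id}-cloudbuild-logs"
  location                    = "US"
  uniform_bucket_level_access = true
}

# Scope the SA's storage access to the logs bucket only, rather than a
# project-wide storage role (role choice is an assumption; verify against
# the Cloud Build docs for custom logs buckets).
resource "google_storage_bucket_iam_member" "cloudbuild_logs_writer" {
  bucket = google_storage_bucket.cloudbuild_logs.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${local.sa_email}"
}

# Build-step output still goes to Cloud Logging; logWriter is the narrowest
# role that allows it.
resource "google_project_iam_member" "cloudbuild_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${local.sa_email}"
}

resource "google_cloudbuild_trigger" "cicd" {
  provider = google-beta # needed while service_account is beta-only
  project  = var.project_id
  name     = "cicd-main"

  # Run builds as the custom SA instead of the project's default Cloud Build SA.
  service_account = local.sa_id

  filename = "cloudbuild.yaml"

  github {
    owner = "example-org" # placeholder
    name  = "example-repo" # placeholder
    push {
      branch = "^main$"
    }
  }

  # Expose the bucket to cloudbuild.yaml so the recipe does not hardcode it.
  substitutions = {
    _LOGS_BUCKET = google_storage_bucket.cloudbuild_logs.url
  }
}

output "cloudbuild_service_account_email" {
  value = local.sa_email
}
```

The matching change in `cloudbuild.yaml` is to set `logsBucket` to the bucket the trigger passes in via `_LOGS_BUCKET`; Cloud Build rejects a build that runs as a user-specified service account unless it either names a logs bucket or sets the `options.logging` field to a mode that does not use the default bucket. Keeping the bucket IAM binding scoped to the one bucket, rather than granting a project-level storage role, is the least-privilege choice that still lets the account ship logs.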