I'm trying to set up a bunch of service accounts for another bunch of pubsub topics and subscriptions. What I'm trying to achieve is that each micro service should only be allowed to write to a specific subject, and/or subscribe to a specific subscription.
I've currently got:
resource "google_service_account" "my_sa" {
  account_id   = "my-service-account"
  display_name = "A service account for ..."
}
resource "google_project_iam_member" "my_pubsub_iam" {
  project = var.project
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.my_sa.email}"
}
Which sets up my_sa as a pubsub.publisher and should allow them to publish to any topic.
For subscribers I have:
# set up the account like above but with the subscriber role
resource "google_pubsub_subscription" "crm_sub" {
  name  = "my-subscription"
  topic = var.topic
}
Setting things up like this would allow each server to subscribe to all subscriptions if they are subscribers, and to write to all topics if they are publishers, right?
I've seen the example at https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam and tried to understand that and https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy but I'm struggling a bit.
Should I simply add
data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"
    members = [
      # reference the service account, not the project IAM member resource
      # (google_project_iam_member has no email attribute)
      "serviceAccount:${google_service_account.my_sa.email}",
    ]
  }
}

resource "google_pubsub_topic_iam_policy" "policy" {
  project     = google_pubsub_topic.example.project
  topic       = google_pubsub_topic.example.name
  policy_data = data.google_iam_policy.admin.policy_data
}
to each service?
I've split them up and some topics have multiple writers, so if the above is the solution, how to handle that? A new editor policy per service, or will that overwrite the policy for the topic?
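As an added illustration (editor's example, not the poster's configuration), the following Terraform config scopes each service account to a single topic or subscription using the additive `google_pubsub_topic_iam_member` and `google_pubsub_subscription_iam_member` resources rather than a project-wide role or an authoritative topic policy. The service names (`billing`, `checkout`, `fulfilment`), the topic `orders` and the use of `var.project` are assumptions made for the example.

```hcl
# Constructed example: one service account per microservice, each granted
# only the Pub/Sub role it needs on only the resource it needs.

locals {
  # hypothetical service names; each publisher gets its own service account
  publishers  = toset(["billing", "checkout"])
  subscribers = toset(["fulfilment"])
}

resource "google_service_account" "publisher" {
  for_each     = local.publishers
  account_id   = "${each.key}-publisher"
  display_name = "Publisher service account for ${each.key}"
}

resource "google_service_account" "subscriber" {
  for_each     = local.subscribers
  account_id   = "${each.key}-subscriber"
  display_name = "Subscriber service account for ${each.key}"
}

resource "google_pubsub_topic" "orders" {
  name = "orders"
}

resource "google_pubsub_subscription" "orders_fulfilment" {
  name  = "orders-fulfilment"
  topic = google_pubsub_topic.orders.name
}

# Additive binding, one per writer, on this topic only. Each instance adds a
# single member to the topic's roles/pubsub.publisher binding and leaves any
# other bindings on the topic untouched, so several writers on one topic do
# not overwrite each other.
resource "google_pubsub_topic_iam_member" "orders_publisher" {
  for_each = google_service_account.publisher
  project  = var.project
  topic    = google_pubsub_topic.orders.name
  role     = "roles/pubsub.publisher"
  member   = "serviceAccount:${each.value.email}"
}

# The subscriber may pull from this one subscription and nothing else.
resource "google_pubsub_subscription_iam_member" "orders_fulfilment_subscriber" {
  project      = var.project
  subscription = google_pubsub_subscription.orders_fulfilment.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${google_service_account.subscriber["fulfilment"].email}"
}
```

The distinction that matters for the "will it overwrite" question is authoritative versus additive: `google_pubsub_topic_iam_policy` replaces the topic's entire IAM policy with the supplied `policy_data`, so two services each applying their own policy to the same topic would clobber one another, and `google_pubsub_topic_iam_binding` replaces the full member list for one role. `google_pubsub_topic_iam_member` only ever adds or removes its own single member, which is the form that composes across services. Binding `roles/pubsub.publisher` at the project level, as in the original `google_project_iam_member`, grants publish on every topic in the project; moving the binding to the topic (and `roles/pubsub.subscriber` to the subscription) is what limits each account to its own resource, and neither `roles/editor` nor any project-level role is required for that.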