diff --git a/examples/kms/main.tf b/examples/kms/main.tf
index 43d2cd2..49525f3 100644
--- a/examples/kms/main.tf
+++ b/examples/kms/main.tf
@@ -38,10 +38,16 @@ resource "google_project_service_identity" "secretmanager_identity" {
 service = "secretmanager.googleapis.com"
 }
 
+resource "time_sleep" "wait_service_identity_propagation" {
+ depends_on = [google_project_service_identity.secretmanager_identity]
+ create_duration = "180s"
+}
+
 resource "google_kms_crypto_key_iam_member" "sm_sa_encrypter_decrypter" {
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 member = "serviceAccount:${google_project_service_identity.secretmanager_identity.email}"
 crypto_key_id = google_kms_crypto_key.crypto_key.id
+ depends_on = [time_sleep.wait_service_identity_propagation]
 }
 
 module "secret-manager" {
diff --git a/metadata.yaml b/metadata.yaml
index a794c8b..9ff36ae 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -96,7 +96,9 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/secretmanager.admin
+ - roles/cloudkms.admin
+ - roles/pubsub.admin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
diff --git a/modules/simple-secret/metadata.yaml b/modules/simple-secret/metadata.yaml
index 50be32a..73dfc91 100644
--- a/modules/simple-secret/metadata.yaml
+++ b/modules/simple-secret/metadata.yaml
@@ -125,7 +125,9 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/secretmanager.admin
+ - roles/cloudkms.admin
+ - roles/pubsub.admin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 9255735..04dbbeb 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,7 +16,9 @@ locals {
 int_required_roles = [
- "roles/owner"
+ "roles/secretmanager.admin",
+ "roles/cloudkms.admin",
+ "roles/pubsub.admin",
 ]
 }
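Review bot: The new `time_sleep.wait_service_identity_propagation` resource hard-codes a 180s pause with no comment saying what it waits for, so the next reader will reasonably treat it as dead weight and remove it, reintroducing the race it works around. Add a comment above the resource such as `# The Secret Manager service identity is created asynchronously; granting it the KMS role immediately can fail because IAM has not yet propagated the new principal, so wait before the crypto key binding below.` and on `create_duration` note that it is a heuristic, e.g. `# empirical propagation window, not an API guarantee; raise it if the apply still races.` The `time_sleep` resource presumably needs the hashicorp/time provider declared in the example's required_providers, which this hunk does not show — confirm it is present so the example still initialises cleanly. The `google_kms_crypto_key_iam_member` block already orders itself after the identity through the `member` interpolation; the added `depends_on` on the sleep is the line that actually enforces the delay, which is worth saying in the comment.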
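Review bot: The narrowed role list under `roles:` (`secretmanager.admin`, `cloudkms.admin`, `pubsub.admin`) is the right move away from `roles/owner`, but nothing in the change shows it still covers `google_project_service_identity` in examples/kms, whose creation appears to depend on Service Usage permissions that none of the three listed roles grant as far as I can tell; if the integration setup in test/setup/iam.tf binds exactly these roles, that example would fail with a permission error rather than a clear missing-role message. Confirm on a fresh test project and, if a gap shows up, add the narrowest Service Usage role that suffices rather than restoring owner. The same list is duplicated in modules/simple-secret/metadata.yaml and test/setup/iam.tf; a one-line comment in each pointing at the canonical copy (e.g. `# keep in sync with test/setup/iam.tf`) would stop them drifting apart.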