remove datastore users and roles from tf

chain-signatures/node/src/storage/mod.rs

@@ -6,7 +6,7 @@ pub mod triple_storage;
 #[derive(Debug, Clone, clap::Parser)]
 #[group(id = "storage_options")]
 pub struct Options {
-    /// env used to suffix datastore table names to differentiate among environments.
+    /// env used to differentiate among environments.
     #[clap(long, env("MPC_ENV"))]
     pub env: String,
     /// GCP project ID.

infra/mpc-recovery-dev/main.tf

@@ -64,12 +64,6 @@ resource "google_service_account_iam_binding" "serivce-account-iam" {
   ]
 }
 
-resource "google_project_iam_member" "service-account-datastore-user" {
-  project = var.project
-  role    = "roles/datastore.user"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
-}
-
 /*
  * Ensure service account has access to Secret Manager variables
  */

infra/mpc-recovery-prod/main.tf

@@ -39,13 +39,6 @@ resource "google_service_account" "service_account" {
   display_name = "MPC Recovery mainnet Account"
 }
 
-
-resource "google_project_iam_member" "service-account-datastore-user" {
-  project = var.project
-  role    = "roles/datastore.user"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
-}
-
 /*
  * Ensure service account has access to Secret Manager variables
  */

infra/mpc-recovery-testnet/main.tf

@@ -39,13 +39,6 @@ resource "google_service_account" "service_account" {
   display_name = "MPC Recovery testnet Account"
 }
 
-
-resource "google_project_iam_member" "service-account-datastore-user" {
-  project = var.project
-  role    = "roles/datastore.user"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
-}
-
 /*
  * Ensure service account has access to Secret Manager variables
  */

infra/multichain-dev/main.tf

@@ -98,7 +98,6 @@ resource "google_service_account" "service_account" {
 
 resource "google_project_iam_member" "sa-roles" {
   for_each = toset([
-    "roles/datastore.user",
     "roles/secretmanager.admin",
     "roles/storage.objectAdmin",
     "roles/iam.serviceAccountAdmin",

infra/multichain-mainnet/main.tf

@@ -74,7 +74,7 @@ resource "google_service_account" "service_account" {
 
 resource "google_project_iam_member" "sa-roles" {
   for_each = toset([
-      "roles/datastore.user",
+      "roles/.user",
       "roles/secretmanager.admin",
       "roles/storage.objectAdmin",
       "roles/iam.serviceAccountAdmin",

infra/multichain-testnet/main.tf

@@ -78,7 +78,6 @@ resource "google_service_account" "service_account" {
 
 resource "google_project_iam_member" "sa-roles" {
   for_each = toset([
-      "roles/datastore.user",
       "roles/secretmanager.admin",
       "roles/storage.objectAdmin",
       "roles/iam.serviceAccountAdmin",

infra/partner-mainnet/main.tf

@@ -75,7 +75,6 @@ resource "google_service_account" "service_account" {
 
 resource "google_project_iam_member" "sa-roles" {
   for_each = toset([
-    "roles/datastore.user",
     "roles/secretmanager.admin",
     "roles/storage.objectAdmin",
     "roles/iam.serviceAccountAdmin",

infra/partner-testnet/main.tf

@@ -75,7 +75,6 @@ resource "google_service_account" "service_account" {
 
 resource "google_project_iam_member" "sa-roles" {
   for_each = toset([
-    "roles/datastore.user",
     "roles/secretmanager.admin",
     "roles/storage.objectAdmin",
     "roles/iam.serviceAccountAdmin",

integration-tests/chain-signatures/src/containers.rs

@@ -562,6 +562,7 @@ impl Default for DockerClient {
     }
 }
 
+// TODO: remove or rename this struct and other mentions of datastore
 pub struct Datastore<'a> {
     pub container: Container<'a, GenericImage>,
     pub address: String,