Add support for more services to github-ci-bootstrap (#18)

jwbron · web-flow · commit 1f134f3e0e2a · 2025-09-08T14:21:57.000-07:00
## Summary: This adds support for a few new services that are used by github-actions-runners deployments. Issue: INFRA-10749 ## Test plan: Update github-actions-runners to use this, apply the changes, and test with PR checks. Author: jwbron Reviewers: csilvers Required Reviewers: Approved By: csilvers Checks: ✅ 2 checks were successful Pull Request URL: #18
diff --git a/terraform/modules/github-ci-bootstrap/main.tf b/terraform/modules/github-ci-bootstrap/main.tf
@@ -15,22 +15,30 @@ terraform {
 # Define service-to-role mapping
 locals {
   read_write_roles = {
-    cloudfunctions = "roles/cloudfunctions.admin"
-    storage        = "roles/storage.admin"
-    pubsub         = "roles/pubsub.admin"
-    scheduler      = "roles/cloudscheduler.admin"
-    run            = "roles/run.admin"
-    cloudbuild     = "roles/cloudbuild.builds.builder"
+    cloudfunctions     = "roles/cloudfunctions.admin"
+    storage            = "roles/storage.admin"
+    pubsub             = "roles/pubsub.admin"
+    scheduler          = "roles/cloudscheduler.admin"
+    run                = "roles/run.admin"
+    cloudbuild         = "roles/cloudbuild.admin"
+    artifactregistry   = "roles/artifactregistry.admin"
+    secretmanager      = "roles/secretmanager.admin"
+    logging            = "roles/logging.admin"
+    monitoring         = "roles/monitoring.admin"
   }
 
   # Read-only roles for any branch
   read_only_roles = {
-    cloudfunctions = "roles/cloudfunctions.viewer"
-    storage        = "roles/storage.objectViewer"
-    pubsub         = "roles/pubsub.viewer"
-    scheduler      = "roles/cloudscheduler.viewer"
-    run            = "roles/run.viewer"
-    cloudbuild     = "roles/cloudbuild.builds.builder" # Read-only branches still need build access
+    cloudfunctions     = "roles/cloudfunctions.viewer"
+    storage            = "roles/storage.objectViewer"
+    pubsub             = "roles/pubsub.viewer"
+    scheduler          = "roles/cloudscheduler.viewer"
+    run                = "roles/run.viewer"
+    cloudbuild         = "roles/cloudbuild.viewer" # Read-only branches get viewer access
+    artifactregistry   = "roles/artifactregistry.reader"
+    secretmanager      = "roles/secretmanager.viewer"
+    logging            = "roles/logging.viewer"
+    monitoring         = "roles/monitoring.viewer"
   }
 
   # Parse GitHub repository into org and repo name
diff --git a/terraform/modules/github-ci-bootstrap/variables.tf b/terraform/modules/github-ci-bootstrap/variables.tf
@@ -33,11 +33,15 @@ variable "target_projects" {
           "pubsub",
           "scheduler",
           "run",
-          "cloudbuild"
+          "cloudbuild",
+          "artifactregistry",
+          "secretmanager",
+          "logging",
+          "monitoring"
         ], service)
       ]
     ]))
-    error_message = "Required services must be one of: cloudfunctions, storage, pubsub, scheduler, run, cloudbuild."
+    error_message = "Required services must be one of: cloudfunctions, storage, pubsub, scheduler, run, cloudbuild, artifactregistry, secretmanager, logging, monitoring."
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,11 +33,15 @@ variable "target_projects" {`
`33`	`33`	`"pubsub",`
`34`	`34`	`"scheduler",`
`35`	`35`	`"run",`
`36`		`- "cloudbuild"`
	`36`	`+ "cloudbuild",`
	`37`	`+ "artifactregistry",`
	`38`	`+ "secretmanager",`
	`39`	`+ "logging",`
	`40`	`+ "monitoring"`
`37`	`41`	`], service)`
`38`	`42`	`]`
`39`	`43`	`]))`
`40`		`- error_message = "Required services must be one of: cloudfunctions, storage, pubsub, scheduler, run, cloudbuild."`
	`44`	`+ error_message = "Required services must be one of: cloudfunctions, storage, pubsub, scheduler, run, cloudbuild, artifactregistry, secretmanager, logging, monitoring."`
`41`	`45`	`}`
`42`	`46`	`}`
`43`	`47`