fix: prevent disabling apis on destroy

matthewdavidson · matthewdavidson · commit 2346e8da52b8 · 2025-03-04T15:42:33.000Z
also use _iam_member over _iam_binding
diff --git a/terraform/infra/apis/main.tf b/terraform/infra/apis/main.tf
@@ -29,6 +29,7 @@ resource "google_project_service" "apis" {
     "pubsub.googleapis.com",
     "run.googleapis.com",
   ])
-  service = each.key
+  service            = each.key
+  disable_on_destroy = false
 }
 
diff --git a/terraform/infra/main.tf b/terraform/infra/main.tf
@@ -63,11 +63,11 @@ resource "google_service_account" "build_service_account" {
   depends_on   = [module.apis]
 }
 
-resource "google_project_iam_binding" "build_iam" {
+resource "google_project_iam_member" "build_iam" {
   for_each = toset(["roles/storage.objectViewer", "roles/logging.logWriter", "roles/artifactregistry.writer"])
   project  = data.google_project.project.project_id
   role     = each.value
-  members  = ["serviceAccount:${google_service_account.build_service_account.email}"]
+  member   = "serviceAccount:${google_service_account.build_service_account.email}"
 }
 
 resource "google_artifact_registry_repository" "repo" {
@@ -83,10 +83,10 @@ resource "google_artifact_registry_repository" "repo" {
 data "google_storage_project_service_account" "gcs_account" {
   depends_on = [module.apis]
 }
-resource "google_project_iam_binding" "gcs_sa_pubsub_publish" {
+resource "google_project_iam_member" "gcs_sa_pubsub_publish" {
   project = data.google_project.project.project_id
   role    = "roles/pubsub.publisher"
-  members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  member  = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
 }
 
 ## Create configured scanner buckets if requested.
@@ -110,13 +110,11 @@ data "google_storage_bucket" "scanner-buckets" {
   name       = each.value
   depends_on = [module.create_buckets]
 }
-resource "google_storage_bucket_iam_binding" "buckets_sa_binding" {
+resource "google_storage_bucket_iam_member" "buckets_sa_iam" {
   for_each = local.all_buckets
   bucket   = data.google_storage_bucket.scanner-buckets[each.key].name
   role     = "roles/storage.admin"
-  members = [
-    "serviceAccount:${google_service_account.malware_scanner_sa.email}",
-  ]
+  member   = "serviceAccount:${google_service_account.malware_scanner_sa.email}"
 }
 
 ## Create the CVD Mirror bucket and allow service account admin access.
@@ -127,12 +125,10 @@ resource "google_storage_bucket" "cvd_mirror_bucket" {
   uniform_bucket_level_access = var.uniform_bucket_level_access
   depends_on                  = [module.apis]
 }
-resource "google_storage_bucket_iam_binding" "cvd_mirror_bucket_sa_binding" {
+resource "google_storage_bucket_iam_member" "cvd_mirror_bucket_sa_iam" {
   bucket = google_storage_bucket.cvd_mirror_bucket.name
   role   = "roles/storage.admin"
-  members = [
-    "serviceAccount:${google_service_account.malware_scanner_sa.email}",
-  ]
+  member = "serviceAccount:${google_service_account.malware_scanner_sa.email}"
 }
 
 ## Perform an update/initial load of mirror bucket.

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ resource "google_project_service" "apis" {`
`29`	`29`	`"pubsub.googleapis.com",`
`30`	`30`	`"run.googleapis.com",`
`31`	`31`	`])`
`32`		`- service = each.key`
	`32`	`+ service = each.key`
	`33`	`+ disable_on_destroy = false`
`33`	`34`	`}`
`34`	`35`