From 368c264e3cac9e4b45a20246a07729b922224174 Mon Sep 17 00:00:00 2001
From: Lai Jiang
Date: Fri, 21 Jun 2019 15:59:01 -0400
Subject: [PATCH] Update IAM binding to restrict proxy service account's access to GCS (#125)
Per https://cloud.google.com/container-registry/docs/access-control#granting_users_and_other_projects_access_to_a_registry, for a service account to access GCR, it does not need reader access to *all* buckets in a project, but just the specific one. This is duped from cl/254092941.
---
 proxy/terraform/modules/gcs.tf | 8 +++++++-
 proxy/terraform/modules/iam.tf | 6 ------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/proxy/terraform/modules/gcs.tf b/proxy/terraform/modules/gcs.tf
index 808a015a3..c2ede78d9 100644
--- a/proxy/terraform/modules/gcs.tf
+++ b/proxy/terraform/modules/gcs.tf
@@ -3,8 +3,14 @@ resource "google_storage_bucket" "proxy_certificate" {
 storage_class = "MULTI_REGIONAL"
 }
 
-resource "google_storage_bucket_iam_member" "member" {
+resource "google_storage_bucket_iam_member" "certificate_viewer" {
 bucket = "${google_storage_bucket.proxy_certificate.name}"
 role = "roles/storage.objectViewer"
 member = "serviceAccount:${google_service_account.proxy_service_account.email}"
 }
+
+resource "google_storage_bucket_iam_member" "gcr_viewer" {
+ bucket = "artifacts.${var.gcr_project_name}.appspot.com"
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
diff --git a/proxy/terraform/modules/iam.tf b/proxy/terraform/modules/iam.tf
index 1e346a562..09a298f27 100644
--- a/proxy/terraform/modules/iam.tf
+++ b/proxy/terraform/modules/iam.tf
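Review bot: The hard-coded bucket `artifacts.${var.gcr_project_name}.appspot.com` in the new `gcr_viewer` binding names only the bucket behind the global `gcr.io` host; images pushed to a regional host (`us.gcr.io`, `eu.gcr.io`, `asia.gcr.io`) live in a separately named bucket carrying the region as a prefix, so pulls from those hosts would not be covered by this grant. That bucket is also not managed in this module and GCR creates it lazily on first push, so the apply will presumably fail in a fresh project until at least one image has been pushed; a comment such as `# Bucket backing gcr.io for this project; created by GCR on first push. Regional hosts use a differently named bucket.` above the resource would record both constraints. Renaming the existing binding from `member` to `certificate_viewer` makes Terraform destroy and recreate that IAM member rather than keep it, so running `terraform state mv` on the old address before applying avoids a short window in which the proxy cannot read its certificate.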
@@ -3,12 +3,6 @@ resource "google_service_account" "proxy_service_account" {
 display_name = "Nomulus proxy service account"
 }
 
-resource "google_project_iam_member" "gcr_storage_viewer" {
- project = "${var.gcr_project_name}"
- role = "roles/storage.objectViewer"
- member = "serviceAccount:${google_service_account.proxy_service_account.email}"
-}
-
 resource "google_project_iam_member" "metric_writer" {
 role = "roles/monitoring.metricWriter"
 member = "serviceAccount:${google_service_account.proxy_service_account.email}"