Merge pull request #757 from lsst/tickets/DM-53738

stvoutsin · web-flow · commit 5fcb083fdcc5 · 2026-01-06T11:12:54.000-07:00
DM-53738: Create bigquery-kafka account with access to BigQuery
diff --git a/environment/deployments/science-platform/cloudsql/main.tf b/environment/deployments/science-platform/cloudsql/main.tf
@@ -434,6 +434,7 @@ module "service_accounts" {
   display_name = "PostgreSQL client"
   description  = "Terraform-managed service account for PostgreSQL access"
   names = [
+    "bigquery-kafka",
     "gafaelfawr",
     "grafana",
     "nublado",
@@ -530,6 +531,12 @@ resource "google_service_account_iam_member" "ppdbtap_sa_wi" {
   member             = "serviceAccount:${var.project_id}.svc.id.goog[ppdbtap/ppdbtap]"
 }
 
+resource "google_service_account_iam_member" "bigquery_kafka_sa_wi" {
+  service_account_id = module.service_accounts.service_accounts_map["bigquery-kafka"].name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[bigquery-kafka/bigquery-kafka]"
+}
+
 resource "google_project_iam_member" "ppdbtap_bigquery_data_viewer" {
   project = "ppdb-dev-438721"
   role    = "roles/bigquery.dataViewer"
@@ -548,6 +555,24 @@ resource "google_project_iam_member" "ppdbtap_bigquery_read_session_user" {
   member  = module.service_accounts.service_accounts_map["ppdbtap"].member
 }
 
+resource "google_project_iam_member" "bigquery_kafka_bigquery_data_viewer" {
+  project = "ppdb-dev-438721"
+  role    = "roles/bigquery.dataViewer"
+  member  = module.service_accounts.service_accounts_map["bigquery-kafka"].member
+}
+
+resource "google_project_iam_member" "bigquery_kafka_bigquery_job_user" {
+  project = "ppdb-dev-438721"
+  role    = "roles/bigquery.jobUser"
+  member  = module.service_accounts.service_accounts_map["bigquery-kafka"].member
+}
+
+resource "google_project_iam_member" "bigquery_kafka_bigquery_read_session_user" {
+  project = "ppdb-dev-438721"
+  role    = "roles/bigquery.readSessionUser"
+  member  = module.service_accounts.service_accounts_map["bigquery-kafka"].member
+}
+
 # The vo-cutouts service account must be granted the ability to generate
 # tokens for itself so that it can generate signed GCS URLs starting from
 # the GKE service account token without requiring an exported secret key
diff --git a/environment/deployments/science-platform/env/dev-cloudsql.tfvars b/environment/deployments/science-platform/env/dev-cloudsql.tfvars
@@ -24,4 +24,4 @@ science_platform_db_maintenance_window_update_track = "canary"
 science_platform_backups_enabled                    = true
 
 # Increase this number to force Terraform to update the dev environment.
-# Serial: 37
+# Serial: 38
diff --git a/environment/deployments/science-platform/env/dev.tfvars b/environment/deployments/science-platform/env/dev.tfvars
@@ -124,6 +124,7 @@ netapp_definitions = [
 # and Cloud SQL Admin (required for the Cloud SQL Auth Proxy) in addition to
 # our standard APIs.
 activate_apis = [
+  "bigquery.googleapis.com",
   "compute.googleapis.com",
   "container.googleapis.com",
   "containerfilesystem.googleapis.com",
