fixing exception with iam svc account missing

Author: damienjburks

modules/pipelines/main.tf

@@ -1,10 +1,30 @@
 # Cloud Build Pipeline for gcp-python-fastapi
 # https://github.com/The-DevSec-Blueprint/gcp-python-fastapi/tree/main
+resource "google_service_account" "cloudbuild_service_account" {
+  account_id   = "${var.cloudbuild_trigger_name}-sa"
+  display_name = "${var.cloudbuild_trigger_name}-sa"
+  description  = "Cloud Build Service Account for ${var.cloudbuild_trigger_name}"
+}
+
+resource "google_project_iam_member" "act_as" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "logs_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
 resource "google_cloudbuild_trigger" "build_trigger" {
   name        = var.cloudbuild_trigger_name
   description = var.description
   filename    = var.filename
 
+  service_account = google_service_account.cloudbuild_service_account.id
+
   github {
     owner = "The-DevSec-Blueprint"
     name  = var.github_repo_name

modules/pipelines/variable.tf

@@ -17,4 +17,9 @@ variable "filename" {
 variable "github_repo_name" {
   description = "Name of the GitHub repository"
   type        = string
+}
+
+variable "project_id" {
+  description = "ID of the Google Cloud project"
+  type        = string
 }

pipelines.tf

@@ -1,5 +1,7 @@
 module "gcp_python_fastapi_pipeline" {
-  source                  = "./modules/pipelines"
+  source = "./modules/pipelines"
+
+  project_id              = var.project_id
   cloudbuild_trigger_name = "gcp-python-fastapi"
   description             = "Cloud Build Trigger for GCP Python FastAPI"
   github_repo_name        = "gcp-python-fastapi"