stacklet · hiteshmck · Jun 23, 2025 · Jun 23, 2025 · Jun 24, 2025 · Jun 25, 2025
@@ -33,10 +33,11 @@ resource "google_cloudfunctions2_function" "asset_change_relay" {
   }
 
   event_trigger {
-    trigger_region = var.location
-    event_type     = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic   = google_pubsub_topic.asset_feed[0].id
-    retry_policy   = "RETRY_POLICY_RETRY"
+    trigger_region        = var.location
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.asset_feed[0].id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = var.service_account
   }
 }
 resource "google_cloudfunctions2_function_iam_member" "asset_change_relay_invoker" {

@@ -33,10 +33,11 @@ resource "google_cloudfunctions2_function" "audit_log_relay" {
   }
 
   event_trigger {
-    trigger_region = var.location
-    event_type     = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic   = google_pubsub_topic.audit_feed[0].id
-    retry_policy   = "RETRY_POLICY_RETRY"
+    trigger_region        = var.location
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.audit_feed[0].id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = var.service_account
   }
 }
 

@@ -101,6 +101,24 @@ resource "google_service_account" "service_account" {
   depends_on = [google_project_service.iam]
 }
 
+# Get project data
+data "google_project" "gcp_project" {
+  project_id = local.project_id
+}
+
+# Grant Cloud Build service account Artifact Registry permissions
+resource "google_project_iam_member" "cloud_build_artifact_registry" {
+  for_each = var.create_project ? toset([
+    "roles/artifactregistry.writer",
+    "roles/logging.logWriter", 
+    "roles/storage.objectViewer"
+  ]) : toset([])
+
+  project = local.project_id
+  role    = each.value
+  member  = "serviceAccount:${data.google_project.gcp_project.number}-compute@developer.gserviceaccount.com"
 resource "google_project" "stacklet_relay" { 
   count           = var.create_project ? 1 : 0 
   name            = var.project_name 
   project_id      = var.project_id 
   folder_id       = var.folder_id 
   billing_account = var.billing_account 
   tags            = var.project_tags 
   deletion_policy = "DELETE" 
 } 
 resource "google_project" "stacklet_relay" { 
   count           = var.create_project ? 1 : 0 
   name            = var.project_name 
   project_id      = var.project_id 
   folder_id       = var.folder_id 
   billing_account = var.billing_account 
   tags            = var.project_tags 
  
   deletion_policy = "DELETE" 
 } 
+}
+
 output "project_id" {
   value = local.project_id
 }

@@ -33,10 +33,11 @@ resource "google_cloudfunctions2_function" "scc_finding_relay" {
   }
 
   event_trigger {
-    trigger_region = var.location
-    event_type     = "google.cloud.pubsub.topic.v1.messagePublished"
-    pubsub_topic   = google_pubsub_topic.scc_findings_feed[0].id
-    retry_policy   = "RETRY_POLICY_RETRY"
+    trigger_region        = var.location
+    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
+    pubsub_topic          = google_pubsub_topic.scc_findings_feed[0].id
+    retry_policy          = "RETRY_POLICY_RETRY"
+    service_account_email = var.service_account
   }
 }