Add roles required for ops-agent

backend/README.md

@@ -31,6 +31,8 @@ No modules.
 | [google_compute_firewall.ssh](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
 | [google_compute_instance.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
 | [google_compute_instance_group.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group) | resource |
+| [google_project_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_compute_image.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source |
 
 ## Inputs

backend/main.tf

@@ -3,6 +3,13 @@ data "google_compute_image" "this" {
   project = var.project
 }
 
+locals {
+  roles = [
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter"
+  ]
+}
+
 resource "google_compute_instance" "this" {
   name = var.name
   boot_disk {
@@ -45,3 +52,16 @@ resource "google_compute_instance_group" "this" {
   project = var.project
   zone    = "${var.region}-${var.region_zone}"
 }
+
+resource "google_service_account" "this" {
+  account_id   = "backend"
+  display_name = "Roles for Backend"
+  project      = var.project
+}
+
+resource "google_project_iam_member" "this" {
+  for_each = toset(local.roles)
+  member   = "serviceAccount:${google_service_account.this.email}"
+  project  = var.project
+  role     = each.value
+}