From a0ff973a72d6ae9d757a7ece52a519db46e51943 Mon Sep 17 00:00:00 2001
From: Jona
Date: Wed, 25 Oct 2023 08:27:44 -0400
Subject: [PATCH] Add permissions to enqueue

---
 stack/cloud_run_orchestrator.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/stack/cloud_run_orchestrator.py b/stack/cloud_run_orchestrator.py
index 9e06813c..c3f94f93 100644
--- a/stack/cloud_run_orchestrator.py
+++ b/stack/cloud_run_orchestrator.py
@@ -14,11 +14,29 @@
 from utils import construct_name
 config = pulumi.Config()
+stack = pulumi.get_stack()
 repo = git.Repo(search_parent_directories=True)
 git_sha = repo.head.object.hexsha
 git_tag = next((tag.name for tag in repo.tags if tag.commit == repo.head.commit), None)
+
+# Assign access to cloud SQL
+cloud_function_service_account = gcp.serviceaccount.Account(
+ construct_name("cloud-run-orchestrator"),
+ account_id=f"{stack}-cloud-run-orchestrator",
+ display_name="Service Account for cloud run.",
+)
+
+cloud_function_service_account_iam = gcp.projects.IAMMember(
+ construct_name("cloud-run-orchestrator"),
+ project=pulumi.Config("gcp").require("project"),
+ role="projects/cerulean-338116/roles/cloudtasks.enqueuer",
+ member=cloud_function_service_account.email.apply(
+ lambda email: f"serviceAccount:{email}"
+ ),
+)
+
 service_name = construct_name("cloud-run-orchestrator")
 default = gcp.cloudrun.Service(
 service_name,
@@ -26,6 +44,7 @@
 location=pulumi.Config("gcp").require("region"),
 template=gcp.cloudrun.ServiceTemplateArgs(
 spec=gcp.cloudrun.ServiceTemplateSpecArgs(
+ service_account_name=cloud_function_service_account.email,
 containers=[
 gcp.cloudrun.ServiceTemplateSpecContainerArgs(
 image=cloud_run_images.cloud_run_orchestrator_image.name,
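Review bot: The hard-coded `role="projects/cerulean-338116/roles/cloudtasks.enqueuer"` pins the IAM binding to a single project while `project=` on the same `IAMMember` is read from the `gcp` config, so deploying this stack against any other project either fails or binds a role that does not exist there; derive it from the same source, e.g. `gcp_project = pulumi.Config("gcp").require("project")` and `role=f"projects/{gcp_project}/roles/cloudtasks.enqueuer"`. The comment `# Assign access to cloud SQL` above the service account does not describe the code beneath it, which creates a dedicated runtime identity and grants only the custom Cloud Tasks enqueuer role (as the commit title says); replace it with `# Dedicated runtime identity for the orchestrator, granted only the custom Cloud Tasks enqueuer role`. `account_id=f"{stack}-cloud-run-orchestrator"` is already 23 characters before the stack name is added, and service account IDs are capped at 30 characters if I recall the limit correctly, so longer stack names would fail at deploy time rather than at preview. The variable name `cloud_function_service_account` is misleading for an identity that the `display_name` and the second hunk attach to a Cloud Run service, and once that hunk sets `service_account_name` the service no longer runs as the default compute account, so any other Google API the orchestrator calls needs its own explicit binding — the custom role's permission set is not visible in this diff and should be checked against what the orchestrator actually needs.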