@rosskevin
Last active March 11, 2019 19:43
import * as pulumi from '@pulumi/pulumi'
import * as gcp from '@pulumi/gcp'
/**
 * Grant `args.role` on `args.project` to the given service account.
 *
 * The member string is derived from the account's email output, so the
 * binding is created only once the account exists.
 *
 * NOTE(review): `gcp.projects.IAMBinding` is the authoritative form of a
 * project-role binding — the members list given here replaces whatever
 * principals currently hold `args.role` on the project. If other principals
 * must keep that role, the additive `gcp.projects.IAMMember` resource is the
 * non-authoritative alternative; confirm against the pulumi-gcp docs for the
 * provider version in use before relying on either behaviour.
 *
 * @param name Pulumi resource name for the binding.
 * @param sa Service account to grant the role to.
 * @param args Target project and the IAM role (e.g. `roles/...`).
 * @returns The created project-level IAM binding resource.
 */
export function bindToRole(
  name: string,
  sa: gcp.serviceAccount.Account,
  args: { project: pulumi.Input<string>; role: pulumi.Input<string> },
): gcp.projects.IAMBinding {
  // IAM member identifiers for service accounts carry the `serviceAccount:` prefix.
  const member = sa.email.apply(email => `serviceAccount:${email}`)
  const bindingArgs = {
    project: args.project,
    role: args.role,
    members: [member],
  }
  return new gcp.projects.IAMBinding(name, bindingArgs)
}
import * as gcp from '@pulumi/gcp'
import { project } from './gcpConfig'
import { bindToRole, createServiceAccountKey, clientSecret } from '@alienfast/pulumi'
//
// Assign infrastructure CI service account Cloud SQL and GKE cluster admin privileges -- i.e.,
// privileges to add/delete these things, but not privileges to change apps inside.
//
// Base name shared by the service account and every resource derived from it.
const name = 'ciInfrastructure'

// The CI infrastructure service account itself; exported so other stacks/modules
// can reference it.
export const ciInfrastructure = new gcp.serviceAccount.Account(name, {
  project,
  accountId: 'ci-infrastructure',
  displayName: 'CI infrastructure account',
})

// Project-level roles granted to the account, in creation order. The first
// element is appended to `name` to form each binding's resource name.
// NOTE(review): roles/storage.admin and roles/cloudsql.admin are broad
// project-wide grants; whether a narrower role (or a bucket/instance-scoped
// binding) would suffice depends on what the CI pipeline actually needs —
// worth confirming.
const roleBindings = [
  ['ClusterAdmin', 'roles/container.clusterAdmin'],
  ['CloudSqlAdmin', 'roles/cloudsql.admin'],
  // for deploying new services/deployments
  ['ContainerDeveloper', 'roles/container.developer'],
  ['StorageAdmin', 'roles/storage.admin'],
] as const

for (const [suffix, role] of roleBindings) {
  bindToRole(`${name}${suffix}`, ciInfrastructure, { project, role })
}

// Long-lived key for the account; the key material is what CI/CD systems use
// to authenticate as this service account.
const key = createServiceAccountKey(`${name}Key`, ciInfrastructure)

// Export client secret so that CI/CD systems can authenticate as this service account.
// NOTE(review): this is a stack output holding credential material. Whether
// `clientSecret` (from @alienfast/pulumi) already wraps it with `pulumi.secret`
// is not visible here — confirm, otherwise the key is stored in plaintext in the
// stack state and shown by `pulumi stack output`.
export const ciInfrastructureClientSecret = clientSecret(key)