@tomlarkworthy
Created April 9, 2020 19:52
# IAM policy document that makes the Cloud Run endpoint publicly invokable.
# "allUsers" covers every caller, including unauthenticated ones, so Cloud Run
# performs no identity check of its own; whatever the service exposes is
# protected only by the application's own login and authorization.
data "google_iam_policy" "noauth" {
  binding {
    members = ["allUsers"]
    role    = "roles/run.invoker"
  }
}
# Attach the public-invoker policy to the Camunda Cloud Run service.
# google_cloud_run_service_iam_policy is authoritative: it sets the service's
# entire IAM policy, so any binding on this service that is not part of the
# referenced policy document is replaced on apply.
resource "google_cloud_run_service_iam_policy" "noauth" {
  service     = google_cloud_run_service.camunda.name
  project     = google_cloud_run_service.camunda.project
  location    = google_cloud_run_service.camunda.location
  policy_data = data.google_iam_policy.noauth.policy_data
}
# Dedicated service account for the Camunda workload, so its permissions can
# be granted and audited separately from any shared default identity.
# NOTE(review): presumably referenced by the Cloud Run service definition,
# which is not shown here - confirm the service actually runs as this account.
resource "google_service_account" "camunda" {
  display_name = "Camunda Worker"
  account_id   = "camunda-worker"
}
# Grant the Camunda service account the Cloud SQL client role.
# google_project_iam_member is additive (other members of the role are left
# untouched), but the grant is project-wide: the account may connect to every
# Cloud SQL instance in the project, not only the Camunda database. Database
# credentials are still needed to log in to an instance.
# NOTE(review): no `project` argument is set, so the grant resolves to the
# provider's default project; newer google provider releases require
# `project` explicitly - confirm against the pinned provider version.
resource "google_project_iam_member" "project" {
  member = "serviceAccount:${google_service_account.camunda.email}"
  role   = "roles/cloudsql.client"
}