chore: use less privileged roles for deploying bigquery module (#376)

Author: ayushmjain

metadata.yaml

@@ -382,8 +382,19 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
+          - roles/aiplatform.admin
+          - roles/cloudfunctions.admin
+          - roles/dataform.admin
+          - roles/datalineage.viewer
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountTokenCreator
+          - roles/iam.serviceAccountUser
+          - roles/logging.configWriter
+          - roles/resourcemanager.projectIamAdmin
+          - roles/run.invoker
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/storage.admin
+          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/authorization/metadata.yaml

@@ -94,8 +94,19 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
+          - roles/aiplatform.admin
+          - roles/cloudfunctions.admin
+          - roles/dataform.admin
+          - roles/datalineage.viewer
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountTokenCreator
+          - roles/iam.serviceAccountUser
+          - roles/logging.configWriter
+          - roles/resourcemanager.projectIamAdmin
+          - roles/run.invoker
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/storage.admin
+          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/data_warehouse/metadata.yaml

@@ -136,8 +136,19 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
+          - roles/aiplatform.admin
+          - roles/cloudfunctions.admin
+          - roles/dataform.admin
+          - roles/datalineage.viewer
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountTokenCreator
+          - roles/iam.serviceAccountUser
+          - roles/logging.configWriter
+          - roles/resourcemanager.projectIamAdmin
+          - roles/run.invoker
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/storage.admin
+          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/scheduled_queries/metadata.yaml

@@ -60,8 +60,19 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
+          - roles/aiplatform.admin
+          - roles/cloudfunctions.admin
+          - roles/dataform.admin
+          - roles/datalineage.viewer
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountTokenCreator
+          - roles/iam.serviceAccountUser
+          - roles/logging.configWriter
+          - roles/resourcemanager.projectIamAdmin
+          - roles/run.invoker
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/storage.admin
+          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/udf/metadata.yaml

@@ -64,8 +64,19 @@ spec:
       - level: Project
         roles:
           - roles/bigquery.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/owner
+          - roles/aiplatform.admin
+          - roles/cloudfunctions.admin
+          - roles/dataform.admin
+          - roles/datalineage.viewer
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountTokenCreator
+          - roles/iam.serviceAccountUser
+          - roles/logging.configWriter
+          - roles/resourcemanager.projectIamAdmin
+          - roles/run.invoker
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/storage.admin
+          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com

test/setup/iam.tf

@@ -17,8 +17,19 @@
 locals {
   int_required_roles = [
     "roles/bigquery.admin",
-    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
-    "roles/owner" // TODO: Descope
+    "roles/aiplatform.admin",
+    "roles/cloudfunctions.admin",
+    "roles/dataform.admin",
+    "roles/datalineage.viewer",
+    "roles/iam.serviceAccountAdmin",
+    "roles/iam.serviceAccountTokenCreator",
+    "roles/iam.serviceAccountUser",
+    "roles/logging.configWriter",
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/run.invoker",
+    "roles/serviceusage.serviceUsageAdmin",
+    "roles/storage.admin",
+    "roles/workflows.admin"
   ]
 }