diff --git a/scripts/post_deploy_tdr.py b/scripts/post_deploy_tdr.py
index f1fd34abdf..2923f8a068 100644
--- a/scripts/post_deploy_tdr.py
+++ b/scripts/post_deploy_tdr.py
@@ -93,9 +93,9 @@ def verify_source(self,
  ) -> None:
  source = self.tdr.lookup_source(source_spec)
  log.info('TDR client is authorized for API access to %s.', source_spec)
- require(source.project == source_spec.project,
+ require(source_spec.project in (source.project, config.google_project()),
  'Actual Google project of TDR source differs from configured one',
- source.project, source_spec.project)
+ source.project, source_spec.project, config.google_project())
  # Uppercase is standard for multi-regions in the documentation but TDR
  # returns 'us' in lowercase
  require(source.location.lower() == config.tdr_source_location.lower(),
diff --git a/src/azul/terra.py b/src/azul/terra.py
index 6eb5fa75d4..44e827f7f5 100644
--- a/src/azul/terra.py
+++ b/src/azul/terra.py
@@ -270,7 +270,7 @@ def oauth2_scopes(self) -> Sequence[str]:
  return [
  *super().oauth2_scopes(),
  'https://www.googleapis.com/auth/devstorage.read_only',
- 'https://www.googleapis.com/auth/bigquery.readonly'
+ 'https://www.googleapis.com/auth/bigquery'
  ]
 
 
diff --git a/terraform/authentication.tf.json.template.py b/terraform/authentication.tf.json.template.py
index 782c1581b9..07f29b3c3e 100644
--- a/terraform/authentication.tf.json.template.py
+++ b/terraform/authentication.tf.json.template.py
@@ -60,6 +60,9 @@
  "title": f"azul_{config.deployment_stage}",
  "permissions": [
  "bigquery.jobs.create",
+ "bigquery.datasets.create",
+ "bigquery.tables.create",
+ "bigquery.tables.updateData",
  *[
  f'bigquery.{resource}.{action}'
  for resource in ('capacityCommitments', 'reservations')
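Review bot: The relaxed `require` in `verify_source` now passes for any source spec that names the deployment's own project, whatever project TDR reports for the source, and nothing in the hunk says why that case is acceptable. The message 'Actual Google project of TDR source differs from configured one' also no longer describes the condition being tested. I would add a comment above the call, e.g. `# A source may also be configured with the deployment's own Google project, because <reason>`, and reword the message to `'Configured Google project matches neither the TDR source nor the deployment'`. If the second case applies only to some kinds of source, the check should be narrowed to those rather than accepted for all. verify_source begins and continues outside the hunk.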
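Review bot: Replacing `bigquery.readonly` with the full `bigquery` scope in `oauth2_scopes` gives every token this client requests read-write BigQuery access, not only the code path that needs to write. IAM on the service account still bounds what a token can do, but the scope was a second limit and it is now gone for all callers. If only one operation writes, consider keeping the read-only scope here and overriding `oauth2_scopes` in a narrower client for that operation; otherwise add a comment such as `# Full scope needed for <operation that writes>; access is bounded by the custom role`. The enclosing class is outside the hunk, so which callers share these credentials is not visible here.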
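Review bot: The three added permissions (`bigquery.datasets.create`, `bigquery.tables.create`, `bigquery.tables.updateData`) turn a job-running role into one that can create datasets and write table data, and the hunk does not show where the role is bound. If it is bound at project level, `bigquery.tables.updateData` applies to every table in the project the account can reach, which is broader than writing to datasets the deployment creates itself. I would grant the table permissions on the specific dataset, or attach an IAM condition on the resource name where that is supported, and add a comment above the new entries, e.g. `# Needed for <feature>; writes are limited to <dataset>`. The permissions list and the surrounding role definition continue outside the hunk.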