From 206a49709dce9fd6329fd9f436bc79865722e811 Mon Sep 17 00:00:00 2001
From: amaury ravanel
Date: Mon, 6 Jan 2025 18:25:06 +0100
Subject: [PATCH 1/2] fix(velero): fix iam creation declaration (#3160)

Signed-off-by: Amaury Ravanel
---
 modules/google/velero.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/google/velero.tf b/modules/google/velero.tf
index b42d9da0f..387b3e59e 100644
--- a/modules/google/velero.tf
+++ b/modules/google/velero.tf
@@ -64,7 +64,7 @@ VALUES
 }
 
 resource "google_project_iam_custom_role" "velero" {
- count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+ count = (local.velero["enabled"] && local.velero["create_iam_resources"]) ? 1 : 0
 role_id = replace(local.velero["service_account_name"], "-", "_")
 title = "${var.cluster-name} - velero"
 description = "IAM role used by velero on ${var.cluster-name} to perform backup operations"
@@ -89,7 +89,7 @@ resource "google_project_iam_custom_role" "velero" {
 }
 
 resource "google_project_iam_member" "velero" {
- count = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+ count = (local.velero["enabled"] && local.velero["create_iam_resources"]) ? 1 : 0
 project = data.google_project.current.project_id
 role = google_project_iam_custom_role.velero[0].id
 member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"

From 976fd6f16061f556327f07bee754442e82f03a05 Mon Sep 17 00:00:00 2001
From: Joel Rousseau
Date: Mon, 6 Jan 2025 17:25:16 +0000
Subject: [PATCH 2/2] Add role storage.objectUser to loki-stack (allowing deletion) (#3159)

---
 modules/google/README.md | 2 +-
 modules/google/loki-stack.tf | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/google/README.md b/modules/google/README.md
index aeae0f94b..2a4487182 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
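Review bot: The second velero hunk still indexes `module.iam_assumable_sa_velero[0]` and `google_project_iam_custom_role.velero[0]` unconditionally, while the diffstat shows only the two `count` lines changed, so if the service-account module's own `count` (defined outside the hunk) is still gated on the old `create_iam_account` key, or on a different flag, the `[0]` index fails at plan time whenever the two gates disagree. I would confirm that the module uses the same `create_iam_resources` key, and ideally fold the condition into one local such as `velero_iam_enabled = local.velero["enabled"] && local.velero["create_iam_resources"]` referenced by all three `count` expressions so they cannot drift again. Since `google_project_iam_member` binds the custom role project-wide, it is also worth a one-line comment above the resource stating that the grant is scoped only by the custom role's permission list, which is outside this hunk.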
@@ -88,7 +88,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
-| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos-receive-receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
diff --git a/modules/google/loki-stack.tf b/modules/google/loki-stack.tf
index cf89d76a0..55f3fdf82 100644
--- a/modules/google/loki-stack.tf
+++ b/modules/google/loki-stack.tf
@@ -188,20 +188,20 @@ module "loki-stack_bucket" {
 }
 }
 
-resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectViewer_permissions" {
+resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectCreator_permissions" {
 count = local.loki-stack["enabled"] ? 1 : 0
 bucket = local.loki-stack["bucket"]
- role = "roles/storage.objectViewer"
+ role = "roles/storage.objectCreator"
 member = "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
 depends_on = [
 module.loki-stack_bucket
 ]
 }
 
-resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectCreator_permissions" {
+resource "google_storage_bucket_iam_member" "loki-stack_gcs_iam_objectUser_permissions" {
 count = local.loki-stack["enabled"] ? 1 : 0
 bucket = local.loki-stack["bucket"]
- role = "roles/storage.objectCreator"
+ role = "roles/storage.objectUser"
 member = "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
 depends_on = [
 module.loki-stack_bucket
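Review bot: After this hunk the loki service account holds both `roles/storage.objectCreator` and `roles/storage.objectUser` on the same bucket, but objectUser already carries `storage.objects.create` alongside get, list and delete per GCP's predefined-role documentation, so the first resource, `loki-stack_gcs_iam_objectCreator_permissions`, is redundant and only obscures what the identity can actually do. I would drop that resource (and its README row) and keep the single objectUser binding, with a comment above it recording why delete is needed, e.g. `# objectUser (create/get/list/delete) so loki can apply retention and remove expired chunks — presumably the compactor; confirm`. Because delete on the logs bucket now lets a compromised loki identity erase its own evidence, it is worth confirming that the `loki-stack_bucket` module (defined outside this hunk) enables object versioning or a soft-delete/retention policy; nothing in this hunk shows that.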