From 8d105d71d8962005c7aee64a588f97e15ede5a30 Mon Sep 17 00:00:00 2001
From: Jesus Perez Rey
Date: Fri, 1 Sep 2023 13:04:39 +0200
Subject: [PATCH] Move listing cross account keys to teardown playbook.

That task requires privileges that may be restricted and it's only used during the teardown phase.

Signed-off-by: Jesus Perez Rey
---
 roles/platform/tasks/initialize_gcp.yml | 19 ----------------
 .../tasks/initialize_teardown_gcp.yml | 21 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/roles/platform/tasks/initialize_gcp.yml b/roles/platform/tasks/initialize_gcp.yml
index 2db164d6..4d43d64d 100644
--- a/roles/platform/tasks/initialize_gcp.yml
+++ b/roles/platform/tasks/initialize_gcp.yml
@@ -52,22 +52,3 @@
   loop: "{{ __gcp_subnets_discovered.resources }}"
   loop_control:
     loop_var: __gcp_subnet_item
-
-- name: Discover GCP Cross Account Service Account Keys
-  register: __gcp_xaccount_sa_discovered
-  failed_when:
-    - __gcp_xaccount_sa_discovered.rc == 1
-    - "'NOT_FOUND:' not in __gcp_xaccount_sa_discovered.stderr"
-    - "'Permission iam.serviceAccountKeys.list' not in __gcp_xaccount_sa_discovered.stderr"
-  command: >
-    gcloud iam service-accounts keys list
-    --iam-account "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
-    --format="json"
-
-- name: Set discovered Cross Account Service Account keys if exists
-  when:
-    - __gcp_xaccount_sa_discovered is defined
-    - __gcp_xaccount_sa_discovered.stdout is defined
-    - __gcp_xaccount_sa_discovered.stdout | length > 0
-  ansible.builtin.set_fact:
-    plat__gcp_xaccount_keys: "{{ __gcp_xaccount_sa_discovered.stdout | from_json }}"
\ No newline at end of file
diff --git a/roles/platform/tasks/initialize_teardown_gcp.yml b/roles/platform/tasks/initialize_teardown_gcp.yml
index 97642f8f..a8a3bb54 100644
--- a/roles/platform/tasks/initialize_teardown_gcp.yml
+++ b/roles/platform/tasks/initialize_teardown_gcp.yml
@@ -12,4 +12,23 @@
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
-# limitations under the License.
\ No newline at end of file
+# limitations under the License.
+
+- name: Discover GCP Cross Account Service Account Keys
+  register: __gcp_xaccount_sa_discovered
+  failed_when:
+    - __gcp_xaccount_sa_discovered.rc == 1
+    - "'NOT_FOUND:' not in __gcp_xaccount_sa_discovered.stderr"
+    - "'Permission iam.serviceAccountKeys.list' not in __gcp_xaccount_sa_discovered.stderr"
+  command: >
+    gcloud iam service-accounts keys list
+    --iam-account "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
+    --format="json"
+
+- name: Set discovered Cross Account Service Account keys if exists
+  when:
+    - __gcp_xaccount_sa_discovered is defined
+    - __gcp_xaccount_sa_discovered.stdout is defined
+    - __gcp_xaccount_sa_discovered.stdout | length > 0
+  ansible.builtin.set_fact:
+    plat__gcp_xaccount_keys: "{{ __gcp_xaccount_sa_discovered.stdout | from_json }}"
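Review bot: The `failed_when` on the moved "Discover GCP Cross Account Service Account Keys" task only fails on `rc == 1`, so any other non-zero exit from gcloud is treated as success and the following `set_fact` simply finds an empty `stdout`; `- __gcp_xaccount_sa_discovered.rc != 0` would keep the NOT_FOUND/permission carve-outs while catching the rest. The same carve-out means a permission-denied listing leaves `plat__gcp_xaccount_keys` undefined and the teardown quietly skips those keys; a short `ansible.builtin.debug` with `msg` reporting the skipped key cleanup when stderr matches the permission string would make the leftover credentials visible in the run log. The listing is read-only, so `changed_when: false` belongs on the task to avoid a spurious "changed" every run. For consistency with `ansible.builtin.set_fact` in the same hunk, the module should be written `ansible.builtin.command: >`.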