Archetype: sql_service_account_roles_populate.mustache
Assigns each service account its {{iam_role}}. Output projects/ores.sql/populate/iam/iam_service_account_roles_populate.sql.
See the Template variable reference for the complete list of available variables and their semantics.
Template
The full template source. Edit here and re-tangle with
compass build --direct tangle_codegen_templates to regenerate
library/templates/sql_service_account_roles_populate.mustache.
{{! GENERATED FILE — tangled from projects/ores.codegen/library/templates/sql_service.org. Edit the org source. }}
{{{sql_license}}}
/**
* AUTO-GENERATED FILE - DO NOT EDIT MANUALLY
* Template: sql_service_account_roles_populate.mustache
*
* Service Account Role Assignments
*
* Assigns each domain service account its corresponding NATS RBAC role.
* Must run after iam_service_accounts_populate.sql and iam_roles_populate.sql.
*
* This script is idempotent.
*/
\echo '--- Service Account Role Assignments ---'
{{#service_registry}}
{{#services}}
select ores_iam_account_role_assign_fn(
ores_utility_system_tenant_id_fn(), :'{{psql_var}}_user', '{{iam_role}}');
{{/services}}
{{/service_registry}}
-- Summary
select 'Service Account Role Assignments' as entity, count(*) as count
from ores_iam_account_roles_tbl ar
join ores_iam_accounts_tbl a on a.id = ar.account_id
where a.account_type != 'user'
and ar.valid_to = ores_utility_infinity_timestamp_fn();
See also
- Parent facet: SQL service registry templates
- Template variable reference