Add read permissions from search Dataform to GA4

The Search Team's Dataform pipelines [1] read from specific
datasets in the GA4 Analytics project. Here we add
those specific permissions, in line with the principle of least
privilege.

Because some of the pipelines include a table wildcard [2], we
need to add a new custom role that includes the list permission.

It seems that previously these permissions were added in the
GCP UI via click-ops.

[1] https://github.com/alphagov/search-api-v2-dataform
[2] e.g. https://github.com/alphagov/search-api-v2-dataform/blob/main/definitions/search-intraday.sqlx#L66

Author: emmalowe

terraform/deployments/ga4-analytics/project_iam_binding.tf

@@ -70,3 +70,23 @@ resource "google_project_iam_binding" "gds_log_alert_writer" {
     "group:govuk-performance-analysts@digital.cabinet-office.gov.uk"
   ]
 }
+
+resource "google_bigquery_dataset_iam_member" "flattened_dataset_reader" {
+   dataset_id = "${google_project.project.project_id}.flattened_dataset"
+   role       = google_project_iam_custom_role.gds_bigquery_read_access.name
+   members = [
+       "serviceAccount:dataform-sa@search-api-v2-integration.iam.gserviceaccount.com",
+       "serviceAccount:dataform-sa@search-api-v2-staging.iam.gserviceaccount.com",
+       "serviceAccount:dataform-sa@search-api-v2-production.iam.gserviceaccount.com",
+   ]
+ }
+
+resource "google_bigquery_dataset_iam_member" "events_reader_and_lister" {
+   dataset_id = "${google_project.project.project_id}.analytics_330577055"
+   role       = google_project_iam_custom_role.gds_bigquery_read_and_list_access.name
+   members = [
+       "serviceAccount:dataform-sa@search-api-v2-integration.iam.gserviceaccount.com",
+       "serviceAccount:dataform-sa@search-api-v2-staging.iam.gserviceaccount.com",
+       "serviceAccount:dataform-sa@search-api-v2-production.iam.gserviceaccount.com",
+   ]
+ }

terraform/deployments/ga4-analytics/project_iam_custom_roles.tf

@@ -10,6 +10,19 @@ resource "google_project_iam_custom_role" "gds_bigquery_read_access" {
   title   = "GDS BQ read access"
 }
 
+resource "google_project_iam_custom_role" "gds_bigquery_read_and_list_access" {
+  description = "Permissions to read and list BigQuery datasets and tables"
+  permissions = [
+    "bigquery.datasets.get",
+    "bigquery.datasets.getIamPolicy",
+    "bigquery.tables.get",
+    "bigquery.tables.getData",
+    "bigquery.tables.list"
+  ]
+  role_id = "GDS_BQ_read_and_list_access"
+  title   = "GDS BQ read and list access"
+}
+
 resource "google_project_iam_custom_role" "gds_bigquery_saved_query_writer" {
   description = "Permissions to create, update and delete BigQuery saved queries"
   permissions = [