From 0385e46a54645822d217149672b2157f22575760 Mon Sep 17 00:00:00 2001
From: Jessica Jones
Date: Tue, 3 Feb 2026 16:06:12 +0000
Subject: [PATCH 1/2] Assign role to the existing Dataform Service Account
It looks like a Dataform service account already exists, but it has not been assigned any roles. This commit defines a new google_service_account_iam_member policy that assigns the service account the Service Account User role [1] Why? Starting January 19, 2026, security enhancements in the Dataform API will change how workflows are run and what service accounts users can use. This update enforces a new access control model known as strict act-as mode [2] Switch all workflows using the Dataform service agent to use a custom service account. Ensure that the appropriate principals have the Service Account User role (roles/iam.serviceAccountUser) granted on the custom service accounts in Identity and Access Management (IAM). [1] https://docs.cloud.google.com/iam/docs/service-account-permissions#user-role [2] https://docs.cloud.google.com/dataform/docs/strict-act-as-mode
---
 terraform/deployments/search-api-v2/dataform.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/terraform/deployments/search-api-v2/dataform.tf b/terraform/deployments/search-api-v2/dataform.tf
index 9ed48fa57..10f5f8a5d 100644
--- a/terraform/deployments/search-api-v2/dataform.tf
+++ b/terraform/deployments/search-api-v2/dataform.tf
@@ -24,6 +24,13 @@ resource "google_service_account" "dataform_service_account" {
   project = var.gcp_project_id
 }
 
+# Grant the dataform service account the predefined Service Account User role
+resource "google_service_account_iam_member" "dataform_sa_user_role" {
+  service_account_id = google_service_account.dataform_service_account.id
+  role = "roles/iam.serviceAccountUser"
+  member = "serviceAccount:${google_service_account.dataform_service_account.email}"
+}
+
 # Create Dataform repository with GitHub integration
 resource "google_dataform_repository" "search_api_v2" {
   provider = google-beta
From 7087885ffe6573056f68d04e3a6f9c89dc72a2cb Mon Sep 17 00:00:00 2001
From: Jessica Jones
Date: Tue, 3 Feb 2026 17:00:47 +0000
Subject: [PATCH 2/2] Assign analytics write role to Dataform service account
---
 terraform/deployments/search-api-v2/events_ingestion.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/deployments/search-api-v2/events_ingestion.tf b/terraform/deployments/search-api-v2/events_ingestion.tf
index 9659a51de..c6e32b1b7 100644
--- a/terraform/deployments/search-api-v2/events_ingestion.tf
+++ b/terraform/deployments/search-api-v2/events_ingestion.tf
@@ -24,7 +24,8 @@ resource "google_project_iam_binding" "analytics_write" {
   project = var.gcp_project_id
   members = [
     google_service_account.analytics_events_pipeline.member,
-    "serviceAccount:service-${var.gcp_dataform_project_number}@gcp-sa-dataform.iam.gserviceaccount.com"
+    "serviceAccount:service-${var.gcp_dataform_project_number}@gcp-sa-dataform.iam.gserviceaccount.com",
+    google_service_account.dataform_service_account.member
   ]
 }
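Review bot: The new `google_service_account_iam_member` grants `roles/iam.serviceAccountUser` to the Dataform service account on itself — `member` is built from the same account named in `service_account_id` — which gives no other principal permission to act as that account. The strict act-as requirement quoted in the commit message is about the principals that trigger the workflows holding this role on the custom service account, so `member` should presumably name those invoking principals (human users, a scheduler identity, or the Dataform service agent, whichever the linked docs require) rather than the account itself; please confirm against those docs before merging, since as written this binding most likely does not unblock anything. Scoping the grant to this one service account instead of project-wide is the right shape; a comment such as `# actAs on dataform_service_account for the principals that invoke Dataform workflows (strict act-as mode)` would make the intended grantee auditable.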
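Review bot: The `members` list keeps the Dataform service agent (`serviceAccount:service-${var.gcp_dataform_project_number}@gcp-sa-dataform.iam.gserviceaccount.com`) alongside the newly added `google_service_account.dataform_service_account.member`, so once workflows are switched to the custom service account, as the first patch intends, the agent retains analytics write access it no longer needs. If the overlap is deliberate for the migration window, say so on that line, e.g. `# TODO(<ticket>): remove the Dataform service agent once all workflows run as dataform_service_account`; otherwise drop it in the same change. `google_project_iam_binding` is authoritative for its role, so also confirm no other member of this role is managed outside this resource. The resource's `role` line sits above the hunk, so the hunk itself does not show which role is being widened.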