From 126fb315eafe5882612a65176dc5d2539fd3fb88 Mon Sep 17 00:00:00 2001
From: Christian Sutter <git@doublesignal.com>
Date: Thu, 28 Nov 2024 16:09:51 +0000
Subject: [PATCH] Search API v2: Add permissions to API service account

These are needed as we move some tasks from running as GCP Cloud
Functions to being Rake tasks in the API app itself.
---
 terraform/deployments/search-api-v2/service_accounts.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/terraform/deployments/search-api-v2/service_accounts.tf b/terraform/deployments/search-api-v2/service_accounts.tf
index 81c22e9dc..48990a9f7 100644
--- a/terraform/deployments/search-api-v2/service_accounts.tf
+++ b/terraform/deployments/search-api-v2/service_accounts.tf
@@ -26,6 +26,9 @@ resource "google_project_iam_custom_role" "api" {
     "discoveryengine.documents.list",
     "discoveryengine.documents.update",
     "discoveryengine.operations.get",
+    "discoveryengine.suggestionDenyListEntries.import",
+    "discoveryengine.suggestionDenyListEntries.purge",
+    "discoveryengine.userEvents.import",
   ]
 }