fix: Add necessary IAM permissions to Splunk Sink example (#53)

Author: Jberlinsky

examples/splunk-sink/main.tf

@@ -30,3 +30,28 @@ module "destination" {
   log_sink_writer_identity = module.log_export.writer_identity
   create_subscriber        = true
 }
+
+resource "google_project_iam_custom_role" "consumer" {
+  project     = var.project_id
+  role_id     = "SplunkSink"
+  title       = "Splunk Sink"
+  description = "Grant Splunk Addon for GCP permission to see the project and PubSub Subscription"
+
+  permissions = [
+    "pubsub.subscriptions.list",
+    "resourcemanager.projects.get",
+  ]
+}
+
+resource "google_project_iam_member" "consumer" {
+  project = var.project_id
+  role    = google_project_iam_custom_role.consumer.id
+  member  = "serviceAccount:${module.destination.pubsub_subscriber}"
+}
+
+resource "google_pubsub_subscription_iam_member" "consumer" {
+  project      = var.project_id
+  subscription = module.destination.pubsub_subscription
+  role         = "roles/pubsub.subscriber"
+  member       = "serviceAccount:${module.destination.pubsub_subscriber}"
+}