chore: Add billingetl and atlantis service account wg to bugzilla_met… #9633
jasonthomas wants to merge 1 commit into
This PR adds two workgroups (finops/billingetl-bq-scheduled and platform/platform-tf) to the roles/bigquery.dataViewer access list of bugzilla_metrics.users so that billingetl scheduled jobs and Atlantis can read the table. The change itself is a small, well-scoped access grant. My one comment concerns keeping the access list in sync with the downstream authorized view person_mozilla_com, per the maintenance note that already exists in that view's metadata.
| members: | ||
| - workgroup:finops/billingetl-bq-scheduled | ||
| - workgroup:platform/access-events | ||
| - workgroup:platform/platform-tf |
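Review bot: on the `members:` list, nothing beside the entries records why each workgroup needs read access, and the PR description only says the jobs should be able to read "these tables". A short YAML comment on each new entry (which job reads the table, plus the related PR link) would let a later audit decide whether `workgroup:finops/billingetl-bq-scheduled` and `workgroup:platform/platform-tf` still need the grant.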
issue: taskclusteretl/person_mozilla_com/metadata.yaml selects from this view and carries an explicit note that "workgroup_access updates to bugzilla_metrics.users need to match the access here" because the authorization logic only resolves one layer of references. With this change users grants three members (finops/billingetl-bq-scheduled, platform/access-events, platform/platform-tf) while person_mozilla_com still grants only platform/access-events, so the two lists no longer match. If billingetl-bq-scheduled and platform-tf need to read through person_mozilla_com, add them to taskclusteretl/person_mozilla_com/metadata.yaml as well; if they only need direct access to users, that's consistent but worth confirming against the sync note.
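A drift check for the sync requirement raised in the review comment above, as an added example that is not part of the PR or the repository's tooling. The `workgroup_access` / `role` / `members` layout of the two constructed YAML samples is an assumption, and the small line parser stands in for a real YAML loader.

```python
import re

# Constructed samples; the key layout is assumed, member names are from the PR.
USERS_YAML = """\
friendly_name: Users
workgroup_access:
- role: roles/bigquery.dataViewer
  members:
  - workgroup:finops/billingetl-bq-scheduled
  - workgroup:platform/access-events
  - workgroup:platform/platform-tf
"""
PERSON_YAML = """\
workgroup_access:
- role: roles/bigquery.dataViewer
  members:
  - workgroup:platform/access-events
"""

def parse_workgroup_access(text):
    """Return {role: set(members)} read from the workgroup_access block only."""
    grants, role, in_block = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "-")):  # any other top-level key ends the block
            in_block = line.startswith("workgroup_access:")
            continue
        if not in_block:
            continue
        m = re.match(r"\s*(?:-\s*)?role:\s*(\S+)", line)
        if m:
            role = m.group(1)
            grants.setdefault(role, set())
            continue
        m = re.match(r"\s*-\s*(workgroup:\S+)", line)
        if m and role:  # assumes role: precedes members: in each entry
            grants[role].add(m.group(1))
    return grants

def access_drift(upstream, downstream):
    """Per role, list the members granted on only one side of the pair."""
    up, down = parse_workgroup_access(upstream), parse_workgroup_access(downstream)
    drift = {}
    for role in sorted(set(up) | set(down)):
        only_up = sorted(up.get(role, set()) - down.get(role, set()))
        only_down = sorted(down.get(role, set()) - up.get(role, set()))
        if only_up or only_down:
            drift[role] = {"only_upstream": only_up, "only_downstream": only_down}
    return drift
```

An empty result from `access_drift` means the two lists match; run as a CI step, a non-empty result would flag the mismatch before merge.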
…rics.user table
Description
Enable billingetl scheduled jobs and atlantis to read these tables. Related to https://github.com/mozilla/private-bigquery-etl/pull/1416