Introduce default and privileged service accounts

StanfordBDHG · Nov 11, 2024 · 1ec8b54 · 1ec8b54
1 parent 7d075ae
commit 1ec8b54
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 11 deletions.
diff --git a/functions/src/functions/blocking.ts b/functions/src/functions/blocking.ts
@@ -12,11 +12,11 @@ import {
   beforeUserCreated,
   beforeUserSignedIn,
 } from 'firebase-functions/v2/identity'
-import { serviceAccount } from './helpers.js'
+import { privilegedServiceAccount } from './helpers.js'
 import { getServiceFactory } from '../services/factory/getServiceFactory.js'
 
 export const beforeUserCreatedFunction = beforeUserCreated(
-  { serviceAccount: serviceAccount },
+  { serviceAccount: privilegedServiceAccount },
   async (event) => {
     const userId = event.data.uid
 
@@ -70,7 +70,7 @@ export const beforeUserCreatedFunction = beforeUserCreated(
 )
 
 export const beforeUserSignedInFunction = beforeUserSignedIn(
-  { serviceAccount: serviceAccount },
+  { serviceAccount: privilegedServiceAccount },
   async (event) => {
     try {
       const userService = getServiceFactory().user()

diff --git a/functions/src/functions/enrollUser.ts b/functions/src/functions/enrollUser.ts
@@ -8,7 +8,7 @@
 
 import { enrollUserInputSchema } from '@stanfordbdhg/engagehf-models'
 import { https, logger } from 'firebase-functions'
-import { validatedOnCall } from './helpers.js'
+import { privilegedServiceAccount, validatedOnCall } from './helpers.js'
 import { getServiceFactory } from '../services/factory/getServiceFactory.js'
 
 export const enrollUser = validatedOnCall(
@@ -39,4 +39,7 @@ export const enrollUser = validatedOnCall(
 
     logger.debug(`setupUser: User '${userId}' enrollment triggers finished`)
   },
+  {
+    serviceAccount: privilegedServiceAccount,
+  },
 )
diff --git a/functions/src/functions/helpers.ts b/functions/src/functions/helpers.ts
@@ -18,15 +18,16 @@ import {
 } from 'firebase-functions/v2/https'
 import { z } from 'zod'
 
-export const serviceAccount = `cloudfunctionsserviceaccount@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
+export const privilegedServiceAccount = `cloudfunctionsserviceaccount@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
+export const defaultServiceAccount = `limited-cloudfunctions-sa@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
 
 export function validatedOnCall<Schema extends z.ZodTypeAny, Return>(
   name: string,
   schema: Schema,
   handler: (request: CallableRequest<z.output<Schema>>) => Promise<Return>,
   options: CallableOptions = {
     invoker: 'public',
-    serviceAccount: serviceAccount,
+    serviceAccount: defaultServiceAccount,
   },
 ): CallableFunction<z.input<Schema>, Promise<Return>> {
   return onCall(options, async (request) => {
@@ -62,7 +63,7 @@ export function validatedOnRequest<Schema extends z.ZodTypeAny>(
   ) => void | Promise<void>,
   options: https.HttpsOptions = {
     invoker: 'public',
-    serviceAccount: serviceAccount,
+    serviceAccount: defaultServiceAccount,
   },
 ): https.HttpsFunction {
   return onRequest(options, async (request, response) => {

diff --git a/functions/src/functions/onSchedule.ts b/functions/src/functions/onSchedule.ts
@@ -7,14 +7,14 @@
 //
 
 import { onSchedule } from 'firebase-functions/v2/scheduler'
-import { serviceAccount } from './helpers.js'
+import { defaultServiceAccount } from './helpers.js'
 import { getServiceFactory } from '../services/factory/getServiceFactory.js'
 
 export const onScheduleEveryMorning = onSchedule(
   {
     schedule: '0 8 * * *',
     timeZone: 'America/Los_Angeles',
-    serviceAccount: serviceAccount,
+    serviceAccount: defaultServiceAccount,
   },
   async () => getServiceFactory().trigger().everyMorning(),
 )
@@ -23,7 +23,7 @@ export const onScheduleEvery15Minutes = onSchedule(
   {
     schedule: '*/15 * * * *',
     timeZone: 'America/Los_Angeles',
-    serviceAccount: serviceAccount,
+    serviceAccount: defaultServiceAccount,
   },
   async () => getServiceFactory().trigger().every15Minutes(),
 )
@@ -32,7 +32,7 @@ export const onScheduleUpdateMedicationRecommendations = onSchedule(
   {
     schedule: '0 0 * * *',
     timeZone: 'America/Los_Angeles',
-    serviceAccount: serviceAccount,
+    serviceAccount: defaultServiceAccount,
   },
   async () =>
     getServiceFactory().trigger().updateRecommendationsForAllPatients(),