Add Pytest Service Account to Staging (#3733)

* Add Pytest Service Account to Staging
* Allow terraform plan to write a pull request comment

---------

Signed-off-by: Erika Pacheco <erika@ministryofvelocity.com>

.github/workflows/terraform-plan.yml

@@ -37,6 +37,7 @@ jobs:
     permissions:
       contents: 'read'
       id-token: 'write'
+      pull-requests: 'write'
 
     strategy:
       fail-fast: false
@@ -84,6 +85,7 @@ jobs:
     permissions:
       contents: 'read'
       id-token: 'write'
+      pull-requests: 'write'
 
     strategy:
       fail-fast: false

iac/README.md

@@ -31,7 +31,7 @@ Initialize Terraform:
 $ terraform init
 ```
 
-Run `terraform init` against each nested resource using `make plan`:
+Run `terraform init` against each nested resource using `make init`:
 
 ```bash
 $ cd iac/

iac/cal-itp-data-infra-staging/iam/us/project_iam_member.tf

@@ -229,3 +229,9 @@ resource "google_project_iam_member" "tfer--terraform-membership" {
   member  = "serviceAccount:${google_service_account.tfer--terraform.email}"
   project = "cal-itp-data-infra-staging"
 }
+
+resource "google_project_iam_member" "tfer--pytest-membership" {
+  member  = "serviceAccount:${google_service_account.tfer--pytest.email}"
+  project = "cal-itp-data-infra-staging"
+  role    = "roles/storage.objectViewer"
+}

iac/cal-itp-data-infra-staging/iam/us/service_account.tf

@@ -33,3 +33,11 @@ resource "google_service_account" "tfer--terraform" {
   display_name = "Terraform"
   project      = "cal-itp-data-infra-staging"
 }
+
+resource "google_service_account" "tfer--pytest" {
+  account_id   = "github-actions-pytest"
+  description  = "Service account for Github Actions to run tests"
+  disabled     = "false"
+  display_name = "pytest"
+  project      = "cal-itp-data-infra-staging"
+}