# The service account below now carries `count`, so its single instance lives
# at index [0]. This `moved` block retargets existing state to the new address
# so an upgrade does not destroy and recreate the account.
moved {
from = google_service_account.castai_service_account
to = google_service_account.castai_service_account[0]
}
# Same migration for the key resource, which also became conditional via
# `count`. Without this block an upgrade would replace the key (and hence the
# credential material in use) instead of keeping the existing one.
moved {
from = google_service_account_key.castai_key
to = google_service_account_key.castai_key[0]
}
locals {
  # Deterministic account id derived from the cluster name: a fixed prefix plus
  # the first 8 hex characters of sha1(cluster name), 22 characters in total
  # (presumably to stay inside the account_id length limit). Two cluster names
  # whose sha1 prefixes collide would map to the same id within one project.
  service_account_id = format("castai-gke-tf-%s", substr(sha1(var.gke_cluster_name), 0, 8))

  # Email address the IAM bindings in this file grant roles to; it is the
  # standard user-managed service account address for the target project.
  service_account_email = format("%s@%s.iam.gserviceaccount.com", local.service_account_id, var.project_id)
}
resource "google_service_account" "castai_service_account" {
count = var.create_service_account ? 1 : 0
account_id = local.service_account_id
display_name = "Service account to manage ${var.gke_cluster_name} cluster via CAST"
project = var.project_id
}
resource "google_service_account_key" "castai_key" {
count = var.create_service_account ? 1 : 0
service_account_id = google_service_account.castai_service_account[0].name
public_key_type = "TYPE_X509_PEM_FILE"
}
resource "google_project_iam_member" "project" {
for_each = (
var.create_service_account && length(var.service_accounts_unique_ids) == 0 ?
{ for permission in local.default_permissions : permission => permission } :
{}
)
project = var.project_id
role = each.key
member = "serviceAccount:${local.service_account_email}"
}
resource "google_project_iam_member" "scoped_project" {
for_each = (
var.create_service_account && length(var.service_accounts_unique_ids) > 0 ?
{ for permission in local.scoped_permissions : permission => permission } :
{}
)
project = var.project_id
role = each.key
member = "serviceAccount:${local.service_account_email}"
}
resource "google_project_iam_member" "scoped_service_account_user" {
count = var.create_service_account && length(var.service_accounts_unique_ids) > 0 ? 1 : 0
project = var.project_id
role = "roles/iam.serviceAccountUser"
member = "serviceAccount:${local.service_account_email}"
condition {
title = "iam_condition"
description = "IAM condition with limited scope"
expression = local.condition_expression
}
}