workload_identity.tf
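locals {
  # Workload Identity pool the Kubernetes service account belongs to.
  # Falls back to the project's default GKE pool ("<project>.svc.id.goog")
  # when no explicit pool is supplied. coalesce() treats both null and ""
  # as "not supplied", so a null variable no longer produces a null
  # namespace that would break the interpolation below.
  workload_identity_namespace = coalesce(var.workload_identity_namespace, "${var.project_id}.svc.id.goog")

  # IAM principal for the GKE Workload Identity binding:
  #   serviceAccount:<pool>[<k8s namespace>/<k8s service account>]
  # Every grant in this file is made to this single principal.
  workload_identity_sa = "serviceAccount:${local.workload_identity_namespace}[${var.cloud_proxy_service_account_namespace}/${var.cloud_proxy_service_account_name}]"
}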
resource "google_project_iam_member" "workload_identity_project" {
  # Unscoped path: one project-level binding per role in
  # local.default_permissions (defined elsewhere), created only when
  # Workload Identity setup is enabled AND no service account unique IDs
  # were supplied. These bindings carry no IAM condition, so the principal
  # receives each role across the whole project; the scoped resources below
  # are used instead whenever unique IDs are given.
  for_each = var.setup_cloud_proxy_workload_identity && length(var.service_accounts_unique_ids) == 0 ? { for p in local.default_permissions : p => p } : {}

  project = var.project_id
  member  = local.workload_identity_sa
  role    = each.key # map key == role name, keeps state addresses stable
}
resource "google_project_iam_member" "workload_identity_scoped_project" {
  # Scoped path: one project-level binding per role in
  # local.scoped_permissions (defined elsewhere), created only when
  # Workload Identity setup is enabled AND at least one service account
  # unique ID was supplied. Mutually exclusive with
  # workload_identity_project via the length() check.
  # NOTE(review): these bindings are still unconditioned at project scope;
  # only the serviceAccountUser grant below carries an IAM condition.
  for_each = var.setup_cloud_proxy_workload_identity && length(var.service_accounts_unique_ids) > 0 ? { for p in local.scoped_permissions : p => p } : {}

  project = var.project_id
  member  = local.workload_identity_sa
  role    = each.key # map key == role name, keeps state addresses stable
}
resource "google_project_iam_member" "workload_identity_scoped_service_account_user" {
  # Conditional roles/iam.serviceAccountUser grant, present only on the
  # scoped path (setup enabled and at least one unique ID supplied).
  # roles/iam.serviceAccountUser allows impersonation of the matched
  # service accounts, so the condition is what limits its blast radius.
  count = (var.setup_cloud_proxy_workload_identity && length(var.service_accounts_unique_ids) > 0) ? 1 : 0

  project = var.project_id
  member  = local.workload_identity_sa
  role    = "roles/iam.serviceAccountUser"

  # The condition is part of the binding's identity: changing title,
  # description or expression yields a new binding and the old one is
  # replaced. local.condition_expression is defined elsewhere; presumably
  # it restricts the grant to var.service_accounts_unique_ids — verify.
  condition {
    title       = "iam_condition"
    description = "IAM condition with limited scope"
    expression  = local.condition_expression
  }
}