terraform/modules/service_accounts/main.tf (76 lines of code) (raw):
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
locals {
default_sa_list = [
"serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com",
"serviceAccount:${data.google_project.project.number}@cloudservices.gserviceaccount.com",
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com",
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-aiplatform.iam.gserviceaccount.com",
]
}
data "google_project" "project" {}
module "service_accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 3.0"
project_id = var.project_id
names = ["deployment-${var.env}"]
display_name = "deployment-${var.env}"
description = "Deployment SA for ${var.env}"
project_roles = [for i in [
"roles/aiplatform.admin",
"roles/artifactregistry.admin",
"roles/cloudbuild.builds.builder",
"roles/cloudtrace.agent",
"roles/compute.admin",
"roles/container.admin",
"roles/containerregistry.ServiceAgent",
"roles/datastore.owner",
"roles/eventarc.admin",
"roles/eventarc.eventReceiver",
"roles/eventarc.serviceAgent",
"roles/firebase.admin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/iam.workloadIdentityUser",
"roles/logging.admin",
"roles/logging.viewer",
"roles/run.admin",
"roles/run.invoker",
"roles/secretmanager.secretAccessor",
"roles/storage.admin",
"roles/viewer",
] : "${var.project_id}=>${i}"]
generate_keys = false
}
module "default_sa_iam_bindings" {
source = "terraform-google-modules/iam/google//modules/service_accounts_iam"
project = var.project_id
mode = "additive"
bindings = {
"roles/compute.admin" = local.default_sa_list
"roles/compute.serviceAgent" = local.default_sa_list
"roles/eventarc.admin" = local.default_sa_list
"roles/eventarc.eventReceiver" = local.default_sa_list
"roles/eventarc.serviceAgent" = local.default_sa_list
"roles/iam.serviceAccountTokenCreator" = local.default_sa_list
"roles/iam.serviceAccountUser" = local.default_sa_list
"roles/run.admin" = local.default_sa_list
"roles/run.invoker" = local.default_sa_list
"roles/serviceusage.serviceUsageConsumer" = local.default_sa_list
"roles/storage.admin" = local.default_sa_list
}
}