From 3d84897b4b96c488ee2290998dbb7ed1f1c1d278 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Fri, 25 Jun 2021 09:26:33 +0200
Subject: [PATCH] Create pubsub service identity if service is enabled (#270)

* Create service identity if service is enabled

* remove dry run mode

* fix tests

* Improve for_each logic
---
 CHANGELOG.md                                         | 1 +
 modules/project/main.tf                              | 5 +++--
 modules/project/service_accounts.tf                  | 10 +++++++---
 .../scheduled_asset_inventory_export_bq/test_plan.py | 2 +-
 .../data_platform_foundations/test_plan.py           | 2 +-
 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3fb15cc6..76be0561 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+- Create `pubsub` service identity if service is enabled
 ## [5.0.0] - 2021-06-17
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 08bf0e00..e17f6f0a 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -70,7 +70,7 @@ locals {
         for key in var.service_encryption_key_ids[service] : {
           service = service
           key = key
-        }
+        } if key != null
       ]
     ])
   }
@@ -367,7 +367,7 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
 resource "google_kms_crypto_key_iam_member" "crypto_key" {
   for_each = {
-    for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
+    for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key if service_key != service_key.key
   }
   crypto_key_id = each.value.key
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
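Review bot: The filter added to the `for_each` expression of `google_kms_crypto_key_iam_member.crypto_key`, `if service_key != service_key.key`, compares the whole object with its own `key` attribute; in HCL an object never equals a string, so the condition should always be true and filters nothing, and it reads like a typo for `service_key.key != null`. The hunk at line 70 already drops null keys when `local.service_encryption_key_ids` is built, so the guard here is redundant: either drop it and leave `... => service_key`, or write `if service_key.key != null` if a guard close to the IAM binding is wanted. Since this binding grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, a null key slipping through would yield a malformed `crypto_key_id` rather than a wider grant, so the risk is a plan error, not over-permission. The body of `crypto_key` continues past the hunk.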
@@ -375,6 +375,7 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
   depends_on = [
     google_project.project,
     google_project_service.project_services,
+    google_project_service_identity.jit_si,
     data.google_bigquery_default_service_account.bq_sa,
     data.google_project.project,
     data.google_storage_project_service_account.gcs_sa,
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index 5c7f12b7..9a179cce 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -39,6 +39,10 @@ locals {
     for service, name in local.service_accounts_robot_services :
     service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
   }
+  jit_services = [
+    "secretmanager.googleapis.com",
+    "pubsub.googleapis.com"
+  ]
 }
 data "google_storage_project_service_account" "gcs_sa" {
@@ -54,10 +58,10 @@ data "google_bigquery_default_service_account" "bq_sa" {
 }
 # Secret Manager SA created just in time, we need to trigger the creation.
-resource "google_project_service_identity" "sm_sa" {
+resource "google_project_service_identity" "jit_si" {
+  for_each = setintersection(var.services, local.jit_services)
   provider = google-beta
-  count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
   project = local.project.project_id
-  service = "secretmanager.googleapis.com"
+  service = each.value
   depends_on = [google_project_service.project_services]
 }
diff --git a/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py b/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
index a8766f48..47efbff8 100644
--- a/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
+++ b/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
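Review bot: `local.jit_services` is added without a comment, so a reader has to find the `google_project_service_identity.jit_si` resource further down to learn why these two APIs are listed. Suggest a comment above the list: `# APIs whose service identity is only created on first use; we force creation below so dependents (e.g. the KMS bindings in main.tf) can wait on it.` The list is now the single place that decides which identities exist before the `crypto_key` bindings run, so that comment should also say that a service added to the encryption-key map with a just-in-time identity needs an entry here. The `locals` block starts before the hunk.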
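Review bot: The comment `# Secret Manager SA created just in time, we need to trigger the creation.` is now stale, since the resource below it iterates over every entry of `local.jit_services`, including Pub/Sub; suggest `# Service identities created just in time (see local.jit_services); created here so the KMS bindings in main.tf can depend on them.` The rename from `sm_sa` with `count` to `jit_si` with `for_each` also changes the state address from `google_project_service_identity.sm_sa[0]` to `google_project_service_identity.jit_si["secretmanager.googleapis.com"]`, so existing states will plan a destroy and create of the identity resource unless it is moved with `terraform state mv`; if the provider treats deletion of a service identity as a state-only operation this is harmless, but it deserves a line in the changelog entry. `setintersection(var.services, local.jit_services)` presumably relies on `var.services` being a list or set of strings, which is not visible here.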
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 5
-  assert len(resources) == 18
+  assert len(resources) == 19
diff --git a/tests/data_solutions/data_platform_foundations/test_plan.py b/tests/data_solutions/data_platform_foundations/test_plan.py
index 80f29733..a17e74cd 100644
--- a/tests/data_solutions/data_platform_foundations/test_plan.py
+++ b/tests/data_solutions/data_platform_foundations/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 6
-  assert len(resources) == 32
+  assert len(resources) == 35
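Review bot: The bumped counts (`len(resources) == 19` here and `== 35` in the data_platform_foundations test) say nothing about where the extra resources come from, so a future failure will not point at the `jit_si` identities this commit adds. A short comment next to each new value, e.g. `# includes the pubsub service identity created by modules/project`, would record the reason; asserting that the identity's address is present would be stronger, but whether `resources` carries addresses is not visible from this hunk. `test_resources` starts before the hunk.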