From cc0b278df3d54ff9ded7cec50f19a684db8091ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Wed, 12 Jul 2023 12:25:16 +0000
Subject: [PATCH] Move IAM grant to function level for trigger SA
---
 modules/cloud-function-v2/main.tf | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index 4e8cca36..ec90738b 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -24,6 +24,18 @@ locals {
 : null
 )
 )
+ _iam_run_invoker_members = concat(
+ lookup(var.iam, "roles/run.invoker", []),
+ var.trigger_config == null ? [] :
+ var.trigger_config.service_account_create ? ["serviceAccount:${local.trigger_service_account_email}"] : []
+ )
+ iam = merge(
+ var.iam,
+ length(local._iam_run_invoker_members) == 0 ? {} :
+ {
+ "roles/run.invoker" : local._iam_run_invoker_members
+ },
+ )
 prefix = var.prefix == null ? "" : "${var.prefix}-"
 service_account_email = (
 var.service_account_create
@@ -211,12 +223,3 @@ resource "google_service_account" "trigger_service_account" {
 account_id = "tf-cf-trigger-${var.name}"
 display_name = "Terraform trigger for Cloud Function ${var.name}."
 }
-
-resource "google_project_iam_member" "trigger_iam" {
- count = (
- try(var.trigger_config.service_account_create, false) == true ? 1 : 0
- )
- project = var.project_id
- member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
- role = "roles/run.invoker"
-}
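Review bot: The new `_iam_run_invoker_members` condition in the first hunk drops the null tolerance the removed resource had: the old code used `try(var.trigger_config.service_account_create, false)`, while the new line evaluates `var.trigger_config.service_account_create ? … : []` directly, and a null condition is a plan-time error in Terraform, so a `trigger_config` object whose `service_account_create` is unset (if the variable type allows that) now fails instead of granting nothing. Keeping the old guard is a one-line change: `try(var.trigger_config.service_account_create, false) ? ["serviceAccount:${local.trigger_service_account_email}"] : []`. The move itself is the right direction — the deleted `google_project_iam_member` gave the trigger SA `roles/run.invoker` on every Cloud Run service in the project, and a function-scoped grant is least-privilege — but it only takes effect if the function's IAM resource now reads `local.iam` rather than `var.iam`, and that consumer, like `local.trigger_service_account_email`, is outside this hunk, so please confirm it was switched or the trigger SA silently loses its invoke permission. A short why-comment above `iam = merge(` such as `# Merge the caller's bindings with the auto-created trigger SA so it can invoke this function only, not every Cloud Run service in the project.` would record the intent. The enclosing `locals` block starts before and continues past this hunk.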