Move IAM grant to function level for trigger SA
This commit is contained in:
parent
93b2f9cba2
commit
cc0b278df3
|
@ -24,6 +24,18 @@ locals {
|
||||||
: null
|
: null
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
_iam_run_invoker_members = concat(
|
||||||
|
lookup(var.iam, "roles/run.invoker", []),
|
||||||
|
var.trigger_config == null ? [] :
|
||||||
|
var.trigger_config.service_account_create ? ["serviceAccount:${local.trigger_service_account_email}"] : []
|
||||||
|
)
|
||||||
|
iam = merge(
|
||||||
|
var.iam,
|
||||||
|
length(local._iam_run_invoker_members) == 0 ? {} :
|
||||||
|
{
|
||||||
|
"roles/run.invoker" : local._iam_run_invoker_members
|
||||||
|
},
|
||||||
|
)
|
||||||
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||||
service_account_email = (
|
service_account_email = (
|
||||||
var.service_account_create
|
var.service_account_create
|
||||||
|
@ -211,12 +223,3 @@ resource "google_service_account" "trigger_service_account" {
|
||||||
account_id = "tf-cf-trigger-${var.name}"
|
account_id = "tf-cf-trigger-${var.name}"
|
||||||
display_name = "Terraform trigger for Cloud Function ${var.name}."
|
display_name = "Terraform trigger for Cloud Function ${var.name}."
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_project_iam_member" "trigger_iam" {
|
|
||||||
count = (
|
|
||||||
try(var.trigger_config.service_account_create, false) == true ? 1 : 0
|
|
||||||
)
|
|
||||||
project = var.project_id
|
|
||||||
member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
|
|
||||||
role = "roles/run.invoker"
|
|
||||||
}
|
|
||||||
|
|
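Review bot: The new `_iam_run_invoker_members` expression in the first hunk uses `var.trigger_config.service_account_create` directly as a ternary condition, so a null value (an unset optional attribute, if `trigger_config` is an object with optional fields) fails the plan with a "condition value is null" error, whereas the deleted `trigger_iam` resource tolerated that with `try(var.trigger_config.service_account_create, false) == true`. Keep the same guard in the local: `try(var.trigger_config.service_account_create, false) ? ["serviceAccount:${local.trigger_service_account_email}"] : []`. The member is now built from `local.trigger_service_account_email`, which is defined outside this hunk; it presumably resolves to the same `google_service_account.trigger_service_account[0].email` the removed project-level binding used, and that should be confirmed, otherwise the function-level grant targets a different principal. Scoping `roles/run.invoker` to the function's own IAM instead of a project-wide binding narrows what the trigger service account can invoke, and a one-line comment above the local such as `# Trigger SA gets run.invoker on this function only (replaces the project-level binding)` would record that intent for the next maintainer.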