Move `bq` robot service account into the robot service account project output (#262)

CHANGELOG.md

@@ -3,7 +3,8 @@
 All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
- - Fix `message_retention_duration` variable type in `pubsub` module 
+ - Fix `message_retention_duration` variable type in `pubsub` module
+ - Move `bq` robot service account into the robot service account project output 
 
 ## [4.9.0] - 2021-06-04
 

data-solutions/gcs-to-bq-with-dataflow/main.tf

@@ -134,7 +134,7 @@ module "kms" {
     },
     key-bq = {
       "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-        "serviceAccount:${module.project-service.service_accounts.default.bq}",
+        "serviceAccount:${module.project-service.service_accounts.robots.bq}",
         #"serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}",
       ]
     },

modules/project/service_accounts.tf

@@ -17,12 +17,11 @@
 locals {
   service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
   service_accounts_default = {
-    # TODO: Find a better place to store BQ service account
-    bq      = "bq-${local.project.number}@bigquery-encryption.iam.gserviceaccount.com"
     compute = "${local.project.number}-compute@developer.gserviceaccount.com"
     gae     = "${local.project.project_id}@appspot.gserviceaccount.com"
   }
   service_accounts_robot_services = {
+    bq                = "bigquery-encryption"
     cloudasset        = "gcp-sa-cloudasset"
     cloudbuild        = "gcp-sa-cloudbuild"
     compute           = "compute-system"
@@ -37,6 +36,6 @@ locals {
   }
   service_accounts_robots = {
     for service, name in local.service_accounts_robot_services :
-    service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
+    service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
   }
 }