From efb52eeb6ca129916cb7f9206fc42e60b41820c5 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Fri, 11 Jun 2021 13:02:30 +0200
Subject: [PATCH] Move `bq` robot service account into the robot service account project output (#262)

---
 CHANGELOG.md | 3 ++-
 data-solutions/gcs-to-bq-with-dataflow/main.tf | 2 +-
 modules/project/service_accounts.tf | 5 ++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43d9ef75..2486183c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
- - Fix `message_retention_duration` variable type in `pubsub` module
+ - Fix `message_retention_duration` variable type in `pubsub` module
+ - Move `bq` robot service account into the robot service account project output
 ## [4.9.0] - 2021-06-04
diff --git a/data-solutions/gcs-to-bq-with-dataflow/main.tf b/data-solutions/gcs-to-bq-with-dataflow/main.tf
index 647cf6d3..39c13122 100644
--- a/data-solutions/gcs-to-bq-with-dataflow/main.tf
+++ b/data-solutions/gcs-to-bq-with-dataflow/main.tf
@@ -134,7 +134,7 @@ module "kms" {
 },
 key-bq = {
 "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
- "serviceAccount:${module.project-service.service_accounts.default.bq}",
+ "serviceAccount:${module.project-service.service_accounts.robots.bq}",
 #"serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}",
 ]
 },
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index b0a64017..a801a8e0 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
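Review bot: The changed line in the `key-bq` binding now grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to an address the `project` module derives from the project number, while the commented-out `data.google_bigquery_default_service_account` line directly below it stays in the file as dead code with no explanation. Presumably the derived address is used because the BigQuery encryption service account is expected to exist already in the project, whereas the data source would have provisioned it; if that is the case it should be stated, since a binding on a principal that has not yet been created can fail at apply time — confirm. I would either delete the commented line or replace it with `# BigQuery encryption SA address is derived by the project module; data.google_bigquery_default_service_account would provision the account instead`. The enclosing `module "kms"` block starts and ends outside the hunk.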
@@ -17,12 +17,11 @@ locals {
 service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
 service_accounts_default = {
- # TODO: Find a better place to store BQ service account
- bq = "bq-${local.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 compute = "${local.project.number}-compute@developer.gserviceaccount.com"
 gae = "${local.project.project_id}@appspot.gserviceaccount.com"
 }
 service_accounts_robot_services = {
+ bq = "bigquery-encryption"
 cloudasset = "gcp-sa-cloudasset"
 cloudbuild = "gcp-sa-cloudbuild"
 compute = "compute-system"
@@ -37,6 +36,6 @@ locals {
 }
 service_accounts_robots = {
 for service, name in local.service_accounts_robot_services :
- service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
+ service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
 }
 }
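Review bot: Dropping `bq` from `service_accounts_default` removes a key from the module's `service_accounts.default` output, so any consumer outside this repository that still references `service_accounts.default.bq` (as `gcs-to-bq-with-dataflow/main.tf` did before this commit) will fail at plan time, yet the CHANGELOG entry describes it only as a move. I would flag it as an incompatible change in the changelog line, e.g. `- **incompatible change:** move `bq` robot service account into the robot service account project output (`service_accounts.default.bq` is now `service_accounts.robots.bq`)`. The removed `# TODO` comment is not replaced by anything on the new `bq = "bigquery-encryption"` entry, so the reason this entry behaves differently from its neighbours is no longer visible here. The enclosing `locals` block starts and continues outside the hunk.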
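Review bot: The ternary `service == "bq" ? "bq" : "service"` on the changed line embeds a one-off naming rule inside the comprehension that builds every robot address, with no comment saying why `bq` is the exception, so a reader of `service_accounts_robot_services` gets no hint that one of its entries is special-cased. At minimum add a comment above the line, `# the BigQuery encryption account is bq-<project number>@..., every other robot is service-<project number>@...`; a cleaner option is to store the prefix next to the domain in the data map so the comprehension stays uniform and the exception is visible where the entry is declared. The enclosing `locals` block starts outside the hunk.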