feat: Grant roles/artifactregistry.reader to created service account when grant_registry_access is true (#748)

davidholsgrove · web-flow · commit 166fb2422095 · 2020-11-30T00:29:54.000-05:00
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/sa.tf b/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
+  project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+  role    = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}

Original file line number	Diff line number	Diff line change
`@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {`
`76`	`76`	`member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"`
`77`	`77`	`}`
`78`	`78`
	`79`	`+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {`
	`80`	`+ count = var.create_service_account && var.grant_registry_access ? 1 : 0`
	`81`	`+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id`
	`82`	`+ role = "roles/artifactregistry.reader"`
	`83`	`+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"`
	`84`	`+}`