feat: add serviceUsageConsumer to SA for GCFS

Author: apeabody

autogen/main/sa.tf.tmpl

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,6 +80,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
 {% if beta_cluster %}
 
 resource "google_project_service_identity" "fleet_project" {

modules/beta-autopilot-private-cluster/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/beta-autopilot-public-cluster/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/beta-private-cluster-update-variant/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/beta-private-cluster/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/beta-public-cluster-update-variant/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/beta-public-cluster/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,13 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_service_identity" "fleet_project" {
   count    = var.fleet_project_grant_service_agent ? 1 : 0
   provider = google-beta

modules/private-cluster-update-variant/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,3 +80,10 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}

modules/private-cluster/sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,3 +80,10 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}

sa.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,3 +80,10 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
+  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  project  = each.key
+  role     = "roles/serviceusage.serviceUsageConsumer"
+  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}