diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 07b189cde0..69a895640f 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
index 832e2665a3..b08b4e3bb9 100644
--- a/modules/beta-autopilot-private-cluster/sa.tf
+++ b/modules/beta-autopilot-private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
index 832e2665a3..b08b4e3bb9 100644
--- a/modules/beta-autopilot-public-cluster/sa.tf
+++ b/modules/beta-autopilot-public-cluster/sa.tf
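Review bot: The new `var.grant_registry_access` term in the `for_each` of `cluster_service_account_service_usage_consumer` (autogen/main/sa.tf.tmpl) changes what an existing deployment keeps on upgrade, and nothing in the hunk documents that. A caller that creates the service account (and, on non-autopilot modules, sets `enable_gcfs`) but leaves `grant_registry_access` off will see the `roles/serviceusage.serviceUsageConsumer` bindings on every project in `local.registry_projects_list` planned for removal; the variable's declaration and default are not visible here, so confirm them and call this out in the upgrade notes. I would add a comment above the resource, for example `# Project-level serviceUsageConsumer on each registry project; created only when grant_registry_access is set.`, and wrap the condition in parentheses so the Jinja-spliced `&& var.enable_gcfs` reads clearly as part of the ternary's test. The same point applies to the generated copies under `modules/*/sa.tf` and the root `sa.tf`; the resource block closes outside the hunk.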
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index 620c70ce3a..2e57cf5b1f 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 620c70ce3a..2e57cf5b1f 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index 620c70ce3a..2e57cf5b1f 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 620c70ce3a..2e57cf5b1f 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index ec2e71332f..bc99b303f9 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index ec2e71332f..bc99b303f9 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/sa.tf b/sa.tf
index ec2e71332f..bc99b303f9 100644
--- a/sa.tf
+++ b/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
- for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+ for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
 project = each.key
 role = "roles/serviceusage.serviceUsageConsumer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"