Remove support for creating SA for event arc triggers

2025-08-13 10:03:10 +00:00
parent ff85f05669
commit 75fa484730
8 changed files with 56 additions and 382 deletions
--- a/modules/cloud-run-v2/main.tf
+++ b/modules/cloud-run-v2/main.tf
@@ -66,28 +66,6 @@ locals {
    project  = local._resource[var.type].project
    uri      = var.type == "SERVICE" ? local._resource[var.type].uri : ""
  }
-  trigger_sa_create = try(
-    var.service_config.eventarc_triggers.service_account_create, false
-  )
-  trigger_sa_email = try(
-    google_service_account.trigger_service_account[0].email,
-    var.service_config.eventarc_triggers.service_account_email,
-    null
-  )
-}
-
-resource "google_cloud_run_v2_service_iam_member" "default" {
-  # if authoritative invoker role is not present and we create trigger sa
-  # use additive binding to grant it the role
-  count = (
-    lookup(var.iam, "roles/run.invoker", null) == null &&
-    local.trigger_sa_create
-  ) ? 1 : 0
-  project  = google_cloud_run_v2_service.service[0].project
-  location = google_cloud_run_v2_service.service[0].location
-  name     = google_cloud_run_v2_service.service[0].name
-  role     = "roles/run.invoker"
-  member   = "serviceAccount:${local.trigger_sa_email}"
 }

 resource "google_service_account" "service_account" {
@@ -120,7 +98,7 @@ resource "google_eventarc_trigger" "audit_log_triggers" {
      region  = google_cloud_run_v2_service.service[0].location
    }
  }
-  service_account = local.trigger_sa_email
+  service_account = var.eventarc_triggers.service_account_email
 }

 resource "google_eventarc_trigger" "pubsub_triggers" {
@@ -143,7 +121,7 @@ resource "google_eventarc_trigger" "pubsub_triggers" {
      region  = google_cloud_run_v2_service.service[0].location
    }
  }
-  service_account = local.trigger_sa_email
+  service_account = var.eventarc_triggers.service_account_email
 }

 resource "google_eventarc_trigger" "storage_triggers" {
@@ -166,22 +144,5 @@ resource "google_eventarc_trigger" "storage_triggers" {
      path    = try(each.value.path, null)
    }
  }
-  service_account = local.trigger_sa_email
-  depends_on = [
-    google_project_iam_member.trigger_sa_event_receiver
-  ]
-}
-
-resource "google_service_account" "trigger_service_account" {
-  count        = local.trigger_sa_create ? 1 : 0
-  project      = var.project_id
-  account_id   = "tf-cr-trigger-${var.name}"
-  display_name = "Terraform trigger for Cloud Run ${var.name}."
-}
-
-resource "google_project_iam_member" "trigger_sa_event_receiver" {
-  count   = local.trigger_sa_create ? 1 : 0
-  member  = google_service_account.trigger_service_account[0].member
-  project = var.project_id
-  role    = "roles/eventarc.eventReceiver"
+  service_account = var.eventarc_triggers.service_account_email
 }