Skip IAM grants for service agents that are not created on API activation (#3448)

* Skip IAM grants for service agents that are not created on API activation * Fix tests
2025-10-21 16:31:32 +02:00
parent 367184561b
commit 772d064e1c
7 changed files with 284 additions and 21 deletions
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -116,16 +116,7 @@ locals {
      } if alltrue([
        var.service_agents_config.grant_default_roles,
        agent.role != null,
-        # TODO: improve the detection below
-        # this skips IAM role grants to the non-primary agents listed below
-        # as it's failing, possibly because the agents don't exist
-        # after API activation
-        !contains([
-          "apigateway", "apigateway-mgmt", "bigqueryspark", "bigquerytardis",
-          "firebase", "krmapihosting", "krmapihosting-dataplane", "logging",
-          "networkactions", "prod-bigqueryomni", "scc-notification",
-          "securitycenter"
-        ], agent.name)
+        !agent.skip_iam
    ])
  }
  services = [