diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index f12542edb..fb1449b76 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -41,6 +41,7 @@ module "myproject-default-service-accounts" {
| *iam_project_roles* | Project roles granted to the service account, by project id. | map(list(string)) | | {} |
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | map(list(string)) | | {} |
| *prefix* | Prefix applied to service account names. | string | | null |
+| *service_account_create* | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true |
## Outputs
diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index 071d7a14a..2095ec5a1 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -57,10 +57,23 @@ locals {
: map("", null)
, {})
prefix = var.prefix != null ? "${var.prefix}-" : ""
- resource_iam_email = "serviceAccount:${google_service_account.service_account.email}"
+ resource_iam_email = "serviceAccount:${local.service_account.email}"
+ service_account = (
+ var.service_account_create
+ ? try(google_service_account.service_account.0, null)
+ : try(data.google_service_account.service_account.0, null)
+ )
+}
+
+
+data "google_service_account" "service_account" {
+ count = var.service_account_create ? 0 : 1
+ project = var.project_id
+ account_id = "${local.prefix}${var.name}"
}
resource "google_service_account" "service_account" {
+ count = var.service_account_create ? 1 : 0
project = var.project_id
account_id = "${local.prefix}${var.name}"
display_name = var.display_name
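Review bot: The `null` fallbacks in the two `try(...)` branches of the new `service_account` local cannot be consumed safely, because `resource_iam_email` one line above, and every other new reference in this commit, reads `.email` or `.name` from it directly, which fails at plan time on a null value. Either drop the fallback so a missing account surfaces as the real lookup error, or guard the dependents, e.g. `resource_iam_email = local.service_account == null ? null : "serviceAccount:${local.service_account.email}"`. It is also worth a comment on the data source that it resolves the existing account by the same `${local.prefix}${var.name}` the resource would create, so callers must pass the same `prefix`/`name` as the account they intend the module's IAM grants to land on. The `locals` block edited here starts before the hunk.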
@@ -68,12 +81,12 @@ resource "google_service_account" "service_account" {
resource "google_service_account_key" "key" {
for_each = var.generate_key ? { 1 = 1 } : {}
- service_account_id = google_service_account.service_account.email
+ service_account_id = local.service_account.email
}
resource "google_service_account_iam_binding" "roles" {
for_each = var.iam
- service_account_id = google_service_account.service_account.name
+ service_account_id = local.service_account.name
role = each.key
members = each.value
}
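Review bot: With `service_account_create = false`, `google_service_account_iam_binding.roles` is now applied to a service account this module does not own, and that resource is authoritative for each role it manages, so any members already bound to a role in `var.iam` on the pre-existing account would be removed on apply. Likewise `google_service_account_key.key` mints a new key for an externally managed account whenever `generate_key` is true, which widens the credential surface of an account another team may be relying on. Neither is necessarily wrong, but it should be visible in the code, e.g. `# NOTE: when service_account_create is false these bindings still replace the member set of each role in var.iam on the referenced account`, and the non-authoritative `google_service_account_iam_member` is worth considering for the shared-account case.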
diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf
index 2b53cc6f7..642cbb89a 100644
--- a/modules/iam-service-account/outputs.tf
+++ b/modules/iam-service-account/outputs.tf
@@ -16,12 +16,12 @@
output "service_account" {
description = "Service account resource."
- value = google_service_account.service_account
+ value = local.service_account
}
output "email" {
description = "Service account email."
- value = google_service_account.service_account.email
+ value = local.service_account.email
}
output "iam_email" {
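Review bot: The `service_account` output now yields either the resource object or the data-source object depending on `var.service_account_create`, and the two do not expose the same attribute set (the data source carries no `description`, for instance), so consumers reading such attributes break in the data-source case; it can also be null through the `try(..., null)` fallback in the locals. The description should state this, e.g. `description = "Service account resource, or data source when service_account_create is false."`. The `iam_email` output at the end of the hunk continues outside it.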
diff --git a/modules/iam-service-account/variables.tf b/modules/iam-service-account/variables.tf
index ed32f6167..f3106e884 100644
--- a/modules/iam-service-account/variables.tf
+++ b/modules/iam-service-account/variables.tf
@@ -77,3 +77,9 @@ variable "project_id" {
description = "Project id where service account will be created."
type = string
}
+
+variable "service_account_create" {
+ description = "Create service account. When set to false, uses a data source to reference an existing service account."
+ type = bool
+ default = true
+}
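Review bot: The description of `service_account_create` does not say what "existing service account" must mean for the lookup to succeed, nor that the module keeps managing IAM bindings and keys on it. Suggest expanding it to something like `description = "Create service account. When false, the account named <prefix>-<name> must already exist in project_id; the module still manages its IAM bindings and keys."` so the sharing implications are clear to callers.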