feat: Add Service Agent substitution for Buckets and iam_by_principal in project-factory (#3246)

* feat: Add Service Agent substitution for `iam_by_principals`, just like the other `iam*` attributes * feat: Add Service Agent substitution for Buckets created via `project-factory` * fix: Service Account lookups in IAM assignments of Buckets, created by `project-factory` --------- Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2025-07-29 10:26:49 +02:00
parent f2c0dce081
commit 97f63fcc52
1 changed files with 24 additions and 12 deletions
--- a/modules/project-factory/main.tf
+++ b/modules/project-factory/main.tf
@@ -237,6 +237,9 @@ module "projects-iam" {
      module.service-accounts[k].iam_email,
      # other automation service account (project/automation/rw)
      local.context.iam_principals[k],
+      # project's service identities
+      local.service_agents_email["${each.key}/${k}"],
+      local.service_agents_email[k],
      # passthrough + error handling using tonumber until Terraform gets fail/raise function
      (
        strcontains(k, ":")
@@ -343,13 +346,16 @@ module "buckets" {
        module.service-accounts[vv].iam_email,
        # other automation service account (project/automation/rw)
        local.context.iam_principals[vv],
+        # project's service identities
+        local.service_agents_email["${each.value.project_key}/${vv}"],
+        local.service_agents_email[vv],
        # passthrough + error handling using tonumber until Terraform gets fail/raise function
        (
          strcontains(vv, ":")
          ? templatestring(
-            vv, { project_number = module.projects[each.key].number }
+            vv, { project_number = module.projects[each.value.project_key].number }
          )
-          : tonumber("[Error] Invalid member: '${vv}' in project '${each.value.project_key}'")
+          : tonumber("[Error] Invalid member: '${vv}' in bucket '${each.key}'")
        )
      )
    ]
@@ -359,22 +365,25 @@ module "buckets" {
      members = [
        for vv in v.members : try(
          # project service accounts (sa)
-          module.service-accounts["${each.value.project}/${vv}"].iam_email,
+          module.service-accounts["${each.value.project_key}/${vv}"].iam_email,
          # automation service account (rw)
-          local.context.iam_principals["${each.value.project}/automation/${vv}"],
+          local.context.iam_principals["${each.value.project_key}/automation/${vv}"],
          # automation service account (automation/rw)
-          local.context.iam_principals["${each.value.project}/${vv}"],
+          local.context.iam_principals["${each.value.project_key}/${vv}"],
          # other projects service accounts (project/sa)
          module.service-accounts[vv].iam_email,
          # other automation service account (project/automation/rw)
          local.context.iam_principals[vv],
+          # project's service identities
+          local.service_agents_email["${each.value.project_key}/${vv}"],
+          local.service_agents_email[vv],
          # passthrough + error handling using tonumber until Terraform gets fail/raise function
          (
            strcontains(vv, ":")
            ? templatestring(
-              vv, { project_number = module.projects[each.key].number }
+              vv, { project_number = module.projects[each.value.project_key].number }
            )
-            : tonumber("[Error] Invalid member: '${vv}' in project '${each.value.project}'")
+            : tonumber("[Error] Invalid member: '${vv}' in bucket '${each.key}'")
          )
        )
      ]
@@ -384,22 +393,25 @@ module "buckets" {
    for k, v in each.value.iam_bindings_additive : k => merge(v, {
      member = try(
        # project service accounts (sa)
-        module.service-accounts["${each.value.project}/${v.member}"].iam_email,
+        module.service-accounts["${each.value.project_key}/${v.member}"].iam_email,
        # automation service account (rw)
-        local.context.iam_principals["${each.value.project}/automation/${v.member}"],
+        local.context.iam_principals["${each.value.project_key}/automation/${v.member}"],
        # automation service account (automation/rw)
-        local.context.iam_principals["${each.value.project}/${v.member}"],
+        local.context.iam_principals["${each.value.project_key}/${v.member}"],
        # other projects service accounts (project/sa)
        module.service-accounts[v.member].iam_email,
        # other automation service account (project/automation/rw)
        local.context.iam_principals[v.member],
+        # project's service identities
+        local.service_agents_email["${each.value.project_key}/${v.member}"],
+        local.service_agents_email[v.member],
        # passthrough + error handling using tonumber until Terraform gets fail/raise function
        (
          strcontains(v.member, ":")
          ? templatestring(
-            v.member, { project_number = module.projects[each.key].number }
+            v.member, { project_number = module.projects[each.value.project_key].number }
          )
-          : tonumber("[Error] Invalid member: '${v.member}' in project '${each.value.project}'")
+          : tonumber("[Error] Invalid member: '${v.member}' in bucket '${each.key}'")
        )
      )
    })