Allow additive IAM grants by robots name

Regreatablly member name will be known after apply, hence changes in the tests
2023-02-11 12:53:28 +00:00
parent 36a7347744
commit e64e8db20d
4 changed files with 35 additions and 8 deletions
--- a/modules/project/iam.tf
+++ b/modules/project/iam.tf
@@ -47,7 +47,18 @@ locals {
  }
  iam_additive = {
    for pair in concat(local._iam_additive_pairs, local._iam_additive_member_pairs) :
-    "${pair.role}-${pair.member}" => pair
+    "${pair.role}-${pair.member}" => {
+      role = pair.role
+      member = (
+        pair.member == "cloudservices"
+        ? "serviceAccount:${local.service_account_cloud_services}"
+        : pair.member == "default-compute"
+        ? "serviceAccount:${local.service_accounts_default.compute}"
+        : pair.member == "default-gae"
+        ? "serviceAccount:${local.service_accounts_default.gae}"
+        : try("serviceAccount:${local.service_accounts_robots[pair.member]}", pair.member)
+      )
+    }
  }
 }