shortcake-dev · BryceBeagle · Apr 4, 2022 · Apr 4, 2022 · Apr 4, 2022 · Apr 4, 2022
diff --git a/modules/docker_image/main.tf b/modules/docker_image/main.tf
@@ -18,19 +18,8 @@ locals {
   ghcr_registry = "ghcr.io/${var.ghcr_repo}"
 }
 
-resource "google_service_account" "artifact_registry_image_sa" {
-  account_id   = "terraform-artifact-registry-sa"
-  display_name = "terraform-artifact-registry-sa"
-}
-
-resource "google_project_iam_member" "artifact_registry_image_sa" {
-  project = var.project
-  role    = "roles/artifactregistry.repoAdmin"
-  member  = "serviceAccount:${google_service_account.artifact_registry_image_sa.email}"
-}
-
 data "google_service_account_access_token" "artifact_registry_image_sa_token" {
-  target_service_account = google_service_account.artifact_registry_image_sa.email
+  target_service_account = var.docker_registry_service_account.email
   scopes                 = ["cloud-platform"]
 }
 

diff --git a/modules/docker_image/variables.tf b/modules/docker_image/variables.tf
@@ -2,6 +2,13 @@ variable "project" {
   type = string
 }
 
+variable "docker_registry_service_account" {
+  type = object({
+    name = string
+    email = string
+  })
+}
+
 variable "ghcr_repo" {
   type = string
 }

diff --git a/modules/docker_registry/main.tf b/modules/docker_registry/main.tf
@@ -1,3 +1,15 @@
+module "service_account" {
+  source = "../service_account"
+
+  project = var.project
+  deployment_name = var.deployment_name
+
+  name = "artifact-registry"
+  roles = [
+    "roles/artifactregistry.repoAdmin"
+  ]
+}
+
 resource "google_artifact_registry_repository" "docker_registry" {
   provider = google-beta
 

diff --git a/modules/docker_registry/outputs.tf b/modules/docker_registry/outputs.tf
@@ -1,3 +1,7 @@
 output "docker_registry" {
   value = google_artifact_registry_repository.docker_registry
 }
+
+output "service_account" {
+  value = module.service_account.service_account
+}
diff --git a/modules/docker_registry/variables.tf b/modules/docker_registry/variables.tf
@@ -1,3 +1,11 @@
+variable "project" {
+  type = string
+}
+
+variable "deployment_name" {
+  type = string
+}
+
 variable "region" {
   type = string
 }

diff --git a/modules/service_account/main.tf b/modules/service_account/main.tf
@@ -0,0 +1,15 @@
+resource "random_uuid" "account_id" {
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "sa-${substr(random_uuid.account_id.result, -8, -1)}-${var.deployment_name}"
+  display_name = "${var.name}-${var.deployment_name}"
+}
+
+resource "google_project_iam_member" "service_account_iam_member" {
+  for_each = var.roles
+
+  project = var.project
+  role = each.value
+  member  = "serviceAccount:${google_service_account.service_account.email}"
+}
diff --git a/modules/service_account/outputs.tf b/modules/service_account/outputs.tf
@@ -0,0 +1,3 @@
+output "service_account" {
+  value = google_service_account.service_account
+}
diff --git a/modules/service_account/variables.tf b/modules/service_account/variables.tf
@@ -0,0 +1,15 @@
+variable "project" {
+  type = string
+}
+
+variable "deployment_name" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "roles" {
+  type = set(string)
+}
diff --git a/shortcake-backend.tf b/shortcake-backend.tf
@@ -7,6 +7,9 @@ module "network" {
 module "docker_registry" {
   source = "./modules/docker_registry"
 
+  project = local.project_id
+  deployment_name = var.deployment_name
+
   region        = local.region
   repository_id = local.deployment_name
 }
@@ -15,6 +18,7 @@ module "docker_image" {
   source = "./modules/docker_image"
 
   project = local.project_id
+  docker_registry_service_account = module.docker_registry.service_account
 
   ghcr_repo = local.ghcr_repo