Disable SA creation option, sa name override option, SA additional roles

README.md

@@ -31,6 +31,7 @@ Truefoundry Google Cloud platform features module
 | [google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.truefoundry_platform_feature_gcs_bucket_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.truefoundry_platform_feature_secret_manager_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
+| [google_project_iam_member.truefoundry_platform_feature_additional_roles_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_artifact_registry_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_cluster_integration_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_gcs_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
@@ -58,6 +59,10 @@ Truefoundry Google Cloud platform features module
 | <a name="input_feature_secrets_enabled"></a> [feature\_secrets\_enabled](#input\_feature\_secrets\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no |
 | <a name="input_project"></a> [project](#input\_project) | GCP Project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | region | `string` | n/a | yes |
+| <a name="input_service_account_additional_roles"></a> [service\_account\_additional\_roles](#input\_service\_account\_additional\_roles) | List of additional IAM roles to be added to the service account | `list(string)` | `[]` | no |
+| <a name="input_service_account_enable_override"></a> [service\_account\_enable\_override](#input\_service\_account\_enable\_override) | Enable overriding name of service account. This will only be used if service\_account\_enabled is enabled. You need to pass service\_account\_override\_name to pass the service account name | `bool` | `false` | no |
+| <a name="input_service_account_enabled"></a> [service\_account\_enabled](#input\_service\_account\_enabled) | Enable service account feature in the platform | `bool` | `true` | no |
+| <a name="input_service_account_override_name"></a> [service\_account\_override\_name](#input\_service\_account\_override\_name) | Service account name. Only used if service\_account\_enable\_override is enabled | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs

iam.tf

@@ -1,14 +1,15 @@
 // service account for truefoundry platform feature
 resource "google_service_account" "truefoundry_platform_feature_service_account" {
-  account_id   = local.serviceaccount_name
+  count        = var.service_account_enabled ? 1 : 0
+  account_id   = var.service_account_enable_override ? var.service_account_override_name : local.serviceaccount_name
   project      = var.project
   display_name = "Terraform-managed truefoundry platform service account"
   description  = "Truefoundry platform user with access to artifact registry, blob storage and secrets manager"
 }
 
 // custom role for secret manager
 resource "google_project_iam_custom_role" "truefoundry_platform_feature_secret_manager_role" {
-  count       = var.feature_secrets_enabled ? 1 : 0
+  count       = var.service_account_enabled && var.feature_secrets_enabled ? 1 : 0
   project     = var.project
   role_id     = trimsuffix(substr(replace("${local.truefoundry_platform_resources}_bucket_secret_manager_role", "-", "_"), 0, 64), "_")
   title       = trimsuffix(substr("truefoundry/${var.cluster_name}/platform-features/${local.truefoundry_platform_resources}_bucket_secret_manager_role", 0, 100), "_")
@@ -29,11 +30,11 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_secret_m
 }
 
 resource "google_project_iam_member" "truefoundry_platform_feature_secret_manager_role_binding" {
-  count = var.feature_secrets_enabled ? 1 : 0
+  count = var.service_account_enabled && var.feature_secrets_enabled ? 1 : 0
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_secret_manager_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 
   condition {
     title       = "Condition to allow access to secrets starting with 'tfy'"
@@ -48,7 +49,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_secret_manage
 
 // custom role for GCS bucket
 resource "google_project_iam_custom_role" "truefoundry_platform_feature_gcs_bucket_role" {
-  count       = var.feature_blob_storage_enabled ? 1 : 0
+  count       = var.service_account_enabled && var.feature_blob_storage_enabled ? 1 : 0
   project     = var.project
   role_id     = trimsuffix(substr(replace("${local.truefoundry_platform_resources}_bucket_gcs_role", "-", "_"), 0, 64), "_")
   title       = trimsuffix(substr("truefoundry/${var.cluster_name}/platform-features/${local.truefoundry_platform_resources}_bucket-gcs-role", 0, 100), "_")
@@ -73,11 +74,11 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_gcs_buck
 }
 
 resource "google_project_iam_member" "truefoundry_platform_feature_gcs_role_binding" {
-  count = var.feature_blob_storage_enabled ? 1 : 0
+  count = var.service_account_enabled && var.feature_blob_storage_enabled ? 1 : 0
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_gcs_bucket_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 
   condition {
     title       = "Condition to allow access to truefoundry bucket"
@@ -88,7 +89,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_gcs_role_bind
 
 // cluster integration role
 resource "google_project_iam_custom_role" "truefoundry_platform_feature_cluster_integration_role" {
-  count       = var.feature_cluster_integration_enabled ? 1 : 0
+  count       = var.service_account_enabled && var.feature_cluster_integration_enabled ? 1 : 0
   project     = var.project
   role_id     = trimsuffix(substr(replace("${local.truefoundry_platform_resources}_cluster_integration_role", "-", "_"), 0, 64), "_")
   title       = trimsuffix(substr("truefoundry/${var.cluster_name}/platform-features/${local.truefoundry_platform_resources}_cluster_integration_role", 0, 100), "_")
@@ -104,16 +105,16 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_cluster_
 }
 
 resource "google_project_iam_member" "truefoundry_platform_feature_cluster_integration_role_binding" {
-  count = var.feature_cluster_integration_enabled ? 1 : 0
+  count = var.service_account_enabled && var.feature_cluster_integration_enabled ? 1 : 0
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 }
 
 // artifact registry role
 resource "google_project_iam_custom_role" "truefoundry_platform_feature_artifact_registry_role" {
-  count       = var.feature_docker_registry_enabled ? 1 : 0
+  count       = var.service_account_enabled && var.feature_docker_registry_enabled ? 1 : 0
   project     = var.project
   role_id     = trimsuffix(substr(replace("${local.truefoundry_platform_resources}_artifact_registry_role", "-", "_"), 0, 64), "_")
   title       = trimsuffix(substr("truefoundry/${var.cluster_name}/platform-features/${local.truefoundry_platform_resources}_artifact_registry_role", 0, 100), "_")
@@ -149,31 +150,46 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_artifact
 }
 
 resource "google_project_iam_member" "truefoundry_platform_feature_artifact_registry_role_binding" {
-  count = var.feature_docker_registry_enabled ? 1 : 0
+  count = var.service_account_enabled && var.feature_docker_registry_enabled ? 1 : 0
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_artifact_registry_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 }
 
 // role binding token creator role to service account
 resource "google_project_iam_member" "truefoundry_platform_feature_token_creator_role_binding" {
-  count = var.feature_blob_storage_enabled ? 1 : 0
+  count = var.service_account_enabled && var.feature_blob_storage_enabled ? 1 : 0
 
   project = var.project
   role    = "roles/iam.serviceAccountTokenCreator"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 }
 
 // role binding logs viewer role to service account
 resource "google_project_iam_member" "truefoundry_platform_feature_logs_viewer_role_binding" {
-  count   = var.feature_logs_viewer_enabled ? 1 : 0
+  count   = var.service_account_enabled && var.feature_logs_viewer_enabled ? 1 : 0
   project = var.project
   role    = "roles/logging.viewer"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
+}
+
+// Adding support for passing additional IAM roles to the service account
+resource "google_project_iam_member" "truefoundry_platform_feature_additional_roles_binding" {
+  count   = var.service_account_enabled && length(var.service_account_additional_roles) > 0 ? 1 : 0
+  project = var.project
+  role    = var.service_account_additional_roles[count.index]
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account[0].email}"
 }
 
 // service account key
 resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
-  service_account_id = google_service_account.truefoundry_platform_feature_service_account.id
+  count              = var.service_account_enabled ? 1 : 0
+  service_account_id = google_service_account.truefoundry_platform_feature_service_account[0].id
+}
+
+// moved block
+moved {
+  from = google_service_account.truefoundry_platform_feature_service_account
+  to   = google_service_account.truefoundry_platform_feature_service_account[0]
 }

output.tf

@@ -2,7 +2,7 @@
 # IAM serviceaccount
 ################################################################################
 output "sa_auth_data" {
-  value       = base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key.private_key)
+  value       = var.service_account_enabled ? base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key[0].private_key) : ""
   sensitive   = true
   description = "Private key of the service account"
 }
@@ -11,42 +11,42 @@ output "sa_auth_data" {
 # Bucket
 ################################################################################
 output "blob_storage_enabled" {
-  value       = var.feature_blob_storage_enabled
+  value       = var.service_account_enabled && var.feature_blob_storage_enabled
   description = "Blob storage feature enabled"
 }
 
 output "bucket_name" {
-  value       = var.feature_blob_storage_enabled ? module.blob_storage[0].name : ""
+  value       = var.service_account_enabled && var.feature_blob_storage_enabled ? module.blob_storage[0].name : ""
   description = "Name of the bucket"
 }
 
 output "bucket_url" {
-  value       = var.feature_blob_storage_enabled ? module.blob_storage[0].url : ""
+  value       = var.service_account_enabled && var.feature_blob_storage_enabled ? module.blob_storage[0].url : ""
   description = "URL of the bucket"
 }
 
 ################################################################################
 # Docker registry (artifact registry)
 ################################################################################
 output "docker_registry_enabled" {
-  value       = var.feature_docker_registry_enabled
+  value       = var.service_account_enabled && var.feature_docker_registry_enabled
   description = "Docker registry feature enabled"
 }
 
 output "artifact_registry_url" {
-  value       = var.feature_docker_registry_enabled ? "${var.region}-docker.pkg.dev/${var.project}" : ""
+  value       = var.service_account_enabled && var.feature_docker_registry_enabled ? "${var.region}-docker.pkg.dev/${var.project}" : ""
   description = "Artifact registry URL to connect"
 }
 
 ################################################################################
 # IAM serviceaccount
 ################################################################################
 output "serviceaccount_name" {
-  value       = local.serviceaccount_name
+  value       = var.service_account_enabled && var.service_account_enable_override ? var.service_account_override_name : local.serviceaccount_name
   description = "Name of the service account"
 }
 output "serviceaccount_key" {
-  value       = base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key.private_key)
+  value       = var.service_account_enabled ? base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key[0].private_key) : ""
   sensitive   = true
   description = "Service account keys"
 }
@@ -55,14 +55,14 @@ output "serviceaccount_key" {
 # Secret manager
 ################################################################################
 output "secret_manger_enabled" {
-  value       = var.feature_secrets_enabled
+  value       = var.service_account_enabled && var.feature_secrets_enabled
   description = "Secret manager feature enabled"
 }
 
 ################################################################################
 # Cluster integration
 ################################################################################
 output "cluster_integration_enabled" {
-  value       = var.feature_cluster_integration_enabled
+  value       = var.service_account_enabled && var.feature_cluster_integration_enabled
   description = "Cluster integration feature enabled"
 }

variables.tf

@@ -29,6 +29,34 @@ variable "project" {
   type        = string
 }
 
+################################################################################
+# Service Account
+################################################################################
+
+variable "service_account_enabled" {
+  description = "Enable service account feature in the platform"
+  type        = bool
+  default     = true
+}
+
+variable "service_account_enable_override" {
+  description = "Enable overriding name of service account. This will only be used if service_account_enabled is enabled. You need to pass service_account_override_name to pass the service account name"
+  type        = bool
+  default     = false
+}
+
+variable "service_account_override_name" {
+  description = "Service account name. Only used if service_account_enable_override is enabled"
+  type        = string
+  default     = ""
+}
+
+variable "service_account_additional_roles" {
+  description = "List of additional IAM roles to be added to the service account"
+  type        = list(string)
+  default     = []
+}
+
 ################################################################################
 # Blob Storage
 ################################################################################