truefoundry · dunefro · Sep 4, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ Truefoundry Google Cloud platform features module
 | [google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.truefoundry_platform_feature_gcs_bucket_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.truefoundry_platform_feature_secret_manager_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
+| [google_project_iam_member.truefoundry_platform_feature_additional_roles_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_artifact_registry_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_cluster_integration_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_gcs_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
@@ -51,13 +52,19 @@ Truefoundry Google Cloud platform features module
 | <a name="input_blob_storage_force_destroy"></a> [blob\_storage\_force\_destroy](#input\_blob\_storage\_force\_destroy) | Force destroy for mlfoundry s3 bucket | `bool` | `true` | no |
 | <a name="input_blob_storage_override_name"></a> [blob\_storage\_override\_name](#input\_blob\_storage\_override\_name) | S3 bucket name. Only used if s3\_enable\_override is enabled | `string` | `""` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
+| <a name="input_existing_service_account_email"></a> [existing\_service\_account\_email](#input\_existing\_service\_account\_email) | Use existing service account email | `string` | `""` | no |
 | <a name="input_feature_blob_storage_enabled"></a> [feature\_blob\_storage\_enabled](#input\_feature\_blob\_storage\_enabled) | Enable blob storage feature in the platform | `bool` | `true` | no |
 | <a name="input_feature_cluster_integration_enabled"></a> [feature\_cluster\_integration\_enabled](#input\_feature\_cluster\_integration\_enabled) | Enable cluster integration feature in the platform | `bool` | `true` | no |
 | <a name="input_feature_docker_registry_enabled"></a> [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no |
 | <a name="input_feature_logs_viewer_enabled"></a> [feature\_logs\_viewer\_enabled](#input\_feature\_logs\_viewer\_enabled) | Enable logs viewer permission in the platform | `bool` | `true` | no |
 | <a name="input_feature_secrets_enabled"></a> [feature\_secrets\_enabled](#input\_feature\_secrets\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no |
 | <a name="input_project"></a> [project](#input\_project) | GCP Project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | region | `string` | n/a | yes |
+| <a name="input_service_account_additional_roles"></a> [service\_account\_additional\_roles](#input\_service\_account\_additional\_roles) | List of additional IAM roles to be added to the service account | `list(string)` | `[]` | no |
+| <a name="input_service_account_enable_override"></a> [service\_account\_enable\_override](#input\_service\_account\_enable\_override) | Enable overriding name of service account. This will only be used if service\_account\_enabled is enabled. You need to pass service\_account\_override\_name to pass the service account name | `bool` | `false` | no |
+| <a name="input_service_account_enabled"></a> [service\_account\_enabled](#input\_service\_account\_enabled) | Enable service account feature in the platform | `bool` | `true` | no |
+| <a name="input_service_account_key_creation_enabled"></a> [service\_account\_key\_creation\_enabled](#input\_service\_account\_key\_creation\_enabled) | Enable service account key creation | `bool` | `true` | no |
+| <a name="input_service_account_override_name"></a> [service\_account\_override\_name](#input\_service\_account\_override\_name) | Service account name. Only used if service\_account\_enable\_override is enabled | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/iam.tf b/iam.tf
@@ -1,6 +1,7 @@
 // service account for truefoundry platform feature
 resource "google_service_account" "truefoundry_platform_feature_service_account" {
-  account_id   = local.serviceaccount_name
+  count        = var.service_account_enabled ? 1 : 0
+  account_id   = var.service_account_enable_override ? var.service_account_override_name : local.serviceaccount_name
   project      = var.project
   display_name = "Terraform-managed truefoundry platform service account"
   description  = "Truefoundry platform user with access to artifact registry, blob storage and secrets manager"
@@ -33,7 +34,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_secret_manage
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_secret_manager_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
 
   condition {
     title       = "Condition to allow access to secrets starting with 'tfy'"
@@ -77,7 +78,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_gcs_role_bind
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_gcs_bucket_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
 
   condition {
     title       = "Condition to allow access to truefoundry bucket"
@@ -108,7 +109,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_cluster_integ
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
 }
 
 // artifact registry role
@@ -153,7 +154,7 @@ resource "google_project_iam_member" "truefoundry_platform_feature_artifact_regi
 
   project = var.project
   role    = google_project_iam_custom_role.truefoundry_platform_feature_artifact_registry_role[count.index].id
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
 }
 
 // role binding token creator role to service account
@@ -162,18 +163,33 @@ resource "google_project_iam_member" "truefoundry_platform_feature_token_creator
 
   project = var.project
   role    = "roles/iam.serviceAccountTokenCreator"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
 }
 
 // role binding logs viewer role to service account
 resource "google_project_iam_member" "truefoundry_platform_feature_logs_viewer_role_binding" {
   count   = var.feature_logs_viewer_enabled ? 1 : 0
   project = var.project
   role    = "roles/logging.viewer"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+  member  = "serviceAccount:${local.serviceaccount_email}"
+}
+
+// Adding support for passing additional IAM roles to the service account
+resource "google_project_iam_member" "truefoundry_platform_feature_additional_roles_binding" {
+  count   = length(var.service_account_additional_roles) > 0 ? 1 : 0
+  project = var.project
+  role    = var.service_account_additional_roles[count.index]
+  member  = "serviceAccount:${local.serviceaccount_email}"
 }
 
 // service account key
 resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
-  service_account_id = google_service_account.truefoundry_platform_feature_service_account.id
+  count              = var.service_account_enabled && var.service_account_key_creation_enabled ? 1 : 0
+  service_account_id = google_service_account.truefoundry_platform_feature_service_account[0].id
+}
+
+// moved block
+moved {
+  from = google_service_account.truefoundry_platform_feature_service_account
+  to   = google_service_account.truefoundry_platform_feature_service_account[0]
 }
diff --git a/locals.tf b/locals.tf
@@ -10,4 +10,5 @@ locals {
   truefoundry_platform_resources = "${var.cluster_name}-platform-${random_string.random_id.result}"
   truefoundry_blob_storage_name  = var.blob_storage_enable_override ? var.blob_storage_override_name : "${local.truefoundry_platform_resources}-bucket"
   serviceaccount_name            = trimsuffix(substr("${local.truefoundry_platform_resources}-user", 0, 30), "-")
+  serviceaccount_email           = var.service_account_enabled ? google_service_account.truefoundry_platform_feature_service_account[0].email : var.existing_service_account_email != "" ? var.existing_service_account_email : ""
 }
diff --git a/output.tf b/output.tf
@@ -2,7 +2,7 @@
 # IAM serviceaccount
 ################################################################################
 output "sa_auth_data" {
-  value       = base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key.private_key)
+  value       = var.service_account_enabled ? base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key[0].private_key) : ""
   sensitive   = true
   description = "Private key of the service account"
 }
@@ -42,11 +42,11 @@ output "artifact_registry_url" {
 # IAM serviceaccount
 ################################################################################
 output "serviceaccount_name" {
-  value       = local.serviceaccount_name
+  value       = var.service_account_enabled && var.service_account_enable_override ? var.service_account_override_name : local.serviceaccount_name
   description = "Name of the service account"
 }
 output "serviceaccount_key" {
-  value       = base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key.private_key)
+  value       = var.service_account_enabled && var.service_account_key_creation_enabled ? base64decode(google_service_account_key.truefoundry_platform_feature_service_account_key[0].private_key) : ""
   sensitive   = true
   description = "Service account keys"
 }

diff --git a/variables.tf b/variables.tf
@@ -29,6 +29,46 @@ variable "project" {
   type        = string
 }
 
+################################################################################
+# Service Account
+################################################################################
+
+variable "service_account_enabled" {
+  description = "Enable service account feature in the platform"
+  type        = bool
+  default     = true
+}
+
+variable "service_account_key_creation_enabled" {
+  description = "Enable service account key creation"
+  type        = bool
+  default     = true
+}
+
+variable "existing_service_account_email" {
+  description = "Use existing service account email"
+  type        = string
+  default     = ""
+}
+
+variable "service_account_enable_override" {
+  description = "Enable overriding name of service account. This will only be used if service_account_enabled is enabled. You need to pass service_account_override_name to pass the service account name"
+  type        = bool
+  default     = false
+}
+
+variable "service_account_override_name" {
+  description = "Service account name. Only used if service_account_enable_override is enabled"
+  type        = string
+  default     = ""
+}
+
+variable "service_account_additional_roles" {
+  description = "List of additional IAM roles to be added to the service account"
+  type        = list(string)
+  default     = []
+}
+
 ################################################################################
 # Blob Storage
 ################################################################################