fix #714 (#715)

fast/stages/02-networking-nva/landing.tf

@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

fast/stages/02-networking-nva/main.tf

@@ -25,7 +25,8 @@ locals {
     })]
   }
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
   stage3_sas_delegated_grants = [
     "roles/composer.sharedVpcAgent",

fast/stages/02-networking-nva/spoke-dev.tf

@@ -40,7 +40,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -124,8 +126,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

fast/stages/02-networking-nva/spoke-prod.tf

@@ -40,7 +40,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -124,8 +126,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"

fast/stages/02-networking-peering/landing.tf

@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

fast/stages/02-networking-peering/main.tf

@@ -36,7 +36,8 @@ locals {
     "roles/vpcaccess.user",
   ]
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
 }
 

fast/stages/02-networking-peering/spoke-dev.tf

@@ -41,7 +41,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

fast/stages/02-networking-peering/spoke-prod.tf

@@ -41,7 +41,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"

fast/stages/02-networking-vpn/landing.tf

@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

fast/stages/02-networking-vpn/main.tf

@@ -36,7 +36,8 @@ locals {
     "roles/vpcaccess.user",
   ]
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
 }
 

fast/stages/02-networking-vpn/spoke-dev.tf

@@ -41,7 +41,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

fast/stages/02-networking-vpn/spoke-prod.tf

@@ -41,7 +41,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"