From 5dd17fc895b2e7459c21041d08ff8d7fa79f9249 Mon Sep 17 00:00:00 2001
From: Deepika Daluka
Date: Tue, 27 Sep 2022 17:20:48 +0530
Subject: [PATCH] Added change for default service account deprivilege setting

---
 modules/project/service-accounts.tf | 8 ++++++++
 modules/project/variables.tf | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index 4bb7306209..f6da4fbf6b 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -140,3 +140,11 @@ resource "google_kms_crypto_key_iam_member" "service_identity_cmek" {
     data.google_storage_project_service_account.gcs_sa,
   ]
 }
+
+resource "google_project_default_service_accounts" "default_service_accounts" {
+  count = upper(var.default_service_account) == "KEEP" ? 0 : 1
+  action = upper(var.default_service_account)
+  project = local.project.project_id
+  restore_policy = "REVERT_AND_IGNORE_FAILURE"
+  depends_on = [google_project_service.project_services]
+}
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 9268deb275..30eff53aa0 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -46,6 +46,12 @@ variable "descriptive_name" {
   default = null
 }
 
+variable "default_service_account" {
+  description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
+  default = "keep"
+  type = string
+}
+
 variable "group_iam" {
   description = "Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
   type = map(list(string))
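Review bot: The hard-coded `restore_policy = "REVERT_AND_IGNORE_FAILURE"` in the new `google_project_default_service_accounts` resource deserves a comment, because it is the security-relevant part of this change: whenever the resource is destroyed — on `terraform destroy`, or when `default_service_account` is switched back to `keep` and `count` drops to 0 — the provider reverts the action (re-granting roles or re-enabling the default service accounts, depending on the action) and any failure during that revert is ignored rather than surfaced. A reader seeing only this block would not know the deprivileging is undone on destroy, so add above the attribute something like `# On destroy (or when switching back to "keep") the default SAs are restored to their prior state; revert failures are ignored so they do not block project teardown.` The choice between `REVERT` and `REVERT_AND_IGNORE_FAILURE` is also a candidate for a module variable, since some users will prefer a loud failure over a silent partial revert. Note as well that `upper(var.default_service_account)` errors if a caller passes `null` explicitly, which the variable declaration in variables.tf does not prevent; see the note on that hunk.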
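Review bot: The new `default_service_account` variable only documents its allowed values in the description and accepts any string, so a typo such as `deprivilige` passes module validation and only surfaces later when the provider rejects the `action` value, with an error that does not mention the module variable. Since the module already depends on the value being one of four known words, a `validation` block that checks membership (case-insensitively, to match the `upper()` normalisation in service-accounts.tf) would fail fast at plan time with a clear message; this presumes the module already requires a Terraform version that supports `validation` blocks, which is not visible here. If the module targets Terraform 1.1 or later, `nullable = false` would additionally prevent an explicit `null` from reaching `upper()`.
```hcl
variable "default_service_account" {
  description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
  default     = "keep"
  type        = string
  validation {
    condition     = contains(["delete", "deprivilege", "disable", "keep"], lower(var.default_service_account))
    error_message = "default_service_account must be one of delete, deprivilege, disable, or keep."
  }
}
```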