diff --git a/modules/project/README.md b/modules/project/README.md
index 6e1b4d7382..9a77bd26a9 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1362,16 +1362,16 @@ module "bucket" {
 | [prefix](variables.tf#L195) | Optional prefix used to generate project id and name. | string | | null |
 | [project_create](variables.tf#L205) | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
 | [quotas](variables-quotas.tf#L17) | Service quota configuration. | map(object({…})) | | {} |
-| [service_agents_config](variables.tf#L211) | Automatic service agent configuration options. | object({…}) | | {} |
-| [service_config](variables.tf#L221) | Configure service API activation. | object({…}) | | {…} |
-| [service_encryption_key_ids](variables.tf#L233) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string)) | | {} |
-| [services](variables.tf#L240) | Service APIs to enable. | list(string) | | [] |
-| [shared_vpc_host_config](variables.tf#L246) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
-| [shared_vpc_service_config](variables.tf#L255) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
-| [skip_delete](variables.tf#L283) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false |
+| [service_agents_config](variables.tf#L211) | Automatic service agent configuration options. | object({…}) | | {} |
+| [service_config](variables.tf#L222) | Configure service API activation. | object({…}) | | {…} |
+| [service_encryption_key_ids](variables.tf#L234) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string)) | | {} |
+| [services](variables.tf#L241) | Service APIs to enable. 
| list(string) | | [] |
+| [shared_vpc_host_config](variables.tf#L247) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
+| [shared_vpc_service_config](variables.tf#L256) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
+| [skip_delete](variables.tf#L284) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false |
 | [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
 | [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [vpc_sc](variables.tf#L289) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
+| [vpc_sc](variables.tf#L290) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
 
 ## Outputs
 
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index b2905ce9b5..7de3629fd2 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -17,6 +17,9 @@
 # tfdoc:file:description Service agents supporting resources.
 
 locals {
+ services = distinct(concat(
+ var.services, var.service_agents_config.services_enabled
+ ))
 _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
 # map of api => list of agents
 _service_agents_by_api = {
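Review bot: `local.services` makes the APIs listed in `service_agents_config.services_enabled` drive the same agent lookup, identity creation and (where enabled) default-role grants as `var.services`, but nothing here ties those extra APIs to `google_project_service.project_services`, so the module now acts on APIs it neither enables nor can order against. A reader of the `locals` block cannot tell that from the code; add a comment above the new local such as `# services_enabled holds APIs activated outside this module; their agents are still managed here, so the APIs must already be active in the project`. Note also that `distinct` only drops exact duplicates, so an entry that differs only in case from one in `var.services` is kept and, because the lookup in `_project_service_agents` falls back to `[]`, silently yields no agent. The `locals` block continues beyond the end of the hunk.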
@@ -25,7 +28,7 @@ locals {
 }
 # map of service agent name => agent details for this project
 _project_service_agents = merge([
- for api in concat(var.services, ["cloudservices"]) : {
+ for api in concat(local.services, ["cloudservices"]) : {
 for agent in lookup(local._service_agents_by_api, api, []) :
 (agent.name) => merge(agent, {
 email = format(agent.identity, local.project.number)
@@ -33,7 +36,6 @@ locals {
 })
 }
 ]...)
-
 # list of APIs with primary agents that should be created for the
 # current project, if the user requested it
 primary_service_agents = [
@@ -63,7 +65,6 @@ locals {
 ], agent.name)
 ])
 }
-
 # map of name->agent including all known aliases
 _aliased_service_agents = merge(
 local._project_service_agents,
@@ -89,17 +90,22 @@ locals {
 }
 
 data "google_storage_project_service_account" "gcs_sa" {
- count = contains(var.services, "storage.googleapis.com") ? 1 : 0
+ count = contains(local.services, "storage.googleapis.com") ? 1 : 0
 project = local.project.project_id
 depends_on = [google_project_service.project_services]
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {
- count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
+ count = contains(local.services, "bigquery.googleapis.com") ? 1 : 0
 project = local.project.project_id
 depends_on = [google_project_service.project_services]
 }
 
+moved {
+ from = google_project_service_identity.jit_si
+ to = google_project_service_identity.default
+}
+
 resource "google_project_service_identity" "default" {
 provider = google-beta
 for_each = toset(local.primary_service_agents)
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index b0d96cd421..a9cb656999 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -213,6 +213,7 @@ variable "service_agents_config" {
 type = object({
 create_primary_agents = optional(bool, true)
 grant_default_roles = optional(bool, true)
+ services_enabled = optional(list(string), [])
 })
 default = {}
 nullable = false
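Review bot: Gating `gcs_sa` and `bq_sa` on `local.services` makes these reads run when `storage.googleapis.com` or `bigquery.googleapis.com` arrives only via `services_enabled`, while `depends_on = [google_project_service.project_services]` still orders them only against the APIs this module enables itself; if such an API is being enabled by another resource in the same apply, the read can happen before the API is active and the apply is likely to fail with an API-disabled error rather than a clear message. The same gap presumably affects `google_project_service_identity.default`, whose `for_each` is now fed by the widened agent set. Terraform cannot express that ordering from inside the module, so document the precondition on both data sources, e.g. `# depends_on covers only APIs enabled by this module; APIs supplied via services_enabled must already be active`, and repeat it in the variable description. The `moved` block is fine; the `default` resource body continues past the end of the hunk.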
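Review bot: The new `services_enabled` attribute has no description and no validation: the variable's description `Automatic service agent configuration options.` does not mention it, so the README row rendered from it shows only `object({…})`, and a caller cannot tell that it extends both agent creation and, under the default `grant_default_roles = true`, IAM grants to agents of APIs this module never enables. A misspelled entry is also silently ignored, since the lookup in `service-agents.tf` falls back to `[]` for unknown API names. Add an inline comment on the attribute, extend the `description` (just above the hunk) to say where these APIs are expected to be enabled, and add a `validation` block that at least checks the `.googleapis.com` suffix, as below; the closing brace of the variable lies past the end of the hunk.
```hcl
  type = object({
    # … unchanged: create_primary_agents, grant_default_roles …
    # APIs enabled outside this module whose service agents are still created
    # here and, when grant_default_roles is true, granted their default roles.
    services_enabled = optional(list(string), [])
  })
  # … unchanged: default, nullable …
  validation {
    condition = alltrue([
      for s in var.service_agents_config.services_enabled :
      can(regex("\\.googleapis\\.com$", s))
    ])
    error_message = "services_enabled entries must be fully qualified API names such as storage.googleapis.com."
  }
```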