diff --git a/modules/project/README.md b/modules/project/README.md
index 6e1b4d7382..9a77bd26a9 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1362,16 +1362,16 @@ module "bucket" {
| [prefix](variables.tf#L195) | Optional prefix used to generate project id and name. | string
| | null
|
| [project_create](variables.tf#L205) | Create project. When set to false, uses a data source to reference existing project. | bool
| | true
|
| [quotas](variables-quotas.tf#L17) | Service quota configuration. | map(object({…}))
| | {}
|
-| [service_agents_config](variables.tf#L211) | Automatic service agent configuration options. | object({…})
| | {}
|
-| [service_config](variables.tf#L221) | Configure service API activation. | object({…})
| | {…}
|
-| [service_encryption_key_ids](variables.tf#L233) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string))
| | {}
|
-| [services](variables.tf#L240) | Service APIs to enable. | list(string)
| | []
|
-| [shared_vpc_host_config](variables.tf#L246) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…})
| | null
|
-| [shared_vpc_service_config](variables.tf#L255) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…})
| | {…}
|
-| [skip_delete](variables.tf#L283) | Allows the underlying resources to be destroyed without destroying the project itself. | bool
| | false
|
+| [service_agents_config](variables.tf#L211) | Automatic service agent configuration options. | object({…})
| | {}
|
+| [service_config](variables.tf#L222) | Configure service API activation. | object({…})
| | {…}
|
+| [service_encryption_key_ids](variables.tf#L234) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string))
| | {}
|
+| [services](variables.tf#L241) | Service APIs to enable. | list(string)
| | []
|
+| [shared_vpc_host_config](variables.tf#L247) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…})
| | null
|
+| [shared_vpc_service_config](variables.tf#L256) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…})
| | {…}
|
+| [skip_delete](variables.tf#L284) | Allows the underlying resources to be destroyed without destroying the project itself. | bool
| | false
|
| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string)
| | null
|
| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
|
-| [vpc_sc](variables.tf#L289) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…})
| | null
|
+| [vpc_sc](variables.tf#L290) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…})
| | null
|
## Outputs
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index b2905ce9b5..7de3629fd2 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -17,6 +17,9 @@
# tfdoc:file:description Service agents supporting resources.
locals {
+ services = distinct(concat(
+ var.services, var.service_agents_config.services_enabled
+ ))
_service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
# map of api => list of agents
_service_agents_by_api = {
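Review bot: The new `services` local at the top of the hunk merges `var.services` with `var.service_agents_config.services_enabled` without a comment saying why two lists exist, and the `locals` block continues past the hunk. Since `local.services` now feeds `_project_service_agents` (the `var.services` → `local.services` swaps at L88, L112 and L118 complete the switch), an API named only in `services_enabled` presumably gets its service agents created and, if `grant_default_roles` is left at its default, IAM bindings granted, even though the module never activates that API; that contract is invisible to a reader of this file. I would add above the local: `# APIs whose service agents are managed here: those this module enables plus any the caller declares as already enabled via service_agents_config.services_enabled (the latter are not activated by this module, but do receive agents and default roles).` Naming the IAM consequence in the comment matters because the list otherwise looks like a harmless bookkeeping input.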
@@ -25,7 +28,7 @@ locals {
}
# map of service agent name => agent details for this project
_project_service_agents = merge([
- for api in concat(var.services, ["cloudservices"]) : {
+ for api in concat(local.services, ["cloudservices"]) : {
for agent in lookup(local._service_agents_by_api, api, []) :
(agent.name) => merge(agent, {
email = format(agent.identity, local.project.number)
@@ -33,7 +36,6 @@ locals {
})
}
]...)
-
# list of APIs with primary agents that should be created for the
# current project, if the user requested it
primary_service_agents = [
@@ -63,7 +65,6 @@ locals {
], agent.name)
])
}
-
# map of name->agent including all known aliases
_aliased_service_agents = merge(
local._project_service_agents,
@@ -89,17 +90,22 @@ locals {
}
data "google_storage_project_service_account" "gcs_sa" {
- count = contains(var.services, "storage.googleapis.com") ? 1 : 0
+ count = contains(local.services, "storage.googleapis.com") ? 1 : 0
project = local.project.project_id
depends_on = [google_project_service.project_services]
}
data "google_bigquery_default_service_account" "bq_sa" {
- count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
+ count = contains(local.services, "bigquery.googleapis.com") ? 1 : 0
project = local.project.project_id
depends_on = [google_project_service.project_services]
}
+moved {
+ from = google_project_service_identity.jit_si
+ to = google_project_service_identity.default
+}
+
resource "google_project_service_identity" "default" {
provider = google-beta
for_each = toset(local.primary_service_agents)
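Review bot: `gcs_sa` and `bq_sa` now gate their `count` on `local.services` but still carry only `depends_on = [google_project_service.project_services]`, so when `storage.googleapis.com` or `bigquery.googleapis.com` arrives solely through `services_enabled` the data source reads a project in which this module has enabled nothing and simply trusts the caller's claim; if the API is not actually enabled the read fails at apply time with an error that points at the data source rather than at the input. Whether that is acceptable should at least be written down, e.g. above `gcs_sa`: `# storage/bigquery may appear in local.services via services_enabled; the data source then assumes the caller enabled the API, and depends_on cannot guarantee it.` The `moved` block for `google_project_service_identity.jit_si` → `default` is the right way to rename without recreating identities. The `google_project_service_identity.default` resource body continues outside the hunk.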
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index b0d96cd421..a9cb656999 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -213,6 +213,7 @@ variable "service_agents_config" {
type = object({
create_primary_agents = optional(bool, true)
grant_default_roles = optional(bool, true)
+ services_enabled = optional(list(string), [])
})
default = {}
nullable = false
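Review bot: `services_enabled` is added to the object type with no update to the variable's `description` (which sits above the hunk) and the README entry for `service_agents_config` in this same commit still reads only "Automatic service agent configuration options.", so callers have no documented statement of what listing an API here does. Because entries in this list appear to lead to service-agent creation and, with `grant_default_roles` true, role grants for APIs the module does not itself enable, the description should spell that out, e.g. `services_enabled: APIs enabled outside this module for which service agents should still be created and granted default roles.` If `var.services` already carries a format validation, mirroring it here (`alltrue([for s in var.service_agents_config.services_enabled : endswith(s, ".googleapis.com")])`) would surface a typo as a plan error rather than as a silently missing agent. The `variable "service_agents_config"` block starts and ends outside the hunk.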