fix: grant_registry_access gate serviceUsageConsumer (#2266)

apeabody · web-flow · commit 69eca655edcf · 2025-02-06T00:47:34.000Z
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
diff --git a/sa.tf b/sa.tf
@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {`
`85`		`- for_each = var.create_service_account {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []`
	`85`	`+ for_each = var.create_service_account && var.grant_registry_access {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []`
`86`	`86`	`project = each.key`
`87`	`87`	`role = "roles/serviceusage.serviceUsageConsumer"`
`88`	`88`	`member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"`