Use terraform-google-iam
One thing I like to do with my TF code is to minimize multiple duplicate resource calls in modules intended for reuse. In your main.tf, you've got three calls like this:

```hcl
resource "google_project_iam_member" "logwriter" {
  project = module.project.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${module.project.service_account_email}"
}
```

One thing I could suggest is making use of the google-iam-module here: https://github.com/terraform-google-modules/terraform-google-iam. That way you can set all the roles for the SA in a single block, or make the code flexible enough that if someone using the module needed to give external SAs permission to logging, they could do so when they create a project instance.
Originally posted by @broestls in #1 (comment)
We tried but couldn't because the project needs to exist before. The module uses `for_each` and cannot use dynamic values. But we should revisit this.
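For reference, here is one way to collapse the three duplicate `google_project_iam_member` calls without pulling in terraform-google-iam at all. This is an added example, not code from this repository or from the terraform-google-iam module. It relies on the fact that Terraform only needs the `for_each` keys to be known at plan time: the role names are static literals, so the key set is known, while the `project` and `member` values may still come from a `module.project` that is created in the same apply. The `module.project` outputs are taken from the snippet above; the `additional_log_writers` variable and the `project_sa` resource name are hypothetical.

```hcl
# Added example (not from the original issue or its repository).
# One google_project_iam_member per (role, member) pair, driven by for_each
# over a static set of roles. Only the for_each keys must be known at plan
# time; module.project.project_id and the service-account email may still be
# unknown, so this works even when the project is created in the same apply.

locals {
  # Roles granted to the project's own service account. Keep this list
  # minimal: each entry is a separate, individually reviewable binding.
  project_sa_roles = toset([
    "roles/logging.logWriter",
    # the other two roles from main.tf go here
  ])
}

resource "google_project_iam_member" "project_sa" {
  for_each = local.project_sa_roles

  project = module.project.project_id
  role    = each.value
  member  = "serviceAccount:${module.project.service_account_email}"
}

# Flexibility for module users: a caller can grant roles/logging.logWriter to
# additional principals (for example an external service account) when they
# instantiate the module. Hypothetical variable; grants nothing by default.
variable "additional_log_writers" {
  description = "Extra IAM members (e.g. \"serviceAccount:...\") allowed to write logs to this project."
  type        = set(string)
  default     = []
}

resource "google_project_iam_member" "additional_log_writers" {
  for_each = var.additional_log_writers

  project = module.project.project_id
  role    = "roles/logging.logWriter"
  member  = each.value
}
```

Two things worth keeping in mind with this shape. `google_project_iam_member` is additive (it manages only the single member it declares), so it is safe to use alongside bindings managed elsewhere; `google_project_iam_binding` would instead be authoritative for the whole role and silently remove members it does not know about. And the `for_each` over `var.additional_log_writers` has the same limitation the reply above describes: the caller must pass values that are known at plan time, so feeding it the email of a service account created in the same apply would fail until that account exists.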