Use the member field for better readbility. (#475)

See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account#attributes-reference
googlecloudrobotics · Dec 17, 2024 · 53f1697 · 53f1697
1 parent 6acdefa
commit 53f1697
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 13 deletions.
diff --git a/src/bootstrap/cloud/terraform/cluster.tf b/src/bootstrap/cloud/terraform/cluster.tf
@@ -145,7 +145,7 @@ resource "google_service_account" "gke_node" {
 
 resource "google_project_iam_member" "gke_node_roles" {
   project = data.google_project.project.project_id
-  member  = "serviceAccount:${google_service_account.gke_node.email}"
+  member  = google_service_account.gke_node.member
   for_each = toset([
     # GKE recommendations
     "roles/logging.logWriter",

diff --git a/src/bootstrap/cloud/terraform/dns.tf b/src/bootstrap/cloud/terraform/dns.tf
@@ -41,7 +41,7 @@ data "google_iam_policy" "external-dns" {
   binding {
     role = "roles/dns.admin"
     members = [
-      "serviceAccount:${google_service_account.cert_manager.email}"
+      google_service_account.cert_manager.member
     ]
   }
 }

diff --git a/src/bootstrap/cloud/terraform/registry.tf b/src/bootstrap/cloud/terraform/registry.tf
@@ -2,9 +2,9 @@
 
 locals {
   service_acounts = flatten([
-    "serviceAccount:${google_service_account.gke_node.email}",
-    "serviceAccount:${google_service_account.human-acl.email}",
-    var.onprem_federation ? ["serviceAccount:${google_service_account.robot-service[0].email}"] : [],
+    google_service_account.gke_node.member,
+    google_service_account.human-acl.member,
+    var.onprem_federation ? [google_service_account.robot-service[0].member] : [],
   ])
   private_repo_access = flatten([
     for sa in local.service_acounts : [

diff --git a/src/bootstrap/cloud/terraform/service-account.tf b/src/bootstrap/cloud/terraform/service-account.tf
@@ -26,19 +26,19 @@ data "google_iam_policy" "robot-service" {
     role = "roles/iam.serviceAccountTokenCreator"
 
     members = [
-      "serviceAccount:${google_service_account.token_vendor.email}",
+      google_service_account.token_vendor.member,
     ]
   }
 
   binding {
     role = "roles/iam.serviceAccountUser"
 
     members = [
-      "serviceAccount:${google_service_account.token_vendor.email}",
+      google_service_account.token_vendor.member,
 
       # This seemingly nonsensical binding is necessary for the robot auth
       # path in the K8s relay, which has to work with GCP auth tokens.
-      "serviceAccount:${google_service_account.robot-service[0].email}",
+      google_service_account.robot-service[0].member,
     ]
   }
 
@@ -55,7 +55,7 @@ resource "google_service_account_iam_policy" "robot-service" {
 
 resource "google_project_iam_member" "robot-service-roles" {
   project = data.google_project.project.project_id
-  member  = "serviceAccount:${google_service_account.robot-service[0].email}"
+  member  = google_service_account.robot-service[0].member
   for_each = var.onprem_federation ? toset([
     "roles/cloudtrace.agent",        # Upload cloud traces
     "roles/container.clusterViewer", # Sync CRs from the GKE cluster.
@@ -92,7 +92,7 @@ resource "google_service_account_iam_member" "human-acl-shared-owner-account-use
 resource "google_project_iam_member" "human-acl-object-viewer" {
   project = data.google_project.project.project_id
   role    = "roles/storage.objectViewer"
-  member  = "serviceAccount:${google_service_account.human-acl.email}"
+  member  = google_service_account.human-acl.member
 }
 
 # Allow robot registration with the token vendor, which checks if the client's
@@ -101,7 +101,7 @@ resource "google_project_iam_member" "human-acl-object-viewer" {
 resource "google_service_account_iam_member" "human-acl-act-as-self" {
   service_account_id = google_service_account.human-acl.name
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${google_service_account.human-acl.email}"
+  member             = google_service_account.human-acl.member
 }
 
 # Grant permissions to generate tokens for registering new workcell clusters.

diff --git a/src/bootstrap/cloud/terraform/workload-identity.tf b/src/bootstrap/cloud/terraform/workload-identity.tf
@@ -59,7 +59,7 @@ resource "google_service_account_iam_policy" "cert_manager" {
 resource "google_project_iam_member" "cert_manager_dns_reader" {
   project = data.google_project.project.project_id
   role    = "roles/dns.reader"
-  member  = "serviceAccount:${google_service_account.cert_manager.email}"
+  member  = google_service_account.cert_manager.member
 }
 
 # cert-manager-google-cas-issuer
@@ -85,7 +85,7 @@ resource "google_privateca_ca_pool_iam_member" "ca-pool-workload-identity" {
 
   ca_pool = google_privateca_ca_pool.ca_pool[0].id
   role    = "roles/privateca.certificateManager"
-  member  = "serviceAccount:${google_service_account.google-cas-issuer[0].email}"
+  member  = google_service_account.google-cas-issuer[0].member
 }
 
 # Define IAM policy for the workload identity user.