From 166fb24220958745567b0fc15f037d3663a7bd0b Mon Sep 17 00:00:00 2001
From: David Holsgrove
Date: Mon, 30 Nov 2020 15:29:54 +1000
Subject: [PATCH] feat: Grant roles/artifactregistry.reader to created service account when grant_registry_access is true (#748)
---
 autogen/main/sa.tf.tmpl | 6 ++++++
 modules/beta-private-cluster-update-variant/sa.tf | 6 ++++++
 modules/beta-private-cluster/sa.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/sa.tf | 6 ++++++
 modules/beta-public-cluster/sa.tf | 6 ++++++
 modules/private-cluster-update-variant/sa.tf | 6 ++++++
 modules/private-cluster/sa.tf | 6 ++++++
 sa.tf | 6 ++++++
 8 files changed, 48 insertions(+)
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index d2db09190..68a0a67f1 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
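Review bot: Granting `roles/artifactregistry.reader` through `google_project_iam_member` in the new `cluster_service_account-artifact-registry` resource is project-wide, so the node service account can read every Artifact Registry repository in the registry project rather than only the repositories that hold the cluster's images; where those repositories are known, a repository-scoped `google_artifact_registry_repository_iam_member` binding (if the provider version in use offers it) is the least-privilege form, and the trade-off deserves a comment above the resource such as `# Project-wide read on all Artifact Registry repositories in the registry project; prefer a per-repository binding when the repository set is known.` The change also silently widens what `grant_registry_access = true` means for existing users, who will see the service account gain a second role on their next apply, and the diffstat shows only sa.tf files changed, so the description wherever `grant_registry_access` is declared (and the module README/CHANGELOG, if kept) should state that `roles/artifactregistry.reader` is now granted alongside the GCR role. The seven other hunks (modules/*/sa.tf and the root sa.tf) are identical generated copies of this template, so the same two points apply there and need no separate change once the template is updated.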
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index 6e3593141..6b79badb2 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
diff --git a/sa.tf b/sa.tf
index 6e3593141..6b79badb2 100644
--- a/sa.tf
+++ b/sa.tf
@@ -76,3 +76,9 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}