GoogleCloudPlatform · q2w · Feb 12, 2025
@@ -57,6 +57,15 @@ locals {
     startup_probe  = []
     liveness_probe = []
   }]
+
+  service_account_project_role_mappings = flatten([
+    for project_role in var.service_account_roles_in_projects : [
+      for role in distinct(project_role.roles) : {
+        project_id = project_role.project_id
+        role       = role
+      }
+    ]
+  ])
 }
 
 resource "google_service_account" "sa" {
@@ -77,6 +86,13 @@ resource "google_project_iam_member" "roles" {
   member  = "serviceAccount:${local.service_account}"
 }
 
+resource "google_project_iam_member" "project_roles" {
+  for_each = { for item in local.service_account_project_role_mappings : "${item.project_id}-${item.role}" => item }
+  project  = each.value.project_id
+  role     = each.value.role
+  member   = "serviceAccount:${local.service_account}"
+}
+
 resource "google_cloud_run_v2_service" "main" {
   provider = google-beta
 

@@ -124,6 +124,10 @@ variable "service_account_project_roles" {
   default     = []
 }
 
+variable "service_account_roles_in_projects" {
+  type = list(object({ project_id = string, roles = list(string) }))
+}
+
 variable "members" {
   type        = list(string)
   description = "Users/SAs to be given invoker access to the service. Grant invoker access by specifying the users or service accounts (SAs). Use allUsers for public access, allAuthenticatedUsers for access by logged-in Google users, or provide a list of specific users/SAs. See the complete list of available options: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service_iam#member\\/members-1"