fix: not applying the correct perms to cluster roles

Author: jsbroks

modules/helm_release/main.tf

@@ -5,10 +5,10 @@ locals {
   }
 
   image_tags = {
-    "migrations.image.tag"         = "6e2185a",
-    "webservice.image.tag"         = "6e2185a",
-    "event-worker.image.tag"       = "6e2185a",
-    "job-policy-checker.image.tag" = "6e2185a",
+    "migrations.image.tag"         = "8cce786",
+    "webservice.image.tag"         = "8adc7da",
+    "event-worker.image.tag"       = "8cce786",
+    "job-policy-checker.image.tag" = "8cce786",
   }
 
   postgres_settings = {

modules/service_accounts/main.tf

@@ -22,31 +22,31 @@ locals {
 }
 
 resource "google_service_account_iam_member" "gke_workload_identity" {
-  for_each = toset(local.members)
+  for_each = { for idx, member in local.members : idx => member }
 
   service_account_id = google_service_account.gke.id
   role               = "roles/iam.workloadIdentityUser"
   member             = each.value
 }
 
 resource "google_project_iam_member" "gke_workload_sa_admin" {
-  for_each = toset(local.members)
+  for_each = { for idx, member in local.members : idx => member }
 
   project = local.project_id
   role    = "roles/iam.serviceAccountAdmin"
   member  = each.value
 }
 
 resource "google_project_iam_member" "gke_workload_sa_user" {
-  for_each = toset(local.members)
+  for_each = { for idx, member in local.members : idx => member }
 
   project = local.project_id
   role    = "roles/iam.serviceAccountUser"
   member  = each.value
 }
 
 resource "google_project_iam_member" "gke_workload_sa_token_creator" {
-  for_each = toset(local.members)
+  for_each = { for idx, member in local.members : idx => member }
 
   project = local.project_id
   role    = "roles/iam.serviceAccountTokenCreator"