terraform-google-modules · morgante · Dec 11, 2020 · Aug 18, 2020 · Sep 2, 2020 · Oct 1, 2020
@@ -64,6 +64,17 @@ module "project-factory" {
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 }
 
+/******************************************
+  Setting API service accounts for shared VPC
+ *****************************************/
+module "shared_vpc_access" {
+  source             = "./modules/shared_vpc_access"
+  host_project_id    = var.shared_vpc
+  service_project_id = module.project-factory.project_id
+  active_apis        = module.project-factory.enabled_apis
+  shared_vpc_subnets = var.shared_vpc_subnets
+}
+
 /******************************************
   Billing budget to create if amount is set
  *****************************************/

@@ -61,7 +61,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
    if "dataflow.googleapis.com" compute.networkUser role granted to dataflow  service account for Dataflow on shared VPC Project if no subnets defined
  *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
-  for_each = length(var.shared_vpc_subnets) == 0 ? local.active_apis : []
+  for_each = (length(var.shared_vpc_subnets) == 0) && (var.host_project_id != "") ? local.active_apis : []
   project  = var.host_project_id
   role     = "roles/compute.networkUser"
   member   = format("serviceAccount:%s", local.apis[each.value])
@@ -72,7 +72,7 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
   See:https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
-  count   = local.gke_shared_vpc_enabled ? 1 : 0
+  count   = local.gke_shared_vpc_enabled && (var.host_project_id != "") ? 1 : 0
   project = var.host_project_id
   role    = "roles/container.hostServiceAgentUser"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])