fix: grant_registry_access gate serviceUsageConsumer (#2266)

autogen/main/sa.tf.tmpl

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-autopilot-private-cluster/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-autopilot-public-cluster/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-private-cluster-update-variant/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-private-cluster/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-public-cluster-update-variant/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-public-cluster/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/private-cluster-update-variant/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/private-cluster/sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

sa.tf

@@ -82,7 +82,7 @@ resource "google_project_iam_member" "cluster_service_account_artifact_registry"
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
-  for_each = var.create_service_account && var.enable_gcfs ? toset(local.registry_projects_list) : []
+  for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"