diff --git a/main.tf b/main.tf
index 5a263cfc907c15f7048df0a96616739fc8ca2106..753057d42f06bf384c051e069d49a9d7a6d1b4ad 100644
--- a/main.tf
+++ b/main.tf
@@ -7,10 +7,10 @@ resource "google_service_account" "webapp" {
   display_name = coalesce(var.service_account_display_name, "Web application Cloud Run service account")
 }
 
-# The webapp service account has the ability to connect to the SQL instance.
-# (Only if sql_instance_connection_name is non-empty.)
+# Grant the webapp service account the ability to connect to the SQL instance
+# via the grant_sql_client_role_to_webapp_sa boolean variable.
 resource "google_project_iam_member" "webapp_sql_client" {
-  count = (var.sql_instance_connection_name != "") ? 1 : 0
+  count = var.grant_sql_client_role_to_webapp_sa ? 1 : 0
 
   project = local.sql_instance_project
   role    = "roles/cloudsql.client"
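Review bot: The new `count` on line 15 keys only on `grant_sql_client_role_to_webapp_sa`, which defaults to false, so any caller that today sets `sql_instance_connection_name` and relies on the implicit grant silently loses `roles/cloudsql.client` on the next apply; that is a privilege removal on upgrade and should be stated in the module changelog, or the old trigger kept alongside the new one, e.g. `count = (var.grant_sql_client_role_to_webapp_sa || var.sql_instance_connection_name != "") ? 1 : 0`. Conversely, with the flag true and no connection name set, line 17 still binds `project = local.sql_instance_project`; if that local is derived from `sql_instance_connection_name` (not visible here) it may be empty, so a precondition or a comment stating that the connection name is still required when the flag is set would help. The resource body, including its `member` attribute, continues past the hunk.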
diff --git a/variables.tf b/variables.tf
index bf744526dee7beec4b2ffae567d7fdc600f765a8..2d24f7884cf77a74815d07907e15bb11602fa371 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,15 @@ variable "sql_instance_connection_name" {
   default     = ""
 }
 
+variable "grant_sql_client_role_to_webapp_sa" {
+  description = <<EOI
+    When set to true the 'roles/cloudsql.client' role will be granted to the
+    webapp service account at the project level to allow it to connect to Cloud SQL.
+  EOI
+  type        = bool
+  default     = false
+}
+
 variable "cloud_run_region" {
   description = "Override region used to create Cloud Resources"
   default     = ""
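Review bot: The description on lines 28–31 uses a plain `<<EOI` heredoc with indented content, so the four leading spaces on each line become part of the rendered description; the indented form `<<-EOI` strips that common indentation (and whether an indented closing marker is accepted by the plain form should be confirmed with `terraform validate`). The text says the role is granted "at the project level" but not which project; since main.tf takes it from `local.sql_instance_project`, a sentence such as `The grant is made in the project of the Cloud SQL instance, so the service account can reach every instance in that project.` would make the blast radius of enabling the flag explicit to callers.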