use boolean var to grant sql perms

Currently uses sql_instance_connection_name which causes issues when the provided value is not known until apply.

use boolean var to grant sql perms
186c200a · Ryan Kowalewski · b9fb91e4 · 186c200a · 186c200a
Commit 186c200a authored 2 years ago by Ryan Kowalewski
--- a/main.tf
+++ b/main.tf
@@ -7,10 +7,10 @@ resource "google_service_account" "webapp" {
  display_name = coalesce(var.service_account_display_name, "Web application Cloud Run service account")
 }
-# The webapp service account has the ability to connect to the SQL instance.
+# Grant the webapp service account the ability to connect to the SQL instance
-# (Only if sql_instance_connection_name is non-empty.)
+# via the grant_sql_client_role_to_webapp_sa boolean variable.
 resource "google_project_iam_member" "webapp_sql_client" {
-  count = (var.sql_instance_connection_name != "") ? 1 : 0
+  count = var.grant_sql_client_role_to_webapp_sa ? 1 : 0
  project = local.sql_instance_project
  role    = "roles/cloudsql.client"

--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,15 @@ variable "sql_instance_connection_name" {
  default     = ""
 }
+variable "grant_sql_client_role_to_webapp_sa" {
+  description = <<EOI
+    When set to true the 'roles/cloudsql.client' role will be granted to the
+    webapp service account at the project level to allow it to connect to Cloud SQL.
+  EOI
+  type        = bool
+  default     = false
+}
 variable "cloud_run_region" {
  description = "Override region used to create Cloud Resources"
  default     = ""