From 83dbb046b6007b951cc022a08494eb3196c5d5b9 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 15 May 2026 15:14:49 +0300
Subject: [PATCH] Use google_service_account.member when possible

* No need to build the service account string manually
* Also no need to depend explicitly if the resource is already referenced

Signed-off-by: Jussi Kukkonen
---
 .../external_secrets/external_secrets.tf | 7 +++----
 gcp/modules/fulcio/service_accounts.tf | 9 +++-----
 gcp/modules/gke_cluster/service_accounts.tf | 9 ++++----
 gcp/modules/mysql/mysql.tf | 21 ++++++++-----------
 gcp/modules/rekor/kms.tf | 3 +--
 gcp/modules/rekor/service_accounts.tf | 20 +++++++-----------
 gcp/modules/rekor/sql.tf | 14 ++++++-------
 gcp/modules/rekor/storage.tf | 9 ++++----
 gcp/modules/timestamp/service_accounts.tf | 6 ++----
 gcp/modules/tuf/kms.tf | 4 +---
 gcp/modules/tuf/tuf.tf | 4 +---
 11 files changed, 42 insertions(+), 64 deletions(-)

diff --git a/gcp/modules/external_secrets/external_secrets.tf b/gcp/modules/external_secrets/external_secrets.tf
index 375f1be3..c7a286f1 100644
--- a/gcp/modules/external_secrets/external_secrets.tf
+++ b/gcp/modules/external_secrets/external_secrets.tf
@@ -41,10 +41,9 @@ resource "google_service_account" "external_secrets_sa" {
 }
 
 resource "google_project_iam_member" "external_secrets_binding" {
-  project = var.project_id
-  role = "roles/secretmanager.secretAccessor"
-  member = "serviceAccount:${google_service_account.external_secrets_sa.email}"
-  depends_on = [google_service_account.external_secrets_sa]
+  project = var.project_id
+  role = "roles/secretmanager.secretAccessor"
+  member = google_service_account.external_secrets_sa.member
 }
 
 resource "google_service_account_iam_member" "gke_sa_iam_member_external_secrets" {
diff --git a/gcp/modules/fulcio/service_accounts.tf b/gcp/modules/fulcio/service_accounts.tf
index a3bc28c8..fed1a9b7 100644
--- a/gcp/modules/fulcio/service_accounts.tf
+++ b/gcp/modules/fulcio/service_accounts.tf
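Review bot: The new `member = google_service_account.external_secrets_sa.member` line reads a computed attribute that only fairly recent releases of the google provider expose, and nothing in this patch touches any module's `required_providers` constraint, so a module pinned to an older provider would fail at plan time with an unsupported-attribute error rather than silently misbehave. The same applies to every other hunk in this patch, since they all switch to the `.member` attribute. Worth confirming that the provider version constraint in each module (or the root that wires them together) is new enough, and bumping it in this same change if it is not. Dropping the explicit `depends_on` lines is otherwise sound: referencing the computed attribute gives Terraform the same ordering edge implicitly.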
@@ -31,21 +31,18 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_fulcio" {
 resource "google_kms_key_ring_iam_member" "fulcio_kms_signer_verifier_member" {
   key_ring_id = google_kms_key_ring.fulcio-keyring.id
   role = "roles/cloudkms.signerVerifier"
-  member = "serviceAccount:${google_service_account.fulcio-sa.email}"
-  depends_on = [google_service_account.fulcio-sa]
+  member = google_service_account.fulcio-sa.member
 }
 
 resource "google_kms_key_ring_iam_member" "fulcio_kms_viewer_member" {
   key_ring_id = google_kms_key_ring.fulcio-keyring.id
   role = "roles/cloudkms.viewer"
-  member = "serviceAccount:${google_service_account.fulcio-sa.email}"
-  depends_on = [google_service_account.fulcio-sa]
+  member = google_service_account.fulcio-sa.member
 }
 
 // Decrypt encrypted Tink keyset to get signing key
 resource "google_kms_key_ring_iam_member" "fulcio_kms_decrypter_member" {
   key_ring_id = google_kms_key_ring.fulcio-keyring.id
   role = "roles/cloudkms.cryptoKeyDecrypter"
-  member = "serviceAccount:${google_service_account.fulcio-sa.email}"
-  depends_on = [google_service_account.fulcio-sa]
+  member = google_service_account.fulcio-sa.member
 }
diff --git a/gcp/modules/gke_cluster/service_accounts.tf b/gcp/modules/gke_cluster/service_accounts.tf
index 3820e21b..6dfc18a2 100644
--- a/gcp/modules/gke_cluster/service_accounts.tf
+++ b/gcp/modules/gke_cluster/service_accounts.tf
@@ -32,7 +32,7 @@ resource "google_project_iam_member" "service-account" {
   ])
   project = var.project_id
   role = each.key
-  member = format("serviceAccount:%s", google_service_account.gke-sa.email)
+  member = google_service_account.gke-sa.member
 }
 
 // Create the Prometheus service account
@@ -72,8 +72,7 @@ resource "google_project_iam_member" "prometheus_member" {
     "roles/monitoring.viewer",
     "roles/stackdriver.resourceMetadata.writer",
   ])
-  project = var.project_id
-  role = each.key
-  member = "serviceAccount:${google_service_account.prometheus-sa.email}"
-  depends_on = [google_service_account.prometheus-sa]
+  project = var.project_id
+  role = each.key
+  member = google_service_account.prometheus-sa.member
 }
diff --git a/gcp/modules/mysql/mysql.tf b/gcp/modules/mysql/mysql.tf
index c7ffe10b..3d104661 100644
--- a/gcp/modules/mysql/mysql.tf
+++ b/gcp/modules/mysql/mysql.tf
@@ -64,10 +64,9 @@ resource "google_service_account" "dbuser_trillian" {
 }
 // Attach cloudsql access permissions to the Google SA.
 resource "google_project_iam_member" "db_admin_member_trillian" {
-  project = var.project_id
-  role = "roles/cloudsql.client"
-  member = "serviceAccount:${google_service_account.dbuser_trillian.email}"
-  depends_on = [google_service_account.dbuser_trillian]
+  project = var.project_id
+  role = "roles/cloudsql.client"
+  member = google_service_account.dbuser_trillian.member
 }
 
 resource "google_service_account_iam_member" "gke_sa_iam_member_trillian_logserver" {
@@ -86,10 +85,9 @@ resource "google_project_iam_member" "logserver_iam" {
     "roles/cloudsql.client",
     "roles/cloudtrace.agent"
   ])
-  project = var.project_id
-  role = each.key
-  member = "serviceAccount:${google_service_account.dbuser_trillian.email}"
-  depends_on = [google_service_account.dbuser_trillian]
+  project = var.project_id
+  role = each.key
+  member = google_service_account.dbuser_trillian.member
 }
 
 resource "google_service_account_iam_member" "gke_sa_iam_member_trillian_logsigner" {
@@ -279,10 +277,9 @@ resource "google_sql_user" "iam_user" {
 }
 
 resource "google_project_iam_member" "db_iam_auth" {
-  project = var.project_id
-  role = "roles/cloudsql.instanceUser"
-  member = "serviceAccount:${google_service_account.dbuser_trillian.email}"
-  depends_on = [google_service_account.dbuser_trillian]
+  project = var.project_id
+  role = "roles/cloudsql.instanceUser"
+  member = google_service_account.dbuser_trillian.member
 }
 
 resource "google_sql_user" "breakglass_iam_group" {
diff --git a/gcp/modules/rekor/kms.tf b/gcp/modules/rekor/kms.tf
index 399bcba3..bc1f1f0b 100644
--- a/gcp/modules/rekor/kms.tf
+++ b/gcp/modules/rekor/kms.tf
@@ -36,6 +36,5 @@ resource "google_kms_crypto_key" "rekor-key" {
 resource "google_kms_key_ring_iam_member" "rekor_sa_kms_iam" {
   key_ring_id = google_kms_key_ring.rekor-keyring.id
   role = "roles/cloudkms.viewer"
-  member = format("serviceAccount:%s-rekor-sa@%s.iam.gserviceaccount.com", var.cluster_name, var.project_id)
-  depends_on = [google_kms_key_ring.rekor-keyring, google_service_account.rekor-sa]
+  member = google_service_account.rekor-sa.member
 }
diff --git a/gcp/modules/rekor/service_accounts.tf b/gcp/modules/rekor/service_accounts.tf
index 464ef09a..772c3d5f 100644
--- a/gcp/modules/rekor/service_accounts.tf
+++ b/gcp/modules/rekor/service_accounts.tf
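Review bot: In gcp/modules/rekor/kms.tf the principal of `rekor_sa_kms_iam` moves from the string built by `format("serviceAccount:%s-rekor-sa@%s.iam.gserviceaccount.com", var.cluster_name, var.project_id)` to `google_service_account.rekor-sa.member`, and those name the same account only if the `rekor-sa` resource's `account_id` is exactly `"${var.cluster_name}-rekor-sa"`, which this diff does not show. If they differ, the plan replaces the key-ring binding: `roles/cloudkms.viewer` is revoked from whatever principal the old string named and granted to the real account, which is the right end state but is a permission change rather than the pure refactor the description suggests. The plan output for this resource should show no change before apply; if it does show one, that is worth calling out in the commit message. The same check applies to the `var.tuf_service_account_name` substitutions in gcp/modules/tuf/kms.tf and gcp/modules/tuf/tuf.tf, which likewise assume the variable equals the `tuf-sa` resource's `account_id`.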
@@ -31,22 +31,19 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_rekor" {
 resource "google_kms_key_ring_iam_member" "rekor_signer_verifier_member" {
   key_ring_id = google_kms_key_ring.rekor-keyring.id
   role = "roles/cloudkms.signerVerifier"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  member = google_service_account.rekor-sa.member
 }
 
 resource "google_kms_key_ring_iam_member" "rekor_kms_member" {
   key_ring_id = google_kms_key_ring.rekor-keyring.id
   role = "roles/cloudkms.viewer"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  member = google_service_account.rekor-sa.member
 }
 
 resource "google_project_iam_member" "rekor_profiler_agent" {
-  project = var.project_id
-  role = "roles/cloudprofiler.agent"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  project = var.project_id
+  role = "roles/cloudprofiler.agent"
+  member = google_service_account.rekor-sa.member
 }
 
 resource "google_service_account_iam_member" "gke_sa_iam_member_rekor_server" {
@@ -64,8 +61,7 @@ resource "google_project_iam_member" "logserver_iam" {
     "roles/stackdriver.resourceMetadata.writer",
     "roles/cloudtrace.agent"
   ])
-  project = var.project_id
-  role = each.key
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  project = var.project_id
+  role = each.key
+  member = google_service_account.rekor-sa.member
 }
diff --git a/gcp/modules/rekor/sql.tf b/gcp/modules/rekor/sql.tf
index acafec9b..732ad73a 100644
--- a/gcp/modules/rekor/sql.tf
+++ b/gcp/modules/rekor/sql.tf
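Review bot: After this change `rekor_kms_member` in this hunk and `rekor_sa_kms_iam` in gcp/modules/rekor/kms.tf describe the identical binding — `google_kms_key_ring.rekor-keyring.id`, `roles/cloudkms.viewer`, `google_service_account.rekor-sa.member` — from two separate `google_kms_key_ring_iam_member` resources. Non-authoritative `_iam_member` resources do not detect that overlap: the grant is created once, but removing either resource later would revoke the role while the other still records it in state, leaving state and IAM out of sync until the next refresh. It would be cleaner to keep only one of them, probably `rekor_kms_member` here next to the other `rekor-sa` key-ring grants, and drop `rekor_sa_kms_iam` from kms.tf in a follow-up.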
@@ -29,17 +29,15 @@ resource "google_sql_user" "iam_user" {
 }
 
 resource "google_project_iam_member" "db_admin_member_rekor" {
-  project = var.project_id
-  role = "roles/cloudsql.client"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  project = var.project_id
+  role = "roles/cloudsql.client"
+  member = google_service_account.rekor-sa.member
 }
 
 resource "google_project_iam_member" "db_iam_auth" {
-  project = var.project_id
-  role = "roles/cloudsql.instanceUser"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
+  project = var.project_id
+  role = "roles/cloudsql.instanceUser"
+  member = google_service_account.rekor-sa.member
 }
 
 /*
diff --git a/gcp/modules/rekor/storage.tf b/gcp/modules/rekor/storage.tf
index 23a00337..bd51ebe9 100644
--- a/gcp/modules/rekor/storage.tf
+++ b/gcp/modules/rekor/storage.tf
@@ -45,9 +45,8 @@ resource "google_storage_bucket" "attestation" {
 
 // GCS Bucket
 resource "google_storage_bucket_iam_member" "rekor_gcs_member" {
-  count = var.enable_attestations ? 1 : 0
-  bucket = google_storage_bucket.attestation[count.index].name
-  role = "roles/storage.objectAdmin"
-  member = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_storage_bucket.attestation, google_service_account.rekor-sa]
+  count = var.enable_attestations ? 1 : 0
+  bucket = google_storage_bucket.attestation[count.index].name
+  role = "roles/storage.objectAdmin"
+  member = google_service_account.rekor-sa.member
 }
diff --git a/gcp/modules/timestamp/service_accounts.tf b/gcp/modules/timestamp/service_accounts.tf
index f07b503a..4ffaf2e8 100644
--- a/gcp/modules/timestamp/service_accounts.tf
+++ b/gcp/modules/timestamp/service_accounts.tf
@@ -32,13 +32,11 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_timestamp" {
 resource "google_kms_key_ring_iam_member" "timestamp_kms_decrypter_member" {
   key_ring_id = google_kms_key_ring.timestamp-keyring.id
   role = "roles/cloudkms.cryptoKeyDecrypter"
-  member = "serviceAccount:${google_service_account.timestamp-sa.email}"
-  depends_on = [google_service_account.timestamp-sa]
+  member = google_service_account.timestamp-sa.member
 }
 
 resource "google_kms_key_ring_iam_member" "timestamp_kms_viewer_member" {
   key_ring_id = google_kms_key_ring.timestamp-keyring.id
   role = "roles/cloudkms.viewer"
-  member = "serviceAccount:${google_service_account.timestamp-sa.email}"
-  depends_on = [google_service_account.timestamp-sa]
+  member = google_service_account.timestamp-sa.member
 }
diff --git a/gcp/modules/tuf/kms.tf b/gcp/modules/tuf/kms.tf
index adf8252d..cdb4189c 100644
--- a/gcp/modules/tuf/kms.tf
+++ b/gcp/modules/tuf/kms.tf
@@ -42,8 +42,7 @@ resource "google_kms_crypto_key_version" "tuf-key-version" {
 resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
   key_ring_id = google_kms_key_ring.tuf-keyring.id
   role = "roles/cloudkms.signerVerifier"
-  member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
-  depends_on = [google_kms_key_ring.tuf-keyring, google_service_account.tuf-sa]
+  member = google_service_account.tuf-sa.member
 }
 
 resource "google_kms_key_ring_iam_member" "tuf-key-iam-viewers" {
@@ -52,5 +51,4 @@ resource "google_kms_key_ring_iam_member" "tuf-key-iam-viewers" {
   key_ring_id = google_kms_key_ring.tuf-keyring.id
   role = "roles/cloudkms.publicKeyViewer"
   member = each.key
-  depends_on = [google_kms_key_ring.tuf-keyring]
 }
diff --git a/gcp/modules/tuf/tuf.tf b/gcp/modules/tuf/tuf.tf
index 939689d6..3e79cf94 100644
--- a/gcp/modules/tuf/tuf.tf
+++ b/gcp/modules/tuf/tuf.tf
@@ -91,7 +91,5 @@ resource "google_storage_bucket_iam_member" "tuf_sa_editor" {
 
   bucket = google_storage_bucket.tuf.name
   role = each.key
-  member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
-
-  depends_on = [google_storage_bucket.tuf, google_service_account.tuf-sa]
+  member = google_service_account.tuf-sa.member
 }