refactored module

data.tf

@@ -1 +1 @@
-data "google_project" "project" {}
+data "google_project" "truefoundry_platform_feature_project" {}

iam.tf

@@ -1,18 +1,18 @@
-// create service accounts
-resource "google_service_account" "service_account" {
+// service account for truefoundry platform feature
+resource "google_service_account" "truefoundry_platform_feature_service_account" {
   account_id   = local.serviceaccount_name
   project      = var.project
   display_name = "Terraform-managed truefoundry platform service account"
   description = "Truefoundry platform user with access to artifact registry, blob storage and secrets manager"
 }
 
-// custom roles for secret manager
-resource "google_project_iam_custom_role" "secret_manager_tfy_role" {
+// custom role for secret manager
+resource "google_project_iam_custom_role" "truefoundry_platform_feature_secret_manager_role" {
   count       = var.feature_secrets_enabled ? 1 : 0
 
   role_id     = replace("${local.trufoundry_platform_resources}_bucket_secret_manager_tfy_role", "-", "_")
-  title       = "Secret Manager TFY Role"
-  description = "Role to manage secrets starting with tfy"
+  title       = replace("${local.trufoundry_platform_resources}_bucket_secret_manager_tfy_role", "-", "_")
+  description = "TrueFoundry platform feature role to manage secrets in GSM"
   permissions = [
     "secretmanager.secrets.get",
     "secretmanager.secrets.list",
@@ -25,12 +25,12 @@ resource "google_project_iam_custom_role" "secret_manager_tfy_role" {
 }
 
 // custom role for GCS
-resource "google_project_iam_custom_role" "gcs_tfy_role" {
+resource "google_project_iam_custom_role" "truefoundry_platform_feature_gcs_bucket_role" {
   count       = var.feature_blob_storage_enabled ? 1 : 0
 
   role_id     = replace("${local.trufoundry_platform_resources}_bucket_gcs_tfy_role", "-", "_")
-  title       = "GCS TFY Role"
-  description = "Role to manage GCS buckets starting with tfy"
+  title       = replace("${local.trufoundry_platform_resources}_bucket_gcs_tfy_role", "-", "_")
+  description = "TrueFoundry platform feature role to manage GCS bucket"
   permissions = [
     "storage.objects.create",
     "storage.objects.delete",
@@ -50,73 +50,73 @@ resource "google_project_iam_custom_role" "gcs_tfy_role" {
   ]
 }
 
-// add secret manager custom roles to service account with condition
-resource "google_project_iam_member" "secret_manager_role_binding" {
+// custom role binding with condition for secret manager role
+resource "google_project_iam_member" "truefoundry_platform_feature_secret_manager_role_binding" {
   count = var.feature_secrets_enabled ? 1 : 0
 
   project = var.project
-  role    = google_project_iam_custom_role.secret_manager_tfy_role[count.index].id
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  role    = google_project_iam_custom_role.truefoundry_platform_feature_secret_manager_role[count.index].id
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 
   condition {
-    title       = "Restrict to tfy secrets"
-    description = "Allows access to secrets that start with 'tfy'"
-    expression  = "resource.name.startsWith('projects/${data.google_project.project.number}/secrets/tfy')"
+    title       = "Condition to allow access to secrets starting with 'tfy'"
+    description = "TrueFoundry platform feature role to allows access to secrets that start with 'tfy'"
+    expression  = "resource.name.startsWith('projects/${data.google_project.truefoundry_platform_feature_project.number}/secrets/tfy')"
   }
 }
 
-// add GCS custom roles to service account with condition
-resource "google_project_iam_member" "gcs_role_binding" {
+// custom role binding with condition for GCS role
+resource "google_project_iam_member" "truefoundry_platform_feature_gcs_role_binding" {
   count = var.feature_blob_storage_enabled ? 1 : 0
 
   project = var.project
-  role    = google_project_iam_custom_role.gcs_tfy_role[count.index].id
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  role    = google_project_iam_custom_role.truefoundry_platform_feature_gcs_bucket_role[count.index].id
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 
   condition {
-    title       = "Restrict to tfy storage buckets"
-    description = "Allows access to buckets that start with 'tfy'"
-    expression  = "resource.name.startsWith('projects/_/buckets/tfy')"
+    title       = "Condition to allow access to truefoundry bucket"
+    description = "TrueFoundry platform feature role to allows access to buckets that start with 'tfy'"
+    expression  = "resource.name.startsWith('projects/_/buckets/${module.blob_storage[0].name}')"
   }
 }
 
-// add service account to token creator role
-resource "google_project_iam_member" "token_creator_role_binding" {
+// role binding token creator role to service account
+resource "google_project_iam_member" "truefoundry_platform_feature_token_creator_role_binding" {
   count = var.feature_blob_storage_enabled ? 1 : 0
 
   project = var.project
   role    = "roles/iam.serviceAccountTokenCreator"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
-// add artifact registry role to service account
-resource "google_project_iam_member" "artifact_registry_role_binding" {
+// role binding artifact registry role to service account
+resource "google_project_iam_member" "truefoundry_platform_feature_artifact_registry_role_binding" {
   count = var.feature_docker_registry_enabled ? 1 : 0
 
   project = var.project
   role    = "roles/artifactregistry.admin"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
-// add container cluster viewer role to service account
-resource "google_project_iam_member" "container_cluster_viewer_role_binding" {
+// role binding container cluster viewer role to service account
+resource "google_project_iam_member" "truefoundry_platform_feature_container_cluster_viewer_role_binding" {
   count = var.feature_cloud_integration_enabled ? 1 : 0
 
   project = var.project
   role    = "roles/container.clusterViewer"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
-// add container viewer role to service account
-resource "google_project_iam_member" "container_viewer_role_binding" {
+// role binding container viewer role to service account
+resource "google_project_iam_member" "truefoundry_platform_feature_container_viewer_role_binding" {
   count = var.feature_cloud_integration_enabled ? 1 : 0
 
   project = var.project
   role    = "roles/container.viewer"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
 // service account key
-resource "google_service_account_key" "service_account_key" {
-  service_account_id = google_service_account.service_account.id
+resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
+  service_account_id = google_service_account.truefoundry_platform_feature_service_account.id
 }

output.tf

@@ -27,7 +27,7 @@ output "serviceaccount_name" {
   description = "Name of the service account"
 }
 output "serviceaccount_key" {
-  value       = google_service_account_key.service_account_key.private_key
+  value       = google_service_account_key.truefoundry_platform_feature_service_account_key.private_key
   sensitive   = true
   description = "Service account keys"
 }