fix: Additional roles should only granted for Shared VPC when attaching to a service project (#542)

xingao267 · web-flow · commit 99093dece468 · 2021-01-27T14:21:25.000-05:00
diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
@@ -86,7 +86,7 @@ resource "google_project_iam_member" "gke_host_agent" {
   and https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#creating_additional_firewall_rules
  *****************************************/
 resource "google_project_iam_member" "gke_security_admin" {
-  count   = local.gke_shared_vpc_enabled && var.grant_services_security_admin_role ? 1 : 0
+  count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_security_admin_role ? 1 : 0
   project = var.host_project_id
   role    = "roles/compute.securityAdmin"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])
