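# Service account that Terraform uses to manage resources in the project.
resource "google_service_account" "terraform" {
  account_id   = "terraform-sa"
  display_name = "Terraform Service Account"
  project      = var.project_id
}

# Long-lived key for the Terraform service account.
# NOTE(security): the provider stores the generated private key in the
# Terraform state, so anyone who can read the state can authenticate as this
# service account. Keep the state in an access-controlled, encrypted backend
# and never commit it. Where the workflow allows, prefer keyless
# authentication (service account impersonation or Workload Identity
# Federation) over an exported key.
resource "google_service_account_key" "terraform_key" {
  service_account_id = google_service_account.terraform.name

  keepers = {
    # A new key is generated whenever this value changes.
    project = var.project_id
  }
}

# Project-level IAM bindings for the Terraform service account.
# Example roles for managing Compute, IAM and OS Login.
# NOTE(review): these grants apply to the whole project and are broad.
# Confirm each role is needed and narrow it where a more specific role covers
# what Terraform actually manages (least privilege).
resource "google_project_iam_member" "compute_admin" {
  project = var.project_id
  role    = "roles/compute.admin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# Allows the service account to create and manage service accounts in the
# project. Together with a downloadable key this is a high-value identity, so
# monitor its use in the audit logs.
resource "google_project_iam_member" "iam_admin" {
  project = var.project_id
  role    = "roles/iam.serviceAccountAdmin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# OS Login access without administrator (sudo) rights on instances.
resource "google_project_iam_member" "oslogin" {
  project = var.project_id
  role    = "roles/compute.osLogin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# Enables OS Login for the whole project through project metadata, so SSH
# access to instances is governed by IAM rather than by SSH keys stored in
# metadata. This resource only sets the flag; no SSH key is configured here.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  project = var.project_id
  key     = "enable-oslogin"
  value   = "TRUE"
}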