# Service account identity for Terraform. Its account id, project and display
# name are all supplied by the caller through input variables.
resource "google_service_account" "terraform_sa" {
  project      = var.project_id
  account_id   = var.sa_name
  display_name = var.sa_display_name
}

# User-managed key for the service account above.
#
# NOTE(review): the provider records this key's private material in Terraform
# state, so the state backend needs encryption and access control at least as
# strict as the account's own permissions. If the runner can use service
# account impersonation or workload identity federation, no exported key is
# required. Confirm whether anything still consumes this key.
resource "google_service_account_key" "terraform_sa_key" {
  service_account_id = google_service_account.terraform_sa.name

  # A change to any keeper value forces a new key to be generated. The only
  # keeper is the display name, so the key is replaced when the account is
  # renamed; nothing visible here rotates it on a schedule.
  keepers = {
    display_name = google_service_account.terraform_sa.display_name
  }
}

# One project-level IAM grant per entry in var.roles. toset() de-duplicates the
# list and gives for_each string keys, so each.key is the role name.
#
# google_project_iam_member is additive: it grants the role to this member and
# leaves other members of the same role untouched.
#
# NOTE(review): var.roles is declared outside this view. Verify that it is
# validated there, e.g. by rejecting basic roles such as roles/owner and
# roles/editor, so this account stays least-privilege.
resource "google_project_iam_member" "sa_roles" {
  for_each = toset(var.roles)

  project = var.project_id
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
  role    = each.key
}