# ---------------------------------------------------------------------------
# Service account
# Identity that receives the custom role below.
# NOTE(review): no `project` argument is set here, so the account is created in
# the provider's default project, while the role and the binding target
# var.project_id. Confirm both resolve to the same project; if they differ,
# an identity from another project is granted access in var.project_id.
# ---------------------------------------------------------------------------
resource "google_service_account" "sa" {
  account_id   = var.service_account_id
  display_name = var.service_account_display_name
}

# ---------------------------------------------------------------------------
# Custom role
# Project-level role whose permission list comes entirely from
# var.custom_role_permissions; that list is the effective privilege set of the
# service account in this project, so keep it to the minimum required.
# NOTE(review): the original comment labelled this role "optional", but the
# resource carries no count/for_each and the binding below references it
# unconditionally, so it is always created.
# ---------------------------------------------------------------------------
resource "google_project_iam_custom_role" "custom_role" {
  project     = var.project_id
  role_id     = var.custom_role_id
  title       = var.custom_role_title
  description = var.custom_role_description
  permissions = var.custom_role_permissions
}

# ---------------------------------------------------------------------------
# IAM binding: attaches the custom role to the service account
# google_project_iam_member is additive (non-authoritative): it grants this one
# member the role and leaves other members of the same role untouched.
# ---------------------------------------------------------------------------
resource "google_project_iam_member" "sa_role_binding" {
  project = var.project_id
  member  = "serviceAccount:${google_service_account.sa.email}"
  role    = google_project_iam_custom_role.custom_role.name
}