iam

tp-cloud/terraform/environments/dev/main.tf

@@ -30,4 +30,9 @@ module "compute" {
   frontend_subnet_id  = module.network.subnets["frontend"]
   backend_subnet_id   = module.network.subnets["backend"]
   database_subnet_id  = module.network.subnets["database"]
-}
+}
+
+module "iam" {
+  source     = "../../modules/iam"
+  project_id = var.project_id
+}

tp-cloud/terraform/modules/iam/main.tf

@@ -0,0 +1,30 @@
+resource "google_service_account" "terraform_sa" {
+  account_id   = "terraform-admin"
+  display_name = "Terraform Administrative Service Account"
+}
+
+# 2. Clé du compte de service
+resource "google_service_account_key" "terraform_sa_key" {
+  service_account_id = google_service_account.terraform_sa.name
+}
+
+resource "google_project_iam_member" "terraform_roles" {
+  for_each = toset([
+    "roles/compute.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/compute.osLogin",
+    "roles/compute.networkAdmin",
+  ])
+
+  project = var.project_id
+  role    = each.value
+  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
+}
+
+resource "google_compute_project_metadata" "oslogin" {
+  metadata = {
+    enable-oslogin = "TRUE"
+    ssh-keys       = "student:${file("~/.ssh/id_ed25519.pub")}"
+  }
+}

tp-cloud/terraform/modules/iam/outputs.tf

@@ -0,0 +1,10 @@
+output "service_account_email" {
+  description = "Email du compte de service Terraform"
+  value       = google_service_account.terraform_sa.email
+}
+
+output "service_account_key" {
+  description = "Clé privée du compte de service Terraform"
+  value       = google_service_account_key.terraform_sa_key.private_key
+  sensitive   = true
+}

tp-cloud/terraform/modules/iam/variables.tf

@@ -0,0 +1,4 @@
+variable "project_id" {
+  description = "ID du projet GCP"
+  type        = string
+}