
bug: Using skip_iam_grants with use_existing_service_account doesn't work #94

Open
vjosafusha opened this issue May 29, 2024 · 0 comments
Labels
bug Something isn't working

Comments


vjosafusha commented May 29, 2024

Using skip_iam_grants to skip custom role creation with use_existing_service_account fails. In my terraform configuration, I create a service account and assign the already created custom role with the proper permissions:

  • bigquery.datasets.get
  • compute.projects.get
  • pubsub.topics.get
  • storage.buckets.get
  • compute.sslPolicies.get

I set the service account name and private key to the module.

Module reference:

```hcl
module "gcp_project_level_config" {
  source                       = "lacework/config/gcp"
  version                      = "~> 3.0"
  project_id                   = var.project_id
  required_config_apis         = {} // apis already enabled
  use_existing_service_account = true
  skip_iam_grants              = true
  service_account_name         = google_service_account.lacework_gcp_compliance_config.name
  service_account_private_key  = google_service_account_key.lacework_sa_compliance_key.private_key
}
```

I get the following error:
[screenshot of the error]

Expected behavior
The errors indicate that the module is still trying to assign custom role permission even though skip_iam_grants is true and I use an existing service account. I am expecting that this step

```hcl
role = google_project_iam_custom_role.lacework_custom_project_role.0.name
```

would be skipped.

On line #L127 of main.tf, you're missing a condition that checks if skip_iam_grants is true, similar to the check for creating the custom role on #L118. The expected behavior is that we don't assign a custom role if we have already created it and assigned it to an already created SA.

Please complete the following information:

  • Terraform Version: "~> 1.8.0"
  • Module Version: "~> 3.0"
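The pattern the report asks for, shown as an added illustration rather than the lacework/config/gcp module's actual main.tf: the custom role and the IAM binding that references it share one guard, so when skip_iam_grants is true neither is created and the binding never indexes element 0 of an empty resource list. The variable names skip_iam_grants and use_existing_service_account and the permission list come from the issue; the resource names, role_id, the service_account_email variable and the locals are assumptions made for this example.

```hcl
# Illustrative module-side fix (not the module's real code).
# Assumed inputs: project_id, skip_iam_grants, use_existing_service_account,
# service_account_email (an assumption; the issue passes service_account_name).

variable "project_id" { type = string }

variable "use_existing_service_account" {
  type    = bool
  default = false
}

variable "skip_iam_grants" {
  description = "When true the caller manages IAM; the module neither creates nor binds the custom role."
  type        = bool
  default     = false
}

variable "service_account_email" {
  description = "Email of the existing service account to bind (assumed input for this example)."
  type        = string
}

locals {
  # One switch for every IAM object, so the role and its binding cannot drift apart.
  manage_iam = var.skip_iam_grants ? 0 : 1
}

# Custom role with only the read-only permissions from the report (least privilege).
resource "google_project_iam_custom_role" "lacework_custom_project_role" {
  count       = local.manage_iam
  project     = var.project_id
  role_id     = "laceworkComplianceRole" # assumed id
  title       = "Lacework compliance role"
  permissions = [
    "bigquery.datasets.get",
    "compute.projects.get",
    "pubsub.topics.get",
    "storage.buckets.get",
    "compute.sslPolicies.get",
  ]
}

# The binding carries the same guard as the role. Without `count = local.manage_iam`
# this block is evaluated when skip_iam_grants = true and fails on the [0] index,
# which is the error the report describes.
resource "google_project_iam_member" "lacework_custom_role_binding" {
  count   = local.manage_iam
  project = var.project_id
  role    = google_project_iam_custom_role.lacework_custom_project_role[0].name
  member  = "serviceAccount:${var.service_account_email}"
}
```

Using `[0]` instead of the legacy `.0` index does not change behaviour; the fix is the shared `count`, which makes "skip grants" mean exactly that: the caller who created the service account and its role stays the only party managing that project's IAM.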