variable "project_id" {
  description = "ID of the GCP project in which the service accounts and their IAM bindings are created."
  type        = string
  default     = "datacom-poc"
}

variable "project_number" {
  description = "Numeric project number. Not referenced in this file; presumably consumed elsewhere in the module."
  type        = string
  default     = "32472615575"
}

variable "region" {
  description = "Default region. Not referenced by the resources in this file."
  type        = string
  default     = "asia-northeast1"
}

# Role sets granted to each service account, collected in one place so the
# permissions of every identity can be reviewed at a glance. All bindings
# below are project-level (google_project_iam_member), so each role applies to
# every matching resource in the project, not to a single bucket/function/SA.
locals {
  # Runtime identity of the Cloud Functions.
  cf_sa_roles = [
    "roles/storage.objectAdmin",
    "roles/workflows.invoker",
    "roles/secretmanager.secretAccessor",
    "roles/aiplatform.user",
  ]

  # Shared by the Workflows and API Gateway identities: both only need to
  # invoke functions (1st gen) / Cloud Run services (2nd gen).
  invoker_roles = [
    "roles/cloudfunctions.invoker",
    "roles/run.invoker",
  ]

  # Deployment identity used by Cloud Build.
  cloudbuild_sa_roles = [
    "roles/cloudbuild.builds.builder",
    "roles/storage.objectAdmin",
    "roles/artifactregistry.writer",
    "roles/developerconnect.readTokenAccessor",
    "roles/cloudfunctions.developer",
    "roles/workflows.admin",
    "roles/iam.serviceAccountUser",
  ]
}

# Service account under which the Cloud Functions run.
resource "google_service_account" "cf_sa" {
  project      = var.project_id
  account_id   = "mrt-cloudfunctions-sa-devtest"
  display_name = "Cloud Functions SA"
}

# Project-level role grants for the Cloud Functions SA.
# NOTE(review): roles/storage.objectAdmin here covers every bucket in the
# project; if the functions only touch known buckets, a bucket-level binding
# (google_storage_bucket_iam_member) would keep the grant to those buckets.
resource "google_project_iam_member" "cf_sa_role" {
  for_each = toset(local.cf_sa_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.cf_sa.email}"
}

# Service account used by Cloud Workflows to call the functions.
resource "google_service_account" "workflows_sa" {
  project      = var.project_id
  account_id   = "mrt-cloudworkflows-sa-devtest"
  display_name = "Cloud Workflows SA"
}

# Invoke-only grants for the Workflows SA.
resource "google_project_iam_member" "wf_cf_role" {
  for_each = toset(local.invoker_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.workflows_sa.email}"
}

# Service account used by API Gateway to call the functions.
resource "google_service_account" "gateway_sa" {
  project      = var.project_id
  account_id   = "mrt-apigateway-sa-devtest"
  display_name = "Cloud Functions 起動用サービスアカウント"
}

# Invoke-only grants for the API Gateway SA.
resource "google_project_iam_member" "gateway_role" {
  for_each = toset(local.invoker_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gateway_sa.email}"
}

# Service account used by Cloud Build for builds and deployments.
resource "google_service_account" "cloudbuild_sa" {
  project      = var.project_id
  account_id   = "mrt-cloudbuild-sa-devtest"
  display_name = "Cloud Build 用サービスアカウント"
}

# Project-level role grants for the Cloud Build SA.
# NOTE(review): roles/iam.serviceAccountUser at project level lets this SA act
# as any service account in the project, including cf_sa and workflows_sa and
# whatever they can reach. If it only deploys onto those two, granting
# serviceAccountUser per target SA (google_service_account_iam_member) limits
# the reach to the accounts it actually needs. roles/workflows.admin and
# roles/storage.objectAdmin are likewise project-wide; confirm that scope is
# intended for a dev/test deployment identity.
resource "google_project_iam_member" "cloudbuild_role" {
  for_each = toset(local.cloudbuild_sa_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.cloudbuild_sa.email}"
}