feat: Add ability to disable granting billing IAM via grant_billing_u…

…ser variable (#19)

CHANGELOG.md

@@ -20,6 +20,10 @@ and this project adheres to
 
 ## [Unreleased]
 
+### Added
+
+- The `grant_billing_user` variable. [#18]
+
 ## [0.3.0] - 2019-12-18
 
 ### Fixed

README.md

@@ -50,6 +50,7 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 | billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
 | default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
 | folder\_id | The ID of a folder to host this project | string | `""` | no |
+| grant\_billing\_user | Grant roles/billing.user role to CFT service account | bool | `"true"` | no |
 | group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
 | group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
 | org\_admins\_org\_iam\_permissions | List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. | list(string) | `<list>` | no |

main.tf

@@ -136,6 +136,7 @@ resource "google_organization_iam_member" "tf_sa_org_perms" {
 }
 
 resource "google_billing_account_iam_member" "tf_billing_user" {
+  count              = var.grant_billing_user == true ? 1 : 0
   billing_account_id = var.billing_account
   role               = "roles/billing.user"
   member             = "serviceAccount:${google_service_account.org_terraform.email}"

variables.tf

@@ -103,6 +103,12 @@ variable "sa_enable_impersonation" {
   default     = false
 }
 
+variable "grant_billing_user" {
+  description = "Grant roles/billing.user role to CFT service account"
+  type        = bool
+  default     = true
+}
+
 variable "storage_bucket_labels" {
   description = "Labels to apply to the storage bucket."
   type        = map(string)