magickatt/access_gcr_images_from_other_projects.tf

## access_gcr_images_from_other_projects.tf
locals {
  project_ids    = [123456789012, 234567890123, 345678901234]
  bucket_region  = "us"
  bucket_project = "something-123456"
  bucket_name    = "${local.bucket_region}.artifacts.${local.bucket_project}.appspot.com"
}

# Allow Cloud Build in every other project access to GCR images hosted in the central project
resource "google_storage_bucket_iam_member" "container_registry" {
  for_each = var.project_ids

  bucket = local.bucket_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${each.value}@cloudbuild.gserviceaccount.com"
}

# Allow GCE/GKE in every other project access to GCR images hosted in the central project
resource "google_storage_bucket_iam_member" "container_registry" {
  for_each = var.project_ids

  bucket = local.bucket_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${each.value}-compute@developer.gserviceaccount.com"
}
	locals {
	project_ids = [123456789012, 234567890123, 345678901234]
	bucket_region = "us"
	bucket_project = "something-123456"
	bucket_name = "${local.bucket_region}.artifacts.${local.bucket_project}.appspot.com"
	}

	# Allow Cloud Build in every other project access to GCR images hosted in the central project
	resource "google_storage_bucket_iam_member" "container_registry" {
	for_each = var.project_ids

	bucket = local.bucket_name
	role = "roles/storage.objectViewer"
	member = "serviceAccount:${each.value}@cloudbuild.gserviceaccount.com"
	}

	# Allow GCE/GKE in every other project access to GCR images hosted in the central project
	resource "google_storage_bucket_iam_member" "container_registry" {
	for_each = var.project_ids

	bucket = local.bucket_name
	role = "roles/storage.objectViewer"
	member = "serviceAccount:${each.value}-compute@developer.gserviceaccount.com"
	}