lox/main.tf

## main.tf
// See https://cloud.namespace.so/docs/federation/gcp

locals {
  roles = [
    "roles/resourcemanager.projectIamAdmin", # allow managing identity
    "roles/editor",                          # allow to manage all resources
    "roles/iam.serviceAccountAdmin",         # allow to manage service accounts
  ]
}

resource "google_service_account" "namespace" {
  project      = google_project.default.project_id
  account_id   = "namespace"
  display_name = "namespace"
  description  = "Link to Workload Identity Pool used by Namespace"
}

# Allow to access all resources and key projects
resource "google_project_iam_member" "roles" {
  project = google_project.default.project_id
  for_each = {
    for role in local.roles : role => role
  }
  role   = each.value
  member = "serviceAccount:${google_service_account.namespace.email}"
}

resource "google_project_iam_member" "project_owner" {
  project = google_project.default.project_id
  role    = "roles/owner"
  member  = "serviceAccount:${google_service_account.namespace.email}"
}

resource "google_iam_workload_identity_pool" "namespace" {
  provider                  = google-beta
  project                   = google_project.default.project_id
  workload_identity_pool_id = "namespace"
  display_name              = "namespace"
  description               = "for Namespace"
}

resource "google_iam_workload_identity_pool_provider" "namespace" {
  provider                           = google-beta
  project                            = google_project.default.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.namespace.workload_identity_pool_id
  workload_identity_pool_provider_id = "namespace-provider"
  display_name                       = "namespace provider"
  description                        = "OIDC identity pool provider for Namespace"

  # See https://cloud.namespace.so/docs/federation/gcp#creating-workload-identity-pool-and-provider
  attribute_mapping = {
    "google.subject" = "assertion.tenant_id"
  }

  oidc {
    issuer_uri = "https://federation.namespaceapis.com"
  }
}

resource "google_service_account_iam_member" "namespace" {
  service_account_id = google_service_account.namespace.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.namespace.name}/subject/${var.namespace_tenant_id}"
}
	// See https://cloud.namespace.so/docs/federation/gcp

	locals {
	roles = [
	"roles/resourcemanager.projectIamAdmin", # allow managing identity
	"roles/editor", # allow to manage all resources
	"roles/iam.serviceAccountAdmin", # allow to manage service accounts
	]
	}

	resource "google_service_account" "namespace" {
	project = google_project.default.project_id
	account_id = "namespace"
	display_name = "namespace"
	description = "Link to Workload Identity Pool used by Namespace"
	}

	# Allow to access all resources and key projects
	resource "google_project_iam_member" "roles" {
	project = google_project.default.project_id
	for_each = {
	for role in local.roles : role => role
	}
	role = each.value
	member = "serviceAccount:${google_service_account.namespace.email}"
	}

	resource "google_project_iam_member" "project_owner" {
	project = google_project.default.project_id
	role = "roles/owner"
	member = "serviceAccount:${google_service_account.namespace.email}"
	}

	resource "google_iam_workload_identity_pool" "namespace" {
	provider = google-beta
	project = google_project.default.project_id
	workload_identity_pool_id = "namespace"
	display_name = "namespace"
	description = "for Namespace"
	}

	resource "google_iam_workload_identity_pool_provider" "namespace" {
	provider = google-beta
	project = google_project.default.project_id
	workload_identity_pool_id = google_iam_workload_identity_pool.namespace.workload_identity_pool_id
	workload_identity_pool_provider_id = "namespace-provider"
	display_name = "namespace provider"
	description = "OIDC identity pool provider for Namespace"

	# See https://cloud.namespace.so/docs/federation/gcp#creating-workload-identity-pool-and-provider
	attribute_mapping = {
	"google.subject" = "assertion.tenant_id"
	}

	oidc {
	issuer_uri = "https://federation.namespaceapis.com"
	}
	}

	resource "google_service_account_iam_member" "namespace" {
	service_account_id = google_service_account.namespace.name
	role = "roles/iam.workloadIdentityUser"
	member = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.namespace.name}/subject/${var.namespace_tenant_id}"
	}