# Google provider with no explicit configuration. Credentials and a default
# project are therefore taken from the environment (for example Application
# Default Credentials or GOOGLE_APPLICATION_CREDENTIALS), and every resource
# below passes its project explicitly via var.gcp_project_id.
# NOTE(review): no terraform { required_providers { ... } } block is visible in
# this file, so the provider version is unpinned; `terraform init` will take the
# newest release. A version constraint on hashicorp/google keeps the
# provider from changing underneath this config.
provider "google" {
}

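# Project that owns the service account and receives the IAM binding.
# Declared as a string so a project *number* or other type is rejected early,
# and a blank value fails at plan time instead of at apply time.
variable "gcp_project_id" {
  description = "Enter your Google Cloud Platform Project ID (it tends to be a hyphenated string)"
  type        = string

  validation {
    # Only check non-emptiness: legacy domain-scoped project IDs
    # (e.g. "example.com:my-project") do not match the simple hyphenated form,
    # so a stricter pattern would reject valid projects.
    condition     = length(trimspace(var.gcp_project_id)) > 0
    error_message = "gcp_project_id must be a non-empty Google Cloud project ID."
  }
}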

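# account_id for the new service account (the part of its e-mail address
# before the "@"). Validated against the constraints the google provider
# documents for google_service_account.account_id: 6-30 characters matching
# [a-z]([-a-z0-9]*[a-z0-9]), so a bad name fails at plan time rather than
# after the provider has already started creating resources.
variable "account_name" {
  description = "Enter a username for the new Service Account (eg tfstate-account)"
  type        = string

  validation {
    condition = (
      length(var.account_name) >= 6 &&
      length(var.account_name) <= 30 &&
      can(regex("^[a-z]([-a-z0-9]*[a-z0-9])$", var.account_name))
    )
    error_message = "account_name must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits and hyphens, and not end with a hyphen."
  }
}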

# The identity tfstate.com will authenticate as. The account_id comes from
# var.account_name; the project is set explicitly rather than inherited from
# the (unconfigured) provider.
resource "google_service_account" "main" {
  account_id   = var.account_name
  display_name = "tfstate.com Service Account"
  description  = "Service account to allow tfstate.com to run scans"
  project      = var.gcp_project_id
}

# Bind the service account to roles/browser (Project Browser), a read-only
# role for browsing the project hierarchy. google_project_iam_member is
# non-authoritative: it adds this single binding and leaves the project's
# other IAM bindings untouched, so it cannot lock other principals out.
resource "google_project_iam_member" "main" {
  member  = format("serviceAccount:%s", google_service_account.main.email)
  role    = "roles/browser"
  project = var.gcp_project_id
}

# Create a user-managed key for the service account. Google returns the private
# key material only at creation time and Terraform keeps it in state, so the
# state backend must be treated as holding a live, long-lived credential
# (encrypt it at rest and restrict who can read it). Nothing here rotates the
# key: it is valid until this resource is destroyed. A `keepers` map on this
# resource can be used to force a new key to be generated on demand.
resource "google_service_account_key" "main" {
  service_account_id = google_service_account.main.id
}

# The decoded JSON key file for the new service account, ready to hand to
# tfstate.com. `sensitive = true` only redacts the value in plan/apply output:
# it is still stored in plaintext in state and is printed by
# `terraform output -raw service_account_key_json`, so anyone who can read the
# state or the outputs holds this credential.
output "service_account_key_json" {
  value     = base64decode(google_service_account_key.main.private_key)
  sensitive = true
}
