# Dedicated service account for one Cloud Run Job in one environment.
# A per-job, per-environment identity keeps IAM grants and audit-log entries
# attributable to a single workload.
resource "google_service_account" "job_sa" {
  project = var.project_id

  # Service account IDs must be 6-30 characters (lowercase letters, digits,
  # hyphens). The "sa-" prefix and separator already take 4 of them.
  # NOTE(review): no length validation on var.job_name / var.env_name is
  # visible here -- confirm the variables are constrained, otherwise a long
  # name will fail at apply time.
  account_id = "sa-${var.job_name}-${var.env_name}"

  display_name = "Cloud Run Job Service Account for ${var.job_name} in ${var.env_name} environment"
  description  = "Cloud Run Job Service Account for ${var.job_name} in ${var.env_name} environment"
}

# IAM role assignment
# Grants the permission intended for Cloud Run Job execution.
#
# google_project_iam_member is additive (non-authoritative): it adds this one
# member to the role and leaves other bindings on the project untouched.
#
# NOTE(review): this binding is made at PROJECT scope, so the service account
# receives roles/run.invoker on every Cloud Run service and job in
# var.project_id, not only on the job it was created for. If this identity is
# compromised, it can invoke any of them. If the grant is needed at all,
# prefer binding it on the specific job resource (for example with
# google_cloud_run_v2_job_iam_member). How this account is attached to the job
# is not visible here -- confirm whether it is the job's runtime identity or a
# caller that triggers the job, since only the latter needs an invoker role.
resource "google_project_iam_member" "run_job_invoker" {
  project = var.project_id
  member  = "serviceAccount:${google_service_account.job_sa.email}"
  role    = "roles/run.invoker"
}