Do not require private AR repo

joecorall · joecorall · commit fafd5856fd2c · 2026-03-17T16:48:32.000-04:00
diff --git a/README.md b/README.md
@@ -68,6 +68,8 @@ Deploy a docker compose project to a Google Cloud Compute Instance.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project ID | `string` | n/a | yes |
 | <a name="input_project_number"></a> [project\_number](#input\_project\_number) | The GCP project number | `string` | n/a | yes |
 | <a name="input_allowed_ips"></a> [allowed\_ips](#input\_allowed\_ips) | CIDR IP Addresses allowed to turn on this site's GCP instance | `list(string)` | `[]` | no |
+| <a name="input_artifact_registry_location"></a> [artifact\_registry\_location](#input\_artifact\_registry\_location) | Artifact Registry location for var.artifact\_registry\_repository. | `string` | `"us"` | no |
+| <a name="input_artifact_registry_repository"></a> [artifact\_registry\_repository](#input\_artifact\_registry\_repository) | Optional Artifact Registry repository name to grant the VM service account reader access to. Leave empty to skip creating the IAM binding. | `string` | `""` | no |
 | <a name="input_allowed_ssh_ipv4"></a> [allowed\_ssh\_ipv4](#input\_allowed\_ssh\_ipv4) | CIDR IPv4 Addresses allowed to to SSH into this site's GCP instance | `list(string)` | `[]` | no |
 | <a name="input_allowed_ssh_ipv6"></a> [allowed\_ssh\_ipv6](#input\_allowed\_ssh\_ipv6) | CIDR IPv6 Addresses allowed to SSH into this site's GCP instance | `list(string)` | `[]` | no |
 | <a name="input_disk_size_gb"></a> [disk\_size\_gb](#input\_disk\_size\_gb) | Data disk size in GB | `number` | `50` | no |
diff --git a/main.tf b/main.tf
@@ -122,9 +122,10 @@ resource "google_service_account" "cloud-compose" {
 
 # docker pull app images
 resource "google_artifact_registry_repository_iam_member" "private-policy-cloud-compose" {
+  count      = var.artifact_registry_repository != "" ? 1 : 0
   project    = var.project_id
-  location   = "us"
-  repository = "private"
+  location   = var.artifact_registry_location
+  repository = var.artifact_registry_repository
   role       = "roles/artifactregistry.reader"
   member     = "serviceAccount:${google_service_account.cloud-compose.email}"
 }
diff --git a/variables.tf b/variables.tf
@@ -173,3 +173,15 @@ variable "initcmd" {
   default     = []
   description = "Commands to run before /home/cloud-compose/run.sh"
 }
+
+variable "artifact_registry_repository" {
+  type        = string
+  default     = ""
+  description = "Optional Artifact Registry repository name to grant the VM service account reader access to. Leave empty to skip creating the IAM binding."
+}
+
+variable "artifact_registry_location" {
+  type        = string
+  default     = "us"
+  description = "Artifact Registry location for var.artifact_registry_repository."
+}
