Description
TL;DR
In the file modules/shared_vpc_access/main.tf, lines 92 to 109 iterate over every active API service account and bind each one individually with the roles/compute.networkUser IAM role on the shared subnet.
This is causing a critical issue for us.
In our organization, we have reached the IAM policy binding limit of 1500.
As a result, all our non-prod and prod deployments are either on hold or failing.
Google support has confirmed that this is a hard limit and classified it as a feature request, with no ETA for increasing it.
Suggested Workaround (by Google): Move service accounts into a Google Group, and grant the networkUser role to the group at the shared subnet level instead of assigning it to each individual service account.
Current State:
We downloaded the project-factory code but avoid modifying it directly due to maintainability concerns.
Removing the shared subnet breaks other modules, so that workaround doesn't help.
As a temporary quick fix, we created a group and used the shared_vpc module to assign the role to the group — but again, this is not a sustainable or clean solution.
Request: Can you please provide:
An enhancement or supported fix that allows group-based assignment of networkUser instead of per-service-account bindings?
A way to implement this without breaking the dependencies or other modules in the terraform-google-project-factory suite?
This would help us — and likely others — who are running into this 1500 bindings limitation.
Terraform Resources
Detailed design
Additional information
No response
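The two binding patterns the issue contrasts, written out as an added illustration (this is not the project-factory module's own code, and the project ID, region, subnet name, service-account addresses and group address are all assumed placeholders). The first block is the shape of the per-service-account pattern the issue describes, where each active API service account becomes its own member entry on the subnet's IAM policy; the second is the group-based pattern Google suggested, where the subnet policy carries a single group member and the service accounts are added to the group instead.

```hcl
# Added example, not the terraform-google-project-factory module's code.
# All names, IDs and addresses below are placeholders (assumptions).

variable "api_service_accounts" {
  description = "Constructed sample of API service accounts in a service project."
  type        = map(string)
  default = {
    compute = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
    gke     = "serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"
    dataflow = "serviceAccount:service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com"
  }
}

# Pattern 1: one binding per service account.
# Every entry in the map becomes a separate member on the subnet's IAM policy,
# so each service project adds N members and the policy grows toward the
# 1500-binding limit the issue hit.
resource "google_compute_subnetwork_iam_member" "per_service_account" {
  for_each   = var.api_service_accounts
  project    = "host-project-id"
  region     = "us-central1"
  subnetwork = "shared-subnet"
  role       = "roles/compute.networkUser"
  member     = each.value
}

# Pattern 2: one binding for a Google Group.
# The subnet policy carries a single member regardless of how many service
# accounts need network access; growth moves to the group's membership list.
variable "network_users_group" {
  description = "Cloud Identity group resource name, e.g. groups/<group_id> (placeholder)."
  type        = string
  default     = "groups/PLACEHOLDER_GROUP_ID"
}

variable "network_users_group_email" {
  description = "Email address of the group (placeholder)."
  type        = string
  default     = "shared-vpc-network-users@example.com"
}

resource "google_compute_subnetwork_iam_member" "group" {
  project    = "host-project-id"
  region     = "us-central1"
  subnetwork = "shared-subnet"
  role       = "roles/compute.networkUser"
  member     = "group:${var.network_users_group_email}"
}

# Service accounts join the group instead of the subnet policy.
# Uses the Cloud Identity API; the group itself is assumed to exist already.
resource "google_cloud_identity_group_membership" "network_users" {
  for_each = var.api_service_accounts
  group    = var.network_users_group

  preferred_member_key {
    # Strip the IAM member prefix; Cloud Identity expects the bare address.
    id = trimprefix(each.value, "serviceAccount:")
  }

  roles {
    name = "MEMBER"
  }
}
```

With the group pattern, the group's membership list becomes the effective access-control boundary for `roles/compute.networkUser` on that subnet, so whoever can add members to the group can grant subnet access; ownership of the group and audit of membership changes are worth treating with the same care as the subnet IAM policy itself. The example also assumes the module's own per-service-account bindings are not applied alongside it, since otherwise both sets of bindings would exist and the policy would still grow per service account.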