fix id in service module when reusing in a universe (#3698)
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
3e277d808a
commit
0e760c3015
@@ -103,6 +103,7 @@ module "cicd-sa-apply" {
|
||||
name = each.value.service_accounts.apply
|
||||
service_account_reuse = {
|
||||
use_data_source = false
|
||||
universe = try(local.project_defaults.overrides.universe, null)
|
||||
}
|
||||
iam = {
|
||||
"roles/iam.workloadIdentityUser" = (
|
||||
@@ -132,6 +133,7 @@ module "cicd-sa-plan" {
|
||||
name = each.value.service_accounts.plan
|
||||
service_account_reuse = {
|
||||
use_data_source = false
|
||||
universe = try(local.project_defaults.overrides.universe, null)
|
||||
}
|
||||
iam = {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
|
||||
@@ -170,8 +170,8 @@ module "service-account-with-tags" {
|
||||
| [prefix](variables.tf#L64) | Prefix applied to service account names. | <code>string</code> | | <code>null</code> |
|
||||
| [project_id](variables.tf#L75) | Project id where service account will be created. This can be left null when reusing service accounts. | <code>string</code> | | <code>null</code> |
|
||||
| [project_number](variables.tf#L89) | Project number of var.project_id. Set this to avoid permadiffs when creating tag bindings. This can be left null when reusing service accounts and tags are not used. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | <code title="object({ use_data_source = optional(bool, true) attributes = optional(object({ project_number = number unique_id = string })) })">object({…})</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L109) | Tag bindings for this service accounts, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | <code title="object({ use_data_source = optional(bool, true) attributes = optional(object({ project_number = number unique_id = string })) universe = optional(object({ prefix = string })) })">object({…})</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L112) | Tag bindings for this service accounts, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@ locals {
|
||||
)
|
||||
static_iam_email = "serviceAccount:${local.static_email}"
|
||||
static_id = (
|
||||
"projects/${local.project_id}/serviceAccounts/${local.static_email}"
|
||||
"projects/${local.project_id_universe}/serviceAccounts/${local.static_email}"
|
||||
)
|
||||
service_account = (
|
||||
local.use_data_source
|
||||
@@ -50,11 +50,21 @@ locals {
|
||||
: try(google_service_account.service_account[0], null)
|
||||
)
|
||||
# universe-related locals
|
||||
universe = try(regex("^([^:]*):[a-z]", local.project_id)[0], "")
|
||||
universe = try(
|
||||
regex("^([^:]*):[a-z]", local.project_id)[0],
|
||||
var.service_account_reuse.universe.prefix,
|
||||
""
|
||||
)
|
||||
use_data_source = (
|
||||
try(var.service_account_reuse.use_data_source, null) == true
|
||||
)
|
||||
project_id_no_universe = element(split(":", local.project_id), 1)
|
||||
# reassemble project id for cases where we are reusing service account
|
||||
project_id_universe = (
|
||||
local.universe == ""
|
||||
? local.project_id
|
||||
: "${local.universe}:${local.project_id_no_universe}"
|
||||
)
|
||||
sa_domain = join(".", compact([
|
||||
local.project_id_no_universe, local.universe
|
||||
]))
|
||||
|
||||
@@ -101,6 +101,9 @@ variable "service_account_reuse" {
|
||||
project_number = number
|
||||
unique_id = string
|
||||
}))
|
||||
universe = optional(object({
|
||||
prefix = string
|
||||
}))
|
||||
})
|
||||
nullable = true
|
||||
default = null
|
||||
|
||||
Reference in New Issue
Block a user