diff --git a/fast/stages/0-org-setup/cicd-workflows.tf b/fast/stages/0-org-setup/cicd-workflows.tf
index 16806275e..f87aa990a 100644
--- a/fast/stages/0-org-setup/cicd-workflows.tf
+++ b/fast/stages/0-org-setup/cicd-workflows.tf
@@ -103,6 +103,7 @@ module "cicd-sa-apply" {
name = each.value.service_accounts.apply
service_account_reuse = {
use_data_source = false
+ universe = try(local.project_defaults.overrides.universe, null)
}
iam = {
"roles/iam.workloadIdentityUser" = (
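Review bot: The `try(local.project_defaults.overrides.universe, null)` on the added line swallows every failure along that attribute path, so a typo in `overrides.universe` (or an override defined as a bare string rather than the `{ prefix = string }` object the module variable declares) degrades silently to `null`, and the module then derives the universe from the project id alone and builds a different service account id for the `roles/iam.workloadIdentityUser` binding that follows. If `local.project_defaults.overrides` is always present (cannot be confirmed from this hunk), `universe = lookup(local.project_defaults.overrides, "universe", null)` keeps the absent-attribute default while making a wrong path fail at plan time; otherwise a `precondition` asserting the value is `null` or has a `prefix` attribute would serve. The same pattern is repeated in the `cicd-sa-plan` hunk below and should be treated the same way. The `module "cicd-sa-apply"` block starts and ends outside this hunk.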
@@ -132,6 +133,7 @@ module "cicd-sa-plan" {
name = each.value.service_accounts.plan
service_account_reuse = {
use_data_source = false
+ universe = try(local.project_defaults.overrides.universe, null)
}
iam = {
"roles/iam.workloadIdentityUser" = [
diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index 8df4621ff..3befecf07 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -170,8 +170,8 @@ module "service-account-with-tags" {
| [prefix](variables.tf#L64) | Prefix applied to service account names. | string | | null |
| [project_id](variables.tf#L75) | Project id where service account will be created. This can be left null when reusing service accounts. | string | | null |
| [project_number](variables.tf#L89) | Project number of var.project_id. Set this to avoid permadiffs when creating tag bindings. This can be left null when reusing service accounts and tags are not used. | string | | null |
-| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | object({…}) | | null |
-| [tag_bindings](variables.tf#L109) | Tag bindings for this service accounts, in key => tag value id format. | map(string) | | {} |
+| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | object({…}) | | null |
+| [tag_bindings](variables.tf#L112) | Tag bindings for this service accounts, in key => tag value id format. | map(string) | | {} |
## Outputs
diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index 737e7d13f..3f61fe377 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -42,7 +42,7 @@ locals {
)
static_iam_email = "serviceAccount:${local.static_email}"
static_id = (
- "projects/${local.project_id}/serviceAccounts/${local.static_email}"
+ "projects/${local.project_id_universe}/serviceAccounts/${local.static_email}"
)
service_account = (
local.use_data_source
@@ -50,11 +50,21 @@ locals {
: try(google_service_account.service_account[0], null)
)
# universe-related locals
- universe = try(regex("^([^:]*):[a-z]", local.project_id)[0], "")
+ universe = try(
+ regex("^([^:]*):[a-z]", local.project_id)[0],
+ var.service_account_reuse.universe.prefix,
+ ""
+ )
use_data_source = (
try(var.service_account_reuse.use_data_source, null) == true
)
project_id_no_universe = element(split(":", local.project_id), 1)
+ # reassemble project id for cases where we are reusing service account
+ project_id_universe = (
+ local.universe == ""
+ ? local.project_id
+ : "${local.universe}:${local.project_id_no_universe}"
+ )
sa_domain = join(".", compact([
local.project_id_no_universe, local.universe
]))
diff --git a/modules/iam-service-account/variables.tf b/modules/iam-service-account/variables.tf
index eac757aae..6577fb91d 100644
--- a/modules/iam-service-account/variables.tf
+++ b/modules/iam-service-account/variables.tf
@@ -101,6 +101,9 @@ variable "service_account_reuse" {
project_number = number
unique_id = string
}))
+ universe = optional(object({
+ prefix = string
+ }))
})
nullable = true
default = null
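Review bot: The added `universe.prefix` attribute is accepted with no validation, yet `main.tf` splices it verbatim into `"${local.universe}:${local.project_id_no_universe}"` and into the service account domain, so a prefix containing `:` or whitespace produces a malformed `projects/…/serviceAccounts/…` id that is only noticed at apply time. A `validation` block on this variable would catch that at plan time; it belongs after `default = null`, inside the `variable "service_account_reuse"` block whose opening and closing lines are outside this hunk. The variable's `description` (also outside the hunk) still does not mention the new attribute; a sentence such as `Universe prefix can be set when project_id does not carry one, to derive the service account domain and id.` would keep the generated README accurate.
```terraform
  default = null
  validation {
    condition = (
      try(var.service_account_reuse.universe, null) == null ||
      can(regex("^[^:\\s]+$", var.service_account_reuse.universe.prefix))
    )
    error_message = "service_account_reuse.universe.prefix must be a non-empty string without ':' or whitespace."
  }
```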