From 0e760c30158b9db3a609ad8c88f8e8b66a3d4449 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Tue, 3 Feb 2026 19:28:57 +0100
Subject: [PATCH] fix id in service module when reusing in a universe (#3698)

---
 fast/stages/0-org-setup/cicd-workflows.tf |  2 ++
 modules/iam-service-account/README.md     |  4 ++--
 modules/iam-service-account/main.tf       | 14 ++++++++++++--
 modules/iam-service-account/variables.tf  |  3 +++
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/fast/stages/0-org-setup/cicd-workflows.tf b/fast/stages/0-org-setup/cicd-workflows.tf
index 16806275e..f87aa990a 100644
--- a/fast/stages/0-org-setup/cicd-workflows.tf
+++ b/fast/stages/0-org-setup/cicd-workflows.tf
@@ -103,6 +103,7 @@ module "cicd-sa-apply" {
   name     = each.value.service_accounts.apply
   service_account_reuse = {
     use_data_source = false
+    universe        = try(local.project_defaults.overrides.universe, null)
   }
   iam = {
     "roles/iam.workloadIdentityUser" = (
@@ -132,6 +133,7 @@ module "cicd-sa-plan" {
   name     = each.value.service_accounts.plan
   service_account_reuse = {
     use_data_source = false
+    universe        = try(local.project_defaults.overrides.universe, null)
   }
   iam = {
     "roles/iam.workloadIdentityUser" = [
diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index 8df4621ff..3befecf07 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -170,8 +170,8 @@ module "service-account-with-tags" {
 | [prefix](variables.tf#L64) | Prefix applied to service account names. | <code>string</code> |  | <code>null</code> |
 | [project_id](variables.tf#L75) | Project id where service account will be created. This can be left null when reusing service accounts. | <code>string</code> |  | <code>null</code> |
 | [project_number](variables.tf#L89) | Project number of var.project_id. Set this to avoid permadiffs when creating tag bindings. This can be left null when reusing service accounts and tags are not used. | <code>string</code> |  | <code>null</code> |
-| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | <code title="object&#40;&#123;&#10;  use_data_source &#61; optional&#40;bool, true&#41;&#10;  attributes &#61; optional&#40;object&#40;&#123;&#10;    project_number &#61; number&#10;    unique_id      &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [tag_bindings](variables.tf#L109) | Tag bindings for this service accounts, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account_reuse](variables.tf#L96) | Reuse existing service account if not null. Data source can be forced disabled if tag bindings are not used, or unique id is set. | <code title="object&#40;&#123;&#10;  use_data_source &#61; optional&#40;bool, true&#41;&#10;  attributes &#61; optional&#40;object&#40;&#123;&#10;    project_number &#61; number&#10;    unique_id      &#61; string&#10;  &#125;&#41;&#41;&#10;  universe &#61; optional&#40;object&#40;&#123;&#10;    prefix &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [tag_bindings](variables.tf#L112) | Tag bindings for this service accounts, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index 737e7d13f..3f61fe377 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -42,7 +42,7 @@ locals {
   )
   static_iam_email = "serviceAccount:${local.static_email}"
   static_id = (
-    "projects/${local.project_id}/serviceAccounts/${local.static_email}"
+    "projects/${local.project_id_universe}/serviceAccounts/${local.static_email}"
   )
   service_account = (
     local.use_data_source
@@ -50,11 +50,21 @@ locals {
     : try(google_service_account.service_account[0], null)
   )
   # universe-related locals
-  universe = try(regex("^([^:]*):[a-z]", local.project_id)[0], "")
+  universe = try(
+    regex("^([^:]*):[a-z]", local.project_id)[0],
+    var.service_account_reuse.universe.prefix,
+    ""
+  )
   use_data_source = (
     try(var.service_account_reuse.use_data_source, null) == true
   )
   project_id_no_universe = element(split(":", local.project_id), 1)
+  # reassemble project id for cases where we are reusing service account
+  project_id_universe = (
+    local.universe == ""
+    ? local.project_id
+    : "${local.universe}:${local.project_id_no_universe}"
+  )
   sa_domain = join(".", compact([
     local.project_id_no_universe, local.universe
   ]))
diff --git a/modules/iam-service-account/variables.tf b/modules/iam-service-account/variables.tf
index eac757aae..6577fb91d 100644
--- a/modules/iam-service-account/variables.tf
+++ b/modules/iam-service-account/variables.tf
@@ -101,6 +101,9 @@ variable "service_account_reuse" {
       project_number = number
       unique_id      = string
     }))
+    universe = optional(object({
+      prefix = string
+    }))
   })
   nullable = true
   default  = null