Fix KMS service agent when universe is set (#2920)

* propose the changes to the service agent config agent * Fix formatting * Fix typo --------- Co-authored-by: Julio Castillo <jccb@google.com>
2025-02-21 15:59:48 +01:00
parent 1abfa69ccc
commit 16727ded25
1 changed files with 10 additions and 3 deletions
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -37,9 +37,16 @@ locals {
      for agent in lookup(local._service_agents_by_api, api, []) :
      (agent.name) => merge(agent, {
        email = (
-          var.universe == null || api != "cloudservices"
-          ? templatestring(agent.identity, { project_number = local.project.number, universe_domain = local._universe_domain })
-          : format("%s@cloudservices.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
+          # If universe variable is set, enfore the use of the service-PROJECT_NUMBER@gcp-sa-ekms.UNVIVERSE-system.iam.gserviceaccount.com
+          # instead of service-PROJECT_NUMBER@gcp-sa-kms.UNVIVERSE-system.iam.gserviceaccount.com
+          # as in the TPC universes, the partner KMS is enforced by design
+          var.universe != null && api == "cloudkms.googleapis.com"
+          ? format("service-%s@gcp-sa-ekms.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
+          : (
+            var.universe == null || api != "cloudservices"
+            ? templatestring(agent.identity, { project_number = local.project.number, universe_domain = local._universe_domain })
+            : format("%s@cloudservices.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
+          )
        )
      })
    }