Fix domains of default service accounts when universe is present (#3670)

2026-01-23 15:11:17 +01:00
parent 1e82683b15
commit 8dde9fe773
4 changed files with 44 additions and 30 deletions
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -2267,27 +2267,27 @@ module "project" {
 | [custom_role_id](outputs.tf#L33) | Map of custom role IDs created in the project. |  |
 | [custom_roles](outputs.tf#L38) | Map of custom roles resources created in the project. |  |
 | [default_service_accounts](outputs.tf#L43) | Emails of the default service accounts for this project. |  |
-| [id](outputs.tf#L51) | Project id. |  |
-| [kms_autokeys](outputs.tf#L69) | KMS Autokey key ids. |  |
-| [name](outputs.tf#L76) | Project name. |  |
-| [network_tag_keys](outputs.tf#L88) | Tag key resources. |  |
-| [network_tag_values](outputs.tf#L97) | Tag value resources. |  |
-| [notification_channel_names](outputs.tf#L105) | Notification channel names. |  |
-| [notification_channels](outputs.tf#L113) | Full notification channel objects. |  |
-| [number](outputs.tf#L118) | Project number. |  |
-| [organization_policies_ids](outputs.tf#L133) | Map of ORGANIZATION_POLICIES => ID in the organization. |  |
-| [project_id](outputs.tf#L140) | Project id. |  |
-| [quota_configs](outputs.tf#L158) | Quota configurations. |  |
-| [quotas](outputs.tf#L169) | Quota resources. |  |
-| [scc_custom_sha_modules_ids](outputs.tf#L174) | Map of SCC CUSTOM SHA MODULES => ID in the project. |  |
-| [service_agents](outputs.tf#L179) | List of all (active) service agents for this project. |  |
-| [services](outputs.tf#L188) | Service APIs to enable in the project. |  |
-| [sink_writer_identities](outputs.tf#L197) | Writer identities created for each sink. |  |
-| [tag_keys](outputs.tf#L204) | Tag key resources. |  |
-| [tag_values](outputs.tf#L213) | Tag value resources. |  |
-| [workload_identity_pool_ids](outputs.tf#L221) | Workload identity provider ids. |  |
-| [workload_identity_provider_ids](outputs.tf#L228) | Workload identity provider attributes. |  |
-| [workload_identity_providers](outputs.tf#L236) | Workload identity provider attributes. |  |
+| [id](outputs.tf#L48) | Project id. |  |
+| [kms_autokeys](outputs.tf#L66) | KMS Autokey key ids. |  |
+| [name](outputs.tf#L73) | Project name. |  |
+| [network_tag_keys](outputs.tf#L85) | Tag key resources. |  |
+| [network_tag_values](outputs.tf#L94) | Tag value resources. |  |
+| [notification_channel_names](outputs.tf#L102) | Notification channel names. |  |
+| [notification_channels](outputs.tf#L110) | Full notification channel objects. |  |
+| [number](outputs.tf#L115) | Project number. |  |
+| [organization_policies_ids](outputs.tf#L130) | Map of ORGANIZATION_POLICIES => ID in the organization. |  |
+| [project_id](outputs.tf#L137) | Project id. |  |
+| [quota_configs](outputs.tf#L155) | Quota configurations. |  |
+| [quotas](outputs.tf#L166) | Quota resources. |  |
+| [scc_custom_sha_modules_ids](outputs.tf#L171) | Map of SCC CUSTOM SHA MODULES => ID in the project. |  |
+| [service_agents](outputs.tf#L176) | List of all (active) service agents for this project. |  |
+| [services](outputs.tf#L185) | Service APIs to enable in the project. |  |
+| [sink_writer_identities](outputs.tf#L194) | Writer identities created for each sink. |  |
+| [tag_keys](outputs.tf#L201) | Tag key resources. |  |
+| [tag_values](outputs.tf#L210) | Tag value resources. |  |
+| [workload_identity_pool_ids](outputs.tf#L218) | Workload identity provider ids. |  |
+| [workload_identity_provider_ids](outputs.tf#L225) | Workload identity provider attributes. |  |
+| [workload_identity_providers](outputs.tf#L233) | Workload identity provider attributes. |  |

 ## Fixtures

--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -42,10 +42,7 @@ output "custom_roles" {

 output "default_service_accounts" {
  description = "Emails of the default service accounts for this project."
-  value = {
-    compute = "${local.project.number}-compute@developer.gserviceaccount.com"
-    gae     = "${local.project.project_id}@appspot.gserviceaccount.com"
-  }
+  value       = local.default_service_accounts
 }

 output "id" {
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -125,6 +125,23 @@ locals {
      try(var.project_reuse.attributes.services_enabled, [])
    )) : s if !contains(local._u_unavailable_si, s)
  ]
+
+
+  default_service_accounts = (
+    var.universe == null
+    ? {
+      compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+      gae     = "${local.project.project_id}@appspot.gserviceaccount.com"
+    }
+    : {
+      compute = "${local.project.number}-compute@developer.${local._u_domain}iam.gserviceaccount.com"
+      gae = format(
+        "%s@appspot.%siam.gserviceaccount.com",
+        trimprefix(local.project.project_id, "${var.universe.prefix}:"),
+        local._u_domain
+      )
+    }
+  )
 }

 data "google_storage_project_service_account" "gcs_sa" {