Avoid tag binding permadiffs for project-factory service accounts (#4006)

* Avoid tag binding permadiffs for service accounts created by project-factory

* Regenerate schema docs

modules/iam-service-account/main.tf

@@ -101,6 +101,6 @@ resource "google_service_account" "service_account" {
 
 resource "google_tags_tag_binding" "binding" {
   for_each  = local.tag_bindings
-  parent    = "//iam.googleapis.com/projects/${coalesce(var.project_number, var.project_id)}/serviceAccounts/${local.service_account.unique_id}"
+  parent    = "//iam.googleapis.com/projects/${coalesce(var.project_number, local.project_id)}/serviceAccounts/${local.service_account.unique_id}"
   tag_value = templatestring(local._tag_bindings[each.key], var.context.tag_vars)
 }

modules/project-factory/README.md

@@ -968,7 +968,7 @@ module "project-factory" {
     basepath = "data"
   }
 }
-# tftest modules=7 resources=31 files=test-0,test-1,test-2 inventory=test-1.yaml
+# tftest modules=10 resources=36 files=test-0,test-1,test-2 inventory=test-1.yaml
 ```
 
 ```yaml
@@ -995,6 +995,16 @@ tags:
           roles/resourcemanager.tagUser:
             - $iam_principals:tag-test
             - $iam_principals:service_accounts/test-1/tag-test
+service_accounts:
+  tag-test:
+    tag_bindings:
+      project-level: $tag_values:test-0/context/project-factory
+automation:
+  project: test-0
+  service_accounts:
+    auto-tag-test:
+      tag_bindings:
+        project-level: $tag_values:test-0/context/project-factory
 # tftest-file id=test-0 path=data/projects/test-0.yaml
 ```
 

modules/project-factory/automation.tf

@@ -126,9 +126,18 @@ module "automation-bucket" {
 }
 
 module "automation-service-accounts" {
-  source      = "../iam-service-account"
-  for_each    = local.automation_sas
-  project_id  = each.value.automation_project
+  source     = "../iam-service-account"
+  for_each   = local.automation_sas
+  project_id = each.value.automation_project
+  project_number = (
+    each.value.automation_project == null
+    ? null
+    : lookup(
+      local.ctx_project_numbers,
+      trimprefix(each.value.automation_project, "$project_ids:"),
+      null
+    )
+  )
   prefix      = each.value.prefix
   name        = each.value.name
   description = lookup(each.value, "description", null)
@@ -143,6 +152,11 @@ module "automation-service-accounts" {
       local.ctx.iam_principals,
       local.projects_sas_iam_emails
     )
+    tag_vars = {
+      projects     = merge(try(local.ctx.tag_vars.projects, {}), local.tag_vars_projects)
+      organization = try(local.ctx.tag_vars.organization, {})
+    }
+    tag_values = local.ctx_tag_values
   })
   iam                    = lookup(each.value, "iam", {})
   iam_bindings           = lookup(each.value, "iam_bindings", {})
@@ -154,6 +168,7 @@ module "automation-service-accounts" {
   # iam_sa_roles           = lookup(each.value, "iam_sa_roles", {})
   # we don't interpolate buckets here as we can't use a dynamic key
   iam_storage_roles = lookup(each.value, "iam_storage_roles", {})
+  tag_bindings      = lookup(each.value, "tag_bindings", {})
 }
 
 module "automation-service-accounts-iam" {

modules/project-factory/projects-service-accounts.tf

@@ -80,10 +80,11 @@ module "service-accounts" {
     for k in local.projects_service_accounts :
     "${k.project_key}/${k.name}" => k
   }
-  project_id   = module.projects[each.value.project_key].project_id
-  name         = each.value.name
-  description  = each.value.description
-  display_name = each.value.display_name
+  project_id     = module.projects[each.value.project_key].project_id
+  project_number = module.projects[each.value.project_key].number
+  name           = each.value.name
+  description    = each.value.description
+  display_name   = each.value.display_name
   context = merge(local.ctx, {
     tag_vars = {
       projects     = merge(try(local.ctx.tag_vars.projects, {}), local.tag_vars_projects)

modules/project-factory/schemas/folder.schema.json

@@ -165,6 +165,9 @@
                 },
                 "iam_storage_roles": {
                   "$ref": "#/$defs/iam_storage_roles"
+                },
+                "tag_bindings": {
+                  "$ref": "#/$defs/tag_bindings"
                 }
               }
             }

modules/project-factory/schemas/folder.schema.md

@@ -54,6 +54,7 @@
       - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
       - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
       - **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
+      - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
 - **autokey_config**: *object*
   <br>*additional properties: false*
   - **project**: *string*

modules/project-factory/schemas/project.schema.json

@@ -146,6 +146,9 @@
                 },
                 "iam_storage_roles": {
                   "$ref": "#/$defs/iam_storage_roles"
+                },
+                "tag_bindings": {
+                  "$ref": "#/$defs/tag_bindings"
                 }
               }
             }

modules/project-factory/schemas/project.schema.md

@@ -49,6 +49,7 @@
       - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
       - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
       - **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
+      - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
 - **billing_account**: *string*
 - **billing_budgets**: *array*
   - items: *string*