From a15f97db67575e45d2496625fff7db667a8e0c7a Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 14 Feb 2025 09:06:23 +0100
Subject: [PATCH] Add universe support to iam-service-accounts (#2892)

* Make service account universe aware
* Add service account universe tests
---
 modules/iam-service-account/main.tf | 8 +++--
 tests/modules/iam_service_account/tftest.yaml | 18 ++++++++++
 .../iam_service_account/universe.tfvars | 3 ++
 .../modules/iam_service_account/universe.yaml | 34 +++++++++++++++++++
 4 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 tests/modules/iam_service_account/tftest.yaml
 create mode 100644 tests/modules/iam_service_account/universe.tfvars
 create mode 100644 tests/modules/iam_service_account/universe.yaml

diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index e8d2bd193..87d168eb9 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,7 +23,7 @@ locals {
 , {})
 name = split("@", var.name)[0]
 prefix = var.prefix == null ? "" : "${var.prefix}-"
- resource_email_static = "${local.prefix}${local.name}@${var.project_id}.iam.gserviceaccount.com"
+ resource_email_static = "${local.prefix}${local.name}@${local.sa_domain}.iam.gserviceaccount.com"
 resource_iam_email = (
 local.service_account != null
 ? "serviceAccount:${local.service_account.email}"
@@ -59,6 +59,10 @@ locals {
 : file => filebase64("${path.root}/${var.public_keys_directory}/${file}")
 } : {}
 )
+
+ universe = try(regex("^([^:]*):[a-z]", var.project_id)[0], "")
+ project_id_no_universe = element(split(":", var.project_id), 1)
+ sa_domain = join(".", compact([local.project_id_no_universe, local.universe]))
 }
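Review bot: In the `@@ -59,6 +59,10 @@` hunk, `project_id_no_universe = element(split(":", var.project_id), 1)` only yields the plain project id for a colon-free `var.project_id` because `element()` wraps its index modulo the list length (`element(["my-project"], 1)` is `"my-project"`); that is correct today but not obvious from reading and easy to break on a later edit. Making the two locals agree explicitly, `project_id_no_universe = local.universe == "" ? var.project_id : split(":", var.project_id)[1]`, also keeps `sa_domain` consistent when the `regex` does not match yet the id contains a colon, where today the universe part is dropped while the prefix before the colon is still stripped. A comment such as `# universe-prefixed project ids look like "<universe>:<project>"; the SA email domain becomes "<project>.<universe>"` would help the next reader. From the `@@ -23,7 +23,7 @@` hunk, `resource_email_static` appears to be the fallback used when `local.service_account` is null, presumably the principal string for IAM bindings when the account is not created by this module, so a wrong domain here would silently reference a non-existent principal and deserves a non-universe test as well. The enclosing `locals` block starts outside the hunk.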
diff --git a/tests/modules/iam_service_account/tftest.yaml b/tests/modules/iam_service_account/tftest.yaml
new file mode 100644
index 000000000..21821293c
--- /dev/null
+++ b/tests/modules/iam_service_account/tftest.yaml
@@ -0,0 +1,18 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/iam-service-account
+
+tests:
+ universe:
diff --git a/tests/modules/iam_service_account/universe.tfvars b/tests/modules/iam_service_account/universe.tfvars
new file mode 100644
index 000000000..57baa5291
--- /dev/null
+++ b/tests/modules/iam_service_account/universe.tfvars
@@ -0,0 +1,3 @@
+prefix = "prefix"
+project_id = "universe:my-project-id"
+name = "sa-name"
diff --git a/tests/modules/iam_service_account/universe.yaml b/tests/modules/iam_service_account/universe.yaml
new file mode 100644
index 000000000..3900c24f4
--- /dev/null
+++ b/tests/modules/iam_service_account/universe.yaml
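Review bot: The `tests:` section at the end of the `tftest.yaml` hunk declares only `universe:`, so the non-universe path of the new `sa_domain` computation, where `element(split(":", var.project_id), 1)` must fall back to the plain project id, has no pinned expectation in this test file. A second case (constructed name, e.g. `plain:`) with a tfvars file whose `project_id` contains no `:` and an expected `email` of `<prefix>-<name>@<project>.iam.gserviceaccount.com` would catch a regression in that fallback, which is what every existing non-universe caller relies on. If other test configs for this module already cover the plain case elsewhere, a short comment pointing to them would make that clear.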
@@ -0,0 +1,34 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_service_account.service_account[0]:
+ account_id: prefix-sa-name
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform-managed.
+ project: universe:my-project-id
+ timeouts: null
+
+counts:
+ google_service_account: 1
+ modules: 0
+ resources: 1
+
+outputs:
+ email: prefix-sa-name@my-project-id.universe.iam.gserviceaccount.com
+ iam_email: serviceAccount:prefix-sa-name@my-project-id.universe.iam.gserviceaccount.com
+ id: projects/universe:my-project-id/serviceAccounts/prefix-sa-name@my-project-id.universe.iam.gserviceaccount.com
+ name: projects/universe:my-project-id/serviceAccounts/prefix-sa-name@my-project-id.universe.iam.gserviceaccount.com