Support non default service accounts for AppEngine Flex

[ranjithkumar-glean]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Currently there is no field for providing user managed/non default service account in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_flexible_app_version. Would be great if we can add support for non default service account like https://cloud.google.com/sdk/gcloud/reference/app/deploy#--service-account. This is blocking our development.

New or Affected Resource(s)

• app_engine_flexible_app_version

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

want terraform configuration to contain an optional service_account attribute, with default as default appengine service account.

References

• New field in the API documentation : https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions#Version.FIELDS.service_account

[edwardsPaul421]

I opened the same issue: https://github.com/hashicorp/terraform-provider-google/issues/11596 Would be really happy if you add this feature, also blocking our development...

In addition, as you can see: https://cloud.google.com/appengine/docs/flexible/nodejs/user-managed-service-accounts user managed service has moved from preview to stable version in 2022-06-06

[SarahFrench]

Hi all! I had a look into this and it looks like you can only set a non-default service account via the gcloud CLI (as linked above in this PR), and the API doesn't have the ability to set non-default service accounts yet - REST API reference here. What we can manage in the provider is limited by what is exposed by the API.

Do either of you have a workaround for this issue? I saw that the service account can be specified in app.yaml - does this help?

[edwardsPaul421]

Hi all! I had a look into this and it looks like you can only set a non-default service account via the gcloud CLI (as linked above in this PR), and the API doesn't have the ability to set non-default service accounts yet - REST API reference here. What we can manage in the provider is limited by what is exposed by the API.

Do either of you have a workaround for this issue? I saw that the service account can be specified in app.yaml - does this help?

Hey Sarah, I have been trying to use the app_yaml_path flag and to specify the service account in it. But unfortunately, It didn't work for me (Maybe I used it wrong), but non of the configuration that I wrote in the .yaml file was applied.

[SarahFrench]

Just to follow this up - I went back to look at the API documentation and it appears that the page was updated on 2022-07-27 and now lists serviceAccount as something that can be set via the API 🎉

[edwardsPaul421]

Just to follow this up - I went back to look at the API documentation and it appears that the page was updated on 2022-07-27 and now lists serviceAccount as something that can be set via the API tada

@rileykarson Could you please add it to the backlog? I'm sure it will help a lot of people.

[ranjithkumar-glean]

@SarahFrench i opened a PR to fix this https://github.com/GoogleCloudPlatform/magic-modules/pull/6391. first PR, so not really sure on the workflow. Can you take a look?

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.