google_bigquery_routine missing ability to configure `EXTERNAL SECURITY INVOKER` mode

[eastlondoner]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

The google_bigquery_routine does not have a way to set the INVOKER security mode that is described here: https://cloud.google.com/bigquery/docs/spark-procedures#use_a_custom_service_account

Without this set it's not possible to call the procedure using a custom service account. When calling with a custom service account the following error is encountered:

Invalid input during Spark procedure invocation. Custom service account is only allowed for Spark procedure in INVOKER security mode.

it would be great to add the ability to set this security mode on the google_bigquery_routine resource.

It may be that the REST API is missing the ability to set this property, I cannot see any mention of it in the REST docs https://cloud.google.com/bigquery/docs/reference/rest/v2/routines#Routine

New or Affected Resource(s)

• google_bigquery_routine

Potential Terraform Configuration

resource "google_bigquery_routine" "sproc" {
  ...
  external_security = "INVOKER"
}

References

No response

b/362278269