
Add member attribute to all service account resources/data source

Open joe-a-t opened this issue 3 years ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Right now, all service account resources and data sources have email_address attributes. However, granting any IAM permissions requires adding a serviceAccount: prefix to the email address. This results in a TON of places where people are manually doing things like

members = [
  "serviceAccount:${google_service_account.foo.email}",
]

or constructing the email themselves, because the email is not determined until the service account has actually been created. This makes it very hard to do a for_each over a list of members, since you cannot for_each over an undetermined list; you would have to first do an apply to create the service account, then have a separate PR to grant the IAM permissions.

What I am proposing is to add a member attribute, the value of which would be serviceAccount:${google_service_account.foo.email} but would be known at plan time (which should be doable since the service accounts have a very formulaic email address construction).

Additionally, I would ask that the new member attribute be added to all data sources that represent service accounts. A large percentage of the time that people are using the service account data sources like storage_project_service_account, they are getting that data source in order to grant IAM permissions and as such they then need to add the serviceAccount: prefix, as your examples show. This could all be simplified and DRYed up for everyone if they could use .member instead.

New or Affected Resource(s)

  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account
  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/app_engine_default_service_account
  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/bigquery_default_service_account
  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account
  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/storage_project_service_account
  • https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/storage_transfer_project_service_account

Potential Terraform Configuration

members = [
  google_service_account.foo.member,
  data.google_storage_transfer_project_service_account.default.member,
]

References

  • #0000

joe-a-t · Jul 27 '22 22:07
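The plan-time problem the issue describes, and the two workarounds people reach for in the meantime, as an added example that is not part of the issue and not code from the provider or its maintainers. It assumes a `var.project_id` input and the resource names `workers`, `workers_objectviewer` and `workers_logwriter`; the formulaic address it builds (`<account_id>@<project_id>.iam.gserviceaccount.com`) is the one user-managed service accounts receive.

```hcl
# Added example: granting IAM to service accounts created in the same apply,
# without a two-step "create, then bind in a second PR" workflow.

variable "project_id" {
  type        = string
  description = "Assumed: the project that hosts the service accounts."
}

# Several service accounts keyed by a static account_id (known at plan time).
locals {
  account_ids = toset(["ci-deployer", "log-shipper"])
}

resource "google_service_account" "workers" {
  for_each   = local.account_ids
  project    = var.project_id
  account_id = each.key
}

# Problem pattern (left commented out on purpose): the set members are the
# emails, which are unknown until the accounts exist. for_each keys must be
# known at plan time, so Terraform rejects this plan because the for_each
# value depends on attributes that cannot be determined until apply.
#
# resource "google_project_iam_member" "broken" {
#   for_each = toset([for sa in google_service_account.workers : "serviceAccount:${sa.email}"])
#   project  = var.project_id
#   role     = "roles/storage.objectViewer"
#   member   = each.value
# }

# Workaround 1: keep the for_each KEY static (the account_id) and carry the
# unknown email only in the VALUE. Keys are known at plan, values may be
# unknown, so the binding is created in the same apply as the account.
resource "google_project_iam_member" "workers_objectviewer" {
  for_each = {
    for id, sa in google_service_account.workers :
    id => "serviceAccount:${sa.email}"
  }
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = each.value
}

# Workaround 2: build the member string at plan time from the formulaic
# address of a user-managed service account. This is the value a provider
# supplied `member` attribute would expose. Because nothing here references
# google_service_account.workers, add an explicit depends_on so the binding
# is not attempted before the account exists.
locals {
  worker_members = {
    for id in local.account_ids :
    id => "serviceAccount:${id}@${var.project_id}.iam.gserviceaccount.com"
  }
}

resource "google_project_iam_member" "workers_logwriter" {
  for_each   = local.worker_members
  project    = var.project_id
  role       = "roles/logging.logWriter"
  member     = each.value
  depends_on = [google_service_account.workers]
}
```

Both variants use `google_project_iam_member`, which is additive, rather than the authoritative `google_project_iam_binding` or `google_project_iam_policy`; an authoritative resource driven from a hand-built member list will remove any member it does not know about, including the default service agents that the `*_project_service_account` data sources in this issue exist to look up.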