terraform-google-project-factory
Datastream API is not supported in module shared_vpc_access
TL;DR
When I create a project with datastream.googleapis.com in activate_apis, the shared_vpc_access module tries to grant roles/compute.networkAdmin using the resource google_project_iam_member "datastream_network_admin". However, enabling the datastream.googleapis.com API does not create the service account sa-datastream, so I encounter an error.

According to the documentation (https://cloud.google.com/datastream/docs/create-a-private-connectivity-configuration#shared-vpc), Datastream service accounts are created when you perform one of the following:
- You create a Datastream resource, such as a connection profile or a stream.
- You create a private connectivity configuration, select your shared VPC and click Create Datastream Service Account. The service account is created in the host project.
Expected behavior
The shared_vpc_access module grants the networkAdmin role to the Datastream service account.
Observed behavior
Error: service account doesn't exist
Terraform Configuration
module "project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "15.0.0"

  name            = join("-", [local.lbu, local.env, local.stage, local.appref])
  org_id          = local.org_id
  folder_id       = local.folder_id
  billing_account = local.billing_account_id
  labels          = local.labels

  svpc_host_project_id = local.infra_project_id
  shared_vpc_subnets   = [for name, net in module.shared_vpc.subnets : net.id]

  disable_services_on_destroy = false
  random_project_id           = true
  activate_apis               = ["datastream.googleapis.com"]

  grant_services_security_admin_role = local.is_cluster # role granted to GKE service account

  depends_on = [module.shared_vpc]
}
Terraform Version
1.6.4
TPG google 5.22
TPG google-beta 5.22
Additional information
No response
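The following is an added example, not code from terraform-google-project-factory and not part of the issue author's configuration. It shows one way to make the networkAdmin grant robust to the behaviour described in the issue: instead of relying on API enablement to create the Datastream service agent, the configuration provisions the service identity explicitly with the google-beta resource google_project_service_identity and takes the member email from that resource, so the IAM binding never references a principal that does not exist yet. It assumes that google_project_service_identity can generate the identity for datastream.googleapis.com (the same operation as gcloud beta services identity create --service=datastream.googleapis.com), and the locals service_project_id and host_project_id are placeholders for the service project created by project-factory and the shared VPC host project.

```hcl
# Added example; not code from terraform-google-project-factory or from the issue.
# Assumptions:
#   - google_project_service_identity (google-beta) can create the Datastream
#     service agent for datastream.googleapis.com.
#   - local.service_project_id / local.host_project_id are placeholders.

terraform {
  required_providers {
    google      = { source = "hashicorp/google" }
    google-beta = { source = "hashicorp/google-beta" }
  }
}

# Enabling the API on its own does not create the service agent, which is why
# a binding that only waits on this resource fails with "service account doesn't exist".
resource "google_project_service" "datastream" {
  project            = local.service_project_id
  service            = "datastream.googleapis.com"
  disable_on_destroy = false
}

# Provision the service agent explicitly so the principal exists before any grant.
resource "google_project_service_identity" "datastream" {
  provider   = google-beta
  project    = local.service_project_id
  service    = "datastream.googleapis.com"
  depends_on = [google_project_service.datastream]
}

# Grant on the shared VPC host project. The member is taken from the service
# identity resource rather than built by hand, and depends_on serialises the
# binding behind the identity's creation.
resource "google_project_iam_member" "datastream_network_admin" {
  project    = local.host_project_id
  role       = "roles/compute.networkAdmin"
  member     = "serviceAccount:${google_project_service_identity.datastream.email}"
  depends_on = [google_project_service_identity.datastream]
}
```

The imperative equivalent for a one-off check before terraform apply is gcloud beta services identity create --service=datastream.googleapis.com --project=SERVICE_PROJECT, which prints the service agent email that the binding above expects. Note that roles/compute.networkAdmin is a broad role; it is what the shared_vpc_access module grants today, but if only a subset of Datastream's private connectivity needs apply, review whether a narrower role satisfies them before binding on the host project.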