
Breaking change in 4.1.1 - Attribute `iam_emails` returns full service account `id` / `name` instead of `account_id`

Open philippeboyd opened this issue 2 years ago • 11 comments

TL;DR

Attribute `iam_emails` returns the full service account `id` / `name` instead of `account_id` (same with the `emails` output attribute)

Expected behavior

> module.service_accounts.iam_emails
{
  "first" = "serviceAccount:prefix-first@<project_id>.iam.gserviceaccount.com"
  "second" = "serviceAccount:prefix-second@<project_id>.iam.gserviceaccount.com"
}

Observed behavior

> module.service_accounts.iam_emails
{
  "projects/<project_id>/serviceAccounts/prefix-first@<project_id>.iam.gserviceaccount.com" = "serviceAccount:prefix-first@<project_id>.iam.gserviceaccount.com"
  "projects/<project_id>/serviceAccounts/prefix-second@<project_id>.iam.gserviceaccount.com" = "serviceAccount:prefix-second@<project_id>.iam.gserviceaccount.com"
}

Terraform Configuration

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "4.1.1"
  project_id    = "<project_id>"
  prefix        = "prefix"
  names         = ["first", "second"]
}

Terraform Version

Terraform v1.1.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.11.0
+ provider registry.terraform.io/hashicorp/google-beta v4.11.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.7.2

Additional information

Related to PR https://github.com/terraform-google-modules/terraform-google-service-accounts/pull/57

Version 4.1.0 was convenient in the following use case:

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "4.1.0"
  project_id    = "<project_id>"
  prefix        = "prefix"
  names         = ["first", "second"]
}

module "buckets" {
  source  = "terraform-google-modules/cloud-storage/google"
  version = "~> 3.1"

  project_id = "<project_id>"
  location   = "northamerica-northeast1"
  prefix     = ""
  names = [
    "bucket-first",
    "bucket-second",
  ]

  set_viewer_roles = true
  bucket_viewers = {
    "bucket-first" = module.service_accounts.iam_emails["first"], # <- no longer works since key `first` doesn't exist
    "bucket-second" = module.service_accounts.iam_emails["second"], # <- no longer works since key `second` doesn't exist
  }
}

philippeboyd avatar Feb 18 '22 20:02 philippeboyd

Looping in PR owner @wkrysmann

philippeboyd avatar Feb 18 '22 20:02 philippeboyd

Attribute `service_accounts_map` returns the proper module-specified names as keys, so a workaround is to use

  bucket_viewers = {
    "bucket-first" = "serviceAccount:${module.service_accounts.service_accounts_map["first"]["email"]}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map["second"]["email"]}",
  }

Still a breaking change though...

philippeboyd avatar Feb 18 '22 20:02 philippeboyd

This should be considered a bug, since we didn't intend to change the interface of service_accounts. If you can get a PR up to fix it, we can change it back quickly.

morgante avatar Feb 18 '22 21:02 morgante

Changing it back would be to revert PR #57 (commit cb0f7f0) but then the problem that @wkrysmann mentioned in his PR would be back. Hence I would like to get his inputs on this issue first.

philippeboyd avatar Feb 19 '22 18:02 philippeboyd

Hi @philippeboyd, thanks for flagging this, this is definitely a bug which I introduced unintentionally. I'm wondering if we could use `service_accounts_map`, similarly to how you use it in the workaround solution, to fix the `iam_emails` output.

wkrysmann avatar Feb 23 '22 17:02 wkrysmann

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Apr 24 '22 23:04 github-actions[bot]

not stale

philippeboyd avatar Apr 29 '22 21:04 philippeboyd

Attribute `service_accounts_map` returns the proper module-specified names as keys, so a workaround is to use

  bucket_viewers = {
    "bucket-first" = "serviceAccount:${module.service_accounts.service_accounts_map["first"]["email"]}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map["second"]["email"]}",
  }

Still a breaking change though...

I did use this instead:

  bucket_viewers = {
    "bucket-first"  = "serviceAccount:${module.service_accounts.service_accounts_map.first.email}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map.second.email}",
  }

mehdicopter avatar May 02 '22 12:05 mehdicopter

Any update on this?

ccogan-lh avatar Jul 27 '22 18:07 ccogan-lh

Is there any update to this issue? We do use the service_accounts_map output, but it renders the output variables emails and iam_emails effectively useless

corey-hammerton avatar Feb 23 '23 17:02 corey-hammerton

Just hit this problem: it was an unannounced breaking change. Would be great to get it fixed; for now this is my workaround:

locals {
  service_accounts_iam_emails_by_name = {
    for env, account in module.service-accounts.service_accounts_map:
      env => "serviceAccount:${account.email}"
  }
}

This issue affects the `emails` output as well.

IMHO the best approach would be a fix reverting to the original behaviour, released as a breaking change with a major version update.

adrian-gierakowski avatar May 12 '23 15:05 adrian-gierakowski
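The workarounds in this thread all rebuild the short-name keyed map by hand from `service_accounts_map`. The following is an added example (not from the module or from any of the commenters) that does the same for both `emails` and `iam_emails` and adds a plan-time guard: because IAM bindings are keyed off these derived values, a silent change in key shape should fail the plan rather than bind the wrong principal (or nothing at all). It assumes the 4.1.1 `service_accounts_map` output is keyed by the short names passed in `names` and that each entry exposes an `email` attribute, as the workarounds above show; the `google_storage_bucket_iam_member` resource and `lifecycle.precondition` (Terraform >= 1.2) are used in place of the cloud-storage module so the check is visible. `<project_id>` is a placeholder as elsewhere on this page.

```hcl
# Added example, not code from the service-accounts module or this issue.
# Assumes: service_accounts_map is keyed by the short names in `names`
# and each value has an `email` attribute (as the thread's workarounds use).

locals {
  sa_names = ["first", "second"]
}

module "service_accounts" {
  source     = "terraform-google-modules/service-accounts/google"
  version    = "4.1.1"
  project_id = "<project_id>"
  prefix     = "prefix"
  names      = local.sa_names
}

locals {
  # Rebuild the pre-4.1.1 shape of both outputs, keyed by short name.
  sa_emails = {
    for name, sa in module.service_accounts.service_accounts_map :
    name => sa.email
  }
  sa_iam_emails = {
    for name, email in local.sa_emails :
    name => "serviceAccount:${email}"
  }

  # Every requested name must come back as a key; otherwise a module upgrade
  # that changes the key shape would let bindings below point at unexpected
  # principals (or evaluate to nothing) without anyone noticing.
  sa_keys_match = toset(keys(local.sa_iam_emails)) == toset(local.sa_names)
}

# Grant bucket read access per account using the rebuilt map. Hypothetical
# bucket names; an explicit lookup like local.sa_iam_emails["first"] already
# fails the plan on a missing key, and the precondition covers the general
# case where the map is passed through whole.
resource "google_storage_bucket_iam_member" "viewer" {
  for_each = {
    "bucket-first"  = local.sa_iam_emails["first"]
    "bucket-second" = local.sa_iam_emails["second"]
  }

  bucket = each.key
  role   = "roles/storage.objectViewer"
  member = each.value

  lifecycle {
    precondition {
      condition     = local.sa_keys_match
      error_message = "service_accounts_map keys do not match `names`; refusing to bind IAM to unexpected principals."
    }
  }
}

output "iam_emails_by_name" {
  value = local.sa_iam_emails
}
```

The precondition is the part worth keeping even after the module is fixed: pinning `version = "4.1.1"` exactly prevents the key shape from changing under you, and the set comparison turns any future change of that shape into a plan error instead of an IAM binding that quietly targets the wrong member.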