Terraform-provider-google: google_service_account validation regex too restrictive

Created on 26 Mar 2019  ·  5Comments  ·  Source: hashicorp/terraform-provider-google

Terraform Version

$ terraform -v
Terraform v0.11.11

  • provider.google v2.3.0

Affected Resource(s)

  • google_service_account

Terraform Configuration Files

data "google_service_account" "sandbox-service-account" {
  account_id = "67027686384-compute"
  project    = "foobar-sandbox-20190325"
}

provider "google" {
  region  = "us-east1"
  version = "2.3.0"
  project = "foobar-sandbox-20190325"
}

Debug Output

https://gist.github.com/travisgroth/7dd5885b1d4dc7b10f46e8f8eb1b2e56

Expected Behavior

This service account format should work and return the data about the account.

Actual Behavior

I get a regex validation failure despite '67027686384-compute' being a valid account_id. It is the default compute engine service account format, and I believe accounts that start with the project ID are normal for google provided service accounts.

Steps to Reproduce

  1. terraform plan

All 5 comments

From the docs, this is the regexp expected for a service account ID for user-created service accounts. In general, if the service account is not a user-created service account, we have data sources like google_compute_default_service_account to handle these GCP-created accounts.

@emilymye I am trying to set permissions for the default cloudbuild service account as documented here

What is the best way to achieve this?

Some service accounts use different formats. Below are two examples. Providing a proper data source could help users manipulate them via Terraform.

[email protected]
[email protected]

This is a great question. From what I see, and the tests I've run against the service account API, I can only get any service accounts that are listed in Service Accounts in the console. However, the default cloudbuild service account is Google-Managed and is not listed there (https://cloud.google.com/iam/docs/service-accounts#google_apis_service_account), thus when I tried to GET it with the service account API that we use with this resource, it was unable to be found.

Some services have their own endpoints that will allow us to GET their associated default service account (BigQuery, Compute) while others, from what I can see, do not (CloudBuild, AppEngine), so we are unable to create specific default data sources for them.

If you're looking to enable a Google-Managed service account in Terraform, you would use google_project_service (https://www.terraform.io/docs/providers/google/r/google_project_service.html), like so:

// this will enable the cloudbuild service
resource "google_project_service" "project" {
  project = "your-project-id"
  service = "cloudbuild.googleapis.com"

  disable_on_destroy = false
}

If you're wanting to add permissions to these Google-Managed service accounts, I would recommend using google_project_iam_member (https://www.terraform.io/docs/providers/google/r/google_project_iam.html) where the member would be "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"

With that, I'll close the issue, but please feel free to open a new issue if there is a default service account needed that has its own endpoint and we can create a datasource for it, or if you're seeing other issues with the regex.
Thanks!
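Putting the closing comment's advice together as one configuration, as an added example (not from the issue or the provider's own docs). It assumes a placeholder project ID and a role chosen for illustration; the `depends_on` matters because the Cloud Build service agent only exists once the API has been enabled. Note that `google_project_iam_member` is additive and non-authoritative, so it grants one member one role without touching other bindings on the project.

```hcl
# Terraform 0.11-style syntax, matching the version reported in this issue.

# Project number is needed to build the Google-managed service account email.
data "google_project" "project" {
  project_id = "your-project-id" # placeholder, replace with the real project ID
}

# Enabling the API creates the Google-managed Cloud Build service account.
resource "google_project_service" "cloudbuild" {
  project = "${data.google_project.project.project_id}"
  service = "cloudbuild.googleapis.com"

  # Keep the API enabled if this resource is ever destroyed.
  disable_on_destroy = false
}

# Grant a single, narrowly scoped role to the Cloud Build service account.
# roles/storage.objectViewer is an assumed choice for illustration; pick the
# least-privilege role the build actually needs.
resource "google_project_iam_member" "cloudbuild_object_viewer" {
  project = "${data.google_project.project.project_id}"
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com"

  # The member must exist before the binding can be applied.
  depends_on = ["google_project_service.cloudbuild"]
}

# Expose the resolved email so it can be checked against the IAM console.
output "cloudbuild_service_account" {
  value = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
}
```

Running `terraform plan` shows the resolved member string before anything is applied, which is a quick way to confirm the project number was picked up from the right project.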

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
