```hcl
resource "google_project_service_identity" "healthcare_identity" {
  project = "foo"
  service = "healthcare.googleapis.com"
}
```
gcloud command: https://cloud.google.com/sdk/gcloud/reference/beta/services/identity/create
This is the relevant API.
https://cloud.google.com/service-usage/docs/reference/rest/v1beta1/services/generateServiceIdentity
b/165640832
We really need this feature as Composer service account used to be part of enabling the service. Recently they changed the behavior and it is not created as part of enabling composer service. It can be enabled by running `gcloud beta services identity create --service=composer.googleapis.com`
@c2thorn I am looking into adding support for this in magic modules. Thanks!
If anyone wants to use this immediately, an initial version of the resource is available at https://github.com/hashicorp/terraform-provider-google-beta/pull/2430.
I verified correctness with the following config:
```hcl
data "google_project" "project" {
  project_id = "REPLACE"
}

# Creates the Google-managed service identity for the Healthcare API.
resource "google_project_service_identity" "healthcare" {
  provider = google-beta
  project  = data.google_project.project.project_id
  service  = "healthcare.googleapis.com"
}

# Grants the Healthcare service agent the BigQuery Job User role on the project.
resource "google_project_iam_member" "bq_jobuser" {
  project = data.google_project.project.project_id
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-healthcare.iam.gserviceaccount.com"
}
```
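The Composer case raised earlier in the thread, as an added example that is not code from the thread or the provider project. It assumes the provider version in use exports the `email` attribute on `google_project_service_identity`; referencing it, rather than building the address by hand, makes Terraform create the identity before the IAM grant. The resource names and the `REPLACE` project ID are placeholders.

```hcl
# Added example; project ID is a placeholder.
data "google_project" "project" {
  project_id = "REPLACE"
}

# Enable the API. Per the comment above, this step alone no longer
# creates the Composer service account.
resource "google_project_service" "composer" {
  project            = data.google_project.project.project_id
  service            = "composer.googleapis.com"
  disable_on_destroy = false
}

# Terraform counterpart of:
#   gcloud beta services identity create --service=composer.googleapis.com
resource "google_project_service_identity" "composer" {
  provider = google-beta
  project  = data.google_project.project.project_id
  service  = google_project_service.composer.service
}

# Grant only the service agent role, scoped to this project. Using the
# exported email (assumed available) creates an implicit dependency on
# the identity resource, so the grant is never applied before it exists.
resource "google_project_iam_member" "composer_agent" {
  project = data.google_project.project.project_id
  role    = "roles/composer.serviceAgent"
  member  = "serviceAccount:${google_project_service_identity.composer.email}"
}
```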
Thanks. Any ETA when it will be available?
@imrannayer google providers are released on a weekly basis, but if you need it sooner you can clone the repo and run go build to build the provider yourself (and move the binary to the same dir as the deployment or a central one).
FYI - for more details/background explained by a Google engineer (afaik), see https://github.com/terraform-google-modules/terraform-google-project-factory/issues/448#issuecomment-683468418