Terraform-provider-google: Document google_project_service_identity can be used for Cloud Build
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.
Description
Similarly to google_compute_default_service_account I think there should be google_cloudbuild_default_service_account to retrieve the default service account of Cloud Build. It is documented here: https://cloud.google.com/cloud-build/docs/cloud-build-service-account#:~:text=By%20default%2C%20Cloud%20Build%20service,service%20account%20has%20by%20default.
Currently, I implemented a module locally to not repeat the code:
variable "project" {
type = string
}
data "google_project" "project" {
project_id = var.project
}
output "email" {
value = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
}
New or Affected Resource(s)
- google_cloudbuild_default_service_account
Potential Terraform Configuration
data "google_cloudbuild_default_service_account" "default" {
}
resource "google_project_iam_member" "cloud_build" {
role = "roles/editor"
member = "serviceAccount:${data.google_cloudbuild_default_service_account.email}"
}
iddan
All 9 comments
This is possibly possible through https://www.terraform.io/docs/providers/google/r/project_service_identity.html, depending how the API exposes the account.
rileykarson
on 19 Oct 2020
Thank you! How should users be aware this is the correct way to receive the Cloud Build default service account?
iddan
on 19 Oct 2020
Good question! I think we could consider adding an infobox on the page of resources with default service accounts that points to google_project_service_identity.
As a sidebar I just confirmed this works, with the config below (I posted a guess one of my teammates had during a triage meeting before):
resource "google_project_service_identity" "build_account" {
provider = google-beta
service = "cloudbuild.googleapis.com"
}
output "email" {
value = google_project_service_identity.build_account.email
}
Awesome. Thank you!
iddan
on 21 Oct 2020
Reopening- I think we want this to appear on the original resource page too, not just the service identity resource. This is about improving the discoverability of google_project_service_identity.
rileykarson
on 11 Nov 2020
Re-opening, I was too fast for the robot.
rileykarson
on 11 Nov 2020
Any specific page @rileykarson?
upodroid
on 11 Nov 2020
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudbuild_trigger for this issue
rileykarson
on 11 Nov 2020
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 12 Dec 2020
Related issues
hashibot
·
30Comments
gouthamve
·
22Comments
vncntvandriessche
·
26Comments
sereeth
·
25Comments
Lirt
·
33Comments