From 7c8477bd6137745176d27a4e092c997b0da64149 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Mon, 20 May 2024 15:22:47 -0700 Subject: [PATCH] fix: enable create_ignore for service accounts (#292) --- main.tf | 7 ++++--- modules/im_cloudbuild_workspace/sa.tf | 18 ++++++++++-------- modules/tf_cloudbuild_builder/cb.tf | 9 +++++---- modules/tf_cloudbuild_builder/workflow.tf | 9 +++++---- modules/tf_cloudbuild_workspace/sa.tf | 9 +++++---- 5 files changed, 29 insertions(+), 23 deletions(-) diff --git a/main.tf b/main.tf index a1d711f9..ed9805eb 100644 --- a/main.tf +++ b/main.tf @@ -90,9 +90,10 @@ module "enable_cross_project_service_account_usage" { resource "google_service_account" "org_terraform" { count = var.create_terraform_sa ? 1 : 0 - project = module.seed_project.project_id - account_id = var.tf_service_account_id - display_name = var.tf_service_account_name + project = module.seed_project.project_id + account_id = var.tf_service_account_id + display_name = var.tf_service_account_name + create_ignore_already_exists = true } /*********************************************** diff --git a/modules/im_cloudbuild_workspace/sa.tf b/modules/im_cloudbuild_workspace/sa.tf index 02d037a0..13bcf4d7 100644 --- a/modules/im_cloudbuild_workspace/sa.tf +++ b/modules/im_cloudbuild_workspace/sa.tf 
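Review bot: With `create_ignore_already_exists = true` on `google_service_account.org_terraform`, an account that already exists under `var.tf_service_account_id` in the seed project is adopted into state instead of failing the apply, and whatever user-managed keys and IAM bindings that pre-existing account already carries stay in place — nothing in the hunk resets them, while any roles the module binds to the SA elsewhere are now granted on top of them. Since this is the organization-level Terraform SA, the adoption deserves an inline comment next to the new argument, e.g. `# Adopts a pre-existing SA of this id (existing keys/bindings are kept; the SA is deleted on destroy). Review it before first apply.` The diffstat lists no `versions.tf` change, so confirm the module's google provider constraint already admits a version that supports this argument; if it does not, plan fails with an unsupported-argument error.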
@@ -25,10 +25,11 @@ locals { } resource "google_service_account" "cb_sa" { - count = local.create_cloudbuild_sa ? 1 : 0 - project = var.project_id - account_id = trimsuffix(substr(var.custom_cloudbuild_sa_name != "" ? var.custom_cloudbuild_sa_name : "cb-sa-${random_id.resources_random_id.dec}-${local.default_prefix}", 0, 30), "-") - description = "SA used for Cloud Build triggers invoking Infrastructure Manager." + count = local.create_cloudbuild_sa ? 1 : 0 + project = var.project_id + account_id = trimsuffix(substr(var.custom_cloudbuild_sa_name != "" ? var.custom_cloudbuild_sa_name : "cb-sa-${random_id.resources_random_id.dec}-${local.default_prefix}", 0, 30), "-") + description = "SA used for Cloud Build triggers invoking Infrastructure Manager." + create_ignore_already_exists = true } # https://cloud.google.com/infrastructure-manager/docs/configure-service-account @@ -70,10 +71,11 @@ resource "google_project_iam_member" "cb_storage_objects_viewer" { } resource "google_service_account" "im_sa" { - count = local.create_infra_manager_sa ? 1 : 0 - project = var.project_id - account_id = trimsuffix(substr(var.custom_infra_manager_sa_name != "" ? var.custom_infra_manager_sa_name : "im-sa-${random_id.resources_random_id.dec}-${local.default_prefix}", 0, 30), "-") - description = "SA used by Infrastructure Manager for actuating resources." + count = local.create_infra_manager_sa ? 1 : 0 + project = var.project_id + account_id = trimsuffix(substr(var.custom_infra_manager_sa_name != "" ? var.custom_infra_manager_sa_name : "im-sa-${random_id.resources_random_id.dec}-${local.default_prefix}", 0, 30), "-") + description = "SA used by Infrastructure Manager for actuating resources." + create_ignore_already_exists = true } # https://cloud.google.com/infrastructure-manager/docs/configure-service-account diff --git a/modules/tf_cloudbuild_builder/cb.tf b/modules/tf_cloudbuild_builder/cb.tf index 6c9d34e6..25f779d5 100644 --- a/modules/tf_cloudbuild_builder/cb.tf 
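Review bot: `google_service_account.cb_sa` now adopts an existing account whenever `var.custom_cloudbuild_sa_name` resolves to one, so a caller-supplied id that collides with an SA owned by another workload quietly brings that account — with its current keys and bindings — under this module's management, including deletion on `terraform destroy`. The `random_id` default makes an accidental collision unlikely, but the custom-name path is caller-controlled and previously failed loudly on the duplicate. At minimum document it where the id is chosen, e.g. `# An existing SA of this id is adopted rather than recreated, and is deleted with this module.`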
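Review bot: The `substr(..., 0, 30)` truncation on `im_sa`'s `account_id` means two distinct `custom_infra_manager_sa_name` values that differ only after the 30th character collapse to the same id, and with `create_ignore_already_exists = true` the second apply now silently adopts the first instance's SA instead of erroring; because this is the account Infrastructure Manager actuates resources with, the two workspaces would then share one identity and its bindings. Either validate the variable's length so truncation cannot happen, or note the consequence inline: `# Truncated to 30 chars; a colliding id adopts the existing SA instead of failing.`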
+++ b/modules/tf_cloudbuild_builder/cb.tf @@ -88,10 +88,11 @@ resource "google_cloudbuild_trigger" "build_trigger" { } resource "google_service_account" "cb_sa" { - count = var.cloudbuild_sa == "" ? 1 : 0 - project = var.project_id - account_id = "tf-cb-builder-sa" - display_name = "SA for Terraform builder build trigger. Managed by Terraform." + count = var.cloudbuild_sa == "" ? 1 : 0 + project = var.project_id + account_id = "tf-cb-builder-sa" + display_name = "SA for Terraform builder build trigger. Managed by Terraform." + create_ignore_already_exists = true } # https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#permissions diff --git a/modules/tf_cloudbuild_builder/workflow.tf b/modules/tf_cloudbuild_builder/workflow.tf index cbe40aab..d36cb547 100644 --- a/modules/tf_cloudbuild_builder/workflow.tf +++ b/modules/tf_cloudbuild_builder/workflow.tf @@ -26,10 +26,11 @@ locals { } resource "google_service_account" "workflow_sa" { - count = var.workflow_sa == "" ? 1 : 0 - project = var.project_id - account_id = "terraform-runner-workflow-sa" - display_name = "SA for TF Builder Workflow. Managed by Terraform." + count = var.workflow_sa == "" ? 1 : 0 + project = var.project_id + account_id = "terraform-runner-workflow-sa" + display_name = "SA for TF Builder Workflow. Managed by Terraform." + create_ignore_already_exists = true } resource "google_workflows_workflow" "builder" { diff --git a/modules/tf_cloudbuild_workspace/sa.tf b/modules/tf_cloudbuild_workspace/sa.tf index ebc7bb1d..e73937b5 100644 --- a/modules/tf_cloudbuild_workspace/sa.tf +++ b/modules/tf_cloudbuild_workspace/sa.tf 
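Review bot: With the fixed `account_id = "tf-cb-builder-sa"` and `create_ignore_already_exists = true`, a second instance of this module in the same project (or a second root configuration) no longer fails on the duplicate but adopts the same SA into its own state, so each apply rewrites `display_name` and whichever instance is destroyed first deletes the account the other still runs builds with. The duplicate-create error used to surface that misuse; it is now silent. Either document this (`# Fixed id: another instance in this project adopts, and on destroy deletes, this same SA.`) or give the id a configurable prefix as the workspace modules do.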
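Review bot: `google_service_account.workflow_sa` now has two overlapping ways to end up on an existing account — the explicit `var.workflow_sa` input, which skips creation via `count`, and the implicit adoption of any SA already named `terraform-runner-workflow-sa` — and only the first expresses caller intent or leaves the account outside this module's destroy. A short comment on the new argument should state which case it is meant for, e.g. `# Re-running after a partial apply: adopt our own SA if it already exists. To use a foreign SA, set var.workflow_sa instead.`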
@@ -34,10 +34,11 @@ locals { resource "google_service_account" "cb_sa" { - count = var.create_cloudbuild_sa ? 1 : 0 - project = var.project_id - account_id = var.create_cloudbuild_sa_name != "" ? var.create_cloudbuild_sa_name : "tf-cb-${local.default_prefix}" - display_name = "SA for Terraform build trigger ${local.default_prefix}. Managed by Terraform." + count = var.create_cloudbuild_sa ? 1 : 0 + project = var.project_id + account_id = var.create_cloudbuild_sa_name != "" ? var.create_cloudbuild_sa_name : "tf-cb-${local.default_prefix}" + display_name = "SA for Terraform build trigger ${local.default_prefix}. Managed by Terraform." + create_ignore_already_exists = true } # https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#permissions
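Review bot: After this hunk `create_cloudbuild_sa = true` means "create, or adopt and manage an existing SA of this id", and with `create_cloudbuild_sa_name` caller-controlled that adopted account is deleted when the workspace is destroyed; the diffstat shows no `variables.tf` change, so the variable descriptions presumably still promise plain creation and should be updated to say so. A matching inline note on the resource would help too: `# If an SA with this id already exists it is adopted (keys/bindings untouched) and destroyed with the workspace.`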