module beta-autopilote-private-cluster custom default service account take default compute sa

[ganeis]

TL;DR

try to create autopilote cluster with module ("terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster") in plan i can see custom service account set but when i execute apply i have some error. Terraform try to create with default compute sa : "[email protected]"

Expected behavior

Terraform execute creation with custom service account not default compute sa

Observed behavior

Terraform try to create cluster with default compute sa. We erase all default sa for more security so we want create with custom service account.

Terraform Configuration

module "gke" {
    source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"

    project_id = var.gcp_project_id
    name                       = "gke-test-1"
    region                     = var.gcp_region
    zones                      = ["europe-west1-d", "europe-west1-b", "europe-west1-c"]
    network                    = "vpc-env-ops-prd-vpc1"
    subnetwork                 = "subnet-autopilote-test"
    ip_range_pods              = "europe-west1-01-gke-01-pods"
    ip_range_services          = "europe-west1-01-gke-01-services"
    horizontal_pod_autoscaling = true
    enable_private_endpoint    = true
    enable_private_nodes       = true
    master_ipv4_cidr_block     = "10.0.0.0/28"
    dns_cache                  = false
    create_service_account = true
    enable_vertical_pod_autoscaling = true
  deletion_protection             = false
    

}
module "vpc" {
  source  = "terraform-google-modules/network/google//modules/subnets"
  version = ">= 7.5"

  project_id   = var.gcp_project_id
  network_name = "vpc-env-ops-prd-vpc1"

  subnets = [
    {
      subnet_name           = "subnet-autopilote-test"
      subnet_ip             = "172.21.0.0/16"
      subnet_region         = var.gcp_region
      subnet_private_access = true
      description           = "This subnet is managed by Terraform"
      subnet_flow_logs             = "true"
      subnet_flow_logs_interval    = "INTERVAL_10_MIN"
      subnet_flow_logs_sampling    = 0.7
      subnet_flow_logs_metadata    = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_filter_expr = "true"
    }
    
  ]
  
  secondary_ranges = {
    ("subnet-autopilote-test") = [
      {
        range_name    = "europe-west1-01-gke-01-pods"
        ip_cidr_range = "172.169.0.0/18"
      },
      {
        range_name    = "europe-west1-01-gke-01-services"
        ip_cidr_range = "172.169.64.0/18"
      },
    ]
  }
}

Terraform Version

Terraform v1.8.5
on windows_386
+ provider registry.terraform.io/hashicorp/google v6.10.0
+ provider registry.terraform.io/hashicorp/google-beta v6.10.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.33.0
+ provider registry.terraform.io/hashicorp/random v3.6.3

Additional information

in plan i have:

• cluster_autoscaling {
  + auto_provisioning_locations = (known after apply)
  + enabled = (known after apply)

    + auto_provisioning_defaults {
        + oauth_scopes    = (known after apply)
        + service_account = "[email protected]"
      }
  }
  

[jgogstad]

seeing the same, creating a project with project factory disables the compute SA by default, then we're left with this when trying to apply the module

│ Error: googleapi: Error 400: Service account "[email protected]" is disabled.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.RequestInfo",
│     "requestId": "0x2a3f071224fdada2"
│   }
│ ]
│ , badRequest
│
│   with module.gke_ap.google_container_cluster.primary,
│   on .terraform/modules/gke_ap/modules/beta-autopilot-private-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
│   22: resource "google_container_cluster" "primary" {