fix: Update service account output to be present at plan time in all cases for v2 module (#334)

Author: q2w

modules/job-exec/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     terracurl = {

modules/secure-cloud-run-core/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/secure-cloud-run-security/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/secure-cloud-run/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/secure-serverless-harness/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/secure-serverless-net/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/service-project-factory/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {

modules/v2/main.tf

@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-data "google_service_account" "existing_sa" {
-  count      = local.create_service_account == false ? 1 : 0
-  account_id = google_cloud_run_v2_service.main.template[0].service_account
+data "google_compute_default_service_account" "default" {
+  count   = local.create_service_account == false ? 1 : 0
+  project = var.project_id
 }
 
 locals {
@@ -32,15 +32,21 @@ locals {
   create_service_account = var.create_service_account ? var.service_account == null : false
 
   service_account_prefix = substr("${var.service_name}-${var.location}", 0, 27)
+
   service_account_output = local.create_service_account ? {
     id     = google_service_account.sa[0].account_id,
     email  = google_service_account.sa[0].email,
     member = google_service_account.sa[0].member
+    } : var.service_account == null ? {
+    id     = data.google_compute_default_service_account.default[0].name,
+    email  = data.google_compute_default_service_account.default[0].email,
+    member = data.google_compute_default_service_account.default[0].member
     } : {
-    id     = data.google_service_account.existing_sa[0].account_id,
-    email  = data.google_service_account.existing_sa[0].email,
-    member = data.google_service_account.existing_sa[0].member
+    id     = split("@", var.service_account)[0],
+    email  = var.service_account,
+    member = "serviceAccount:${var.service_account}"
   }
+
   service_account_project_roles = local.create_service_account ? distinct(concat(
     var.service_account_project_roles,
     var.enable_prometheus_sidecar ? ["roles/monitoring.metricWriter"] : []

modules/v2/metadata.yaml

@@ -527,6 +527,7 @@ spec:
           - roles/serviceusage.serviceUsageViewer
           - roles/cloudkms.admin
           - roles/resourcemanager.projectIamAdmin
+          - roles/compute.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com

test/fixtures/secure_cloud_run/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
 
   required_providers {
     google = {