Revert "Update service account creation to prevent failures due to eventual consistency" (#14506) (#23583)

modular-magician · web-flow · commit 12edd60879af · 2025-07-11T12:50:44.000-07:00
[upstream:f89938e737ba53733ddfb484285f01f69eecdef2]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/14506.txt b/.changelog/14506.txt
@@ -0,0 +1,3 @@
+```release-note:note
+iam: Update service account creation to prevent failures due to eventual consistency (reverted)
+```
diff --git a/google/services/resourcemanager/resource_google_service_account.go b/google/services/resourcemanager/resource_google_service_account.go
@@ -138,59 +138,54 @@ func resourceGoogleServiceAccountCreate(d *schema.ResourceData, meta interface{}
 		ServiceAccount: sa,
 	}
 
-	d.SetId(fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com", project, aid, project))
-
-	iamClient := config.NewIamClient(userAgent)
-	sa, err = iamClient.Projects.ServiceAccounts.Create("projects/"+project, r).Do()
+	sa, err = config.NewIamClient(userAgent).Projects.ServiceAccounts.Create("projects/"+project, r).Do()
 	if err != nil {
 		gerr, ok := err.(*googleapi.Error)
 		alreadyExists := ok && gerr.Code == 409 && d.Get("create_ignore_already_exists").(bool)
 		if alreadyExists {
-			err = transport_tpg.Retry(transport_tpg.RetryOptions{
-				RetryFunc: func() (operr error) {
-					sa, saerr := iamClient.Projects.ServiceAccounts.Get(d.Id()).Do()
-
-					if saerr != nil {
-						return saerr
-					}
-					return populateResourceData(d, sa)
-				},
-				Timeout: d.Timeout(schema.TimeoutCreate),
-				ErrorRetryPredicates: []transport_tpg.RetryErrorPredicateFunc{
-					transport_tpg.IsNotFoundRetryableError("service account creation"),
-				},
-			})
-
-			return nil
+			sa = &iam.ServiceAccount{
+				Name: fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com", project, aid, project),
+			}
 		} else {
 			return fmt.Errorf("Error creating service account: %s", err)
 		}
 	}
 
+	d.SetId(sa.Name)
+
+	err = transport_tpg.Retry(transport_tpg.RetryOptions{
+		RetryFunc: func() (operr error) {
+			_, saerr := config.NewIamClient(userAgent).Projects.ServiceAccounts.Get(d.Id()).Do()
+			return saerr
+		},
+		Timeout: d.Timeout(schema.TimeoutCreate),
+		ErrorRetryPredicates: []transport_tpg.RetryErrorPredicateFunc{
+			transport_tpg.IsNotFoundRetryableError("service account creation"),
+			transport_tpg.IsForbiddenIamServiceAccountRetryableError("service account creation"),
+		},
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error reading service account after creation: %s", err)
+	}
+
 	// We poll until the resource is found due to eventual consistency issue
-	// on part of the api https://cloud.google.com/iam/docs/overview#consistency.
-	// Wait for at least 3 successful responses in a row to ensure result is consistent.
+	// on part of the api https://cloud.google.com/iam/docs/overview#consistency
 	// IAM API returns 403 when the queried SA is not found, so we must ignore both 404 & 403 errors
-	transport_tpg.PollingWaitTime(
-		resourceServiceAccountPollRead(d, meta),
-		transport_tpg.PollCheckForExistence,
-		"Creating Service Account",
-		d.Timeout(schema.TimeoutCreate),
-		3, // Number of consecutive occurences.
-	)
+	err = transport_tpg.PollingWaitTime(resourceServiceAccountPollRead(d, meta), transport_tpg.PollCheckForExistenceWith403, "Creating Service Account", d.Timeout(schema.TimeoutCreate), 1)
 
-	populateResourceData(d, sa)
+	if err != nil {
+		return err
+	}
 
 	// We can't guarantee complete consistency even after polling,
 	// so sleep for some additional time to reduce the likelihood of
 	// eventual consistency failures.
 	time.Sleep(10 * time.Second)
 
-	return nil
+	return resourceGoogleServiceAccountRead(d, meta)
 }
 
-// PollReadFunc for checking Service Account existence.
-// If resourceData is not nil, it will be updated with the response.
 func resourceServiceAccountPollRead(d *schema.ResourceData, meta interface{}) transport_tpg.PollReadFunc {
 	return func() (map[string]interface{}, error) {
 		config := meta.(*transport_tpg.Config)
@@ -222,10 +217,6 @@ func resourceGoogleServiceAccountRead(d *schema.ResourceData, meta interface{})
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("Service Account %q", d.Id()))
 	}
 
-	return populateResourceData(d, sa)
-}
-
-func populateResourceData(d *schema.ResourceData, sa *iam.ServiceAccount) error {
 	if err := d.Set("email", sa.Email); err != nil {
 		return fmt.Errorf("Error setting email: %s", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:note
	`2`	`+iam: Update service account creation to prevent failures due to eventual consistency (reverted)`
	`3`	+```