feat: create a service account if not defined

PiperOrigin-RevId: 786254967

Author: Android Build Filesystem (ABFS) Team

examples/simple/iam.tf

@@ -12,11 +12,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+locals {
+  create_service_account         = var.abfs_service_account_id == ""
+  abfs_service_account_email     = local.create_service_account ? google_service_account.abfs[0].email : data.google_service_account.abfs[0].email
+  abfs_service_account_unique_id = local.create_service_account ? google_service_account.abfs[0].unique_id : data.google_service_account.abfs[0].unique_id
+}
+
 data "google_service_account" "abfs" {
+  count      = local.create_service_account ? 0 : 1
+
   project    = data.google_project.project.project_id
   account_id = var.abfs_service_account_id
 }
 
+resource "google_service_account" "abfs" {
+  count        = local.create_service_account ? 1 : 0
+
+  project      = data.google_project.project.project_id
+  account_id   = var.abfs_service_account_name
+  display_name = "Service Account for ABFS"
+
+  lifecycle {
+    # Prevent the service account that may have been granted an ABFS license from being deleted.
+    prevent_destroy = true
+  }
+}
+
 module "project-iam-bindings" {
   source  = "terraform-google-modules/iam/google//modules/projects_iam"
   version = "8.1.0"
@@ -25,16 +46,18 @@ module "project-iam-bindings" {
   mode     = "authoritative"
 
   bindings = {
-    "roles/artifactregistry.reader"             = [data.google_service_account.abfs.member],
-    "roles/logging.logWriter"                   = [data.google_service_account.abfs.member],
-    "roles/monitoring.metricWriter"             = [data.google_service_account.abfs.member],
-    "roles/monitoring.viewer"                   = [data.google_service_account.abfs.member],
-    "roles/spanner.databaseUser"                = [data.google_service_account.abfs.member],
-    "roles/stackdriver.resourceMetadata.writer" = [data.google_service_account.abfs.member],
-    "roles/storage.objectAdmin"                 = [data.google_service_account.abfs.member],
+    "roles/artifactregistry.reader"             = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/logging.logWriter"                   = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/monitoring.metricWriter"             = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/monitoring.viewer"                   = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/spanner.databaseUser"                = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/stackdriver.resourceMetadata.writer" = ["serviceAccount:${local.abfs_service_account_email}"],
+    "roles/storage.objectAdmin"                 = ["serviceAccount:${local.abfs_service_account_email}"],
   }
 
   depends_on = [
-    module.project-services
+    module.project-services,
+    data.google_service_account.abfs,
+    google_service_account.abfs
   ]
 }

examples/simple/main.tf

@@ -27,7 +27,7 @@ module "abfs_server" {
 
   project_id                          = data.google_project.project.project_id
   zone                                = var.zone
-  service_account_email               = data.google_service_account.abfs.email
+  service_account_email               = local.abfs_service_account_email
   subnetwork                          = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri               = var.abfs_docker_image_uri
   abfs_license                        = var.abfs_license
@@ -42,7 +42,7 @@ module "abfs_uploaders" {
 
   project_id                            = data.google_project.project.project_id
   zone                                  = var.zone
-  service_account_email                 = data.google_service_account.abfs.email
+  service_account_email                 = local.abfs_service_account_email
   subnetwork                            = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri                 = var.abfs_docker_image_uri
   abfs_gerrit_uploader_count            = var.abfs_gerrit_uploader_count

examples/simple/network.tf

@@ -27,7 +27,7 @@ module "abfs-vpc" {
       name                    = "allow-egress-google-apis"
       priority                = 1000
       ranges                  = ["199.36.153.8/30", "34.126.0.0/18"]
-      target_service_accounts = [data.google_service_account.abfs.email]
+      target_service_accounts = [local.abfs_service_account_email]
 
       allow = [
         {
@@ -59,8 +59,8 @@ module "abfs-vpc" {
       priority    = 1000
 
       ranges                  = ["0.0.0.0/0"]
-      source_service_accounts = [data.google_service_account.abfs.email]
-      target_service_accounts = [data.google_service_account.abfs.email]
+      source_service_accounts = [local.abfs_service_account_email]
+      target_service_accounts = [local.abfs_service_account_email]
       allow = [
         {
           protocol = "icmp"

examples/simple/outputs.tf

@@ -16,8 +16,8 @@ output "license_information" {
   value = {
     project_id                = data.google_project.project.project_id,
     project_number            = data.google_project.project.number,
-    service_account_email     = data.google_service_account.abfs.email
-    service_account_unique_id = data.google_service_account.abfs.unique_id
+    service_account_email     = local.abfs_service_account_email
+    service_account_unique_id = local.abfs_service_account_unique_id
   }
 }
 

examples/simple/terraform.tf

@@ -17,7 +17,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.11.0"
+      version = ">= 6.11.0"
     }
   }
   # grant Storage Object Admin role to the Google Identity invoking Terraform

examples/simple/variables.tf

@@ -86,7 +86,14 @@ variable "alert_notification_email" {
 
 variable "abfs_service_account_id" {
   type        = string
-  description = "ABFS service account ID (e.g. abfs@<project-id>.iam.gserviceaccount.com)"
+  description = "ABFS service account ID (e.g. abfs@<project-id>.iam.gserviceaccount.com); if not specified, a new service account will be created using the abfs_service_account_name."
+  default     = ""
+}
+
+variable "abfs_service_account_name" {
+  type        = string
+  description = "The name of the service account to create in case abfs_service_account_id is not specified."
+  default     = "abfs"
 }
 
 variable "abfs_server_machine_type" {

modules/server/main.tf

@@ -73,7 +73,7 @@ resource "google_compute_instance" "abfs_server" {
   allow_stopping_for_update = var.abfs_server_allow_stopping_for_update
 
   service_account {
-    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+    # Google recommends custom service accounts with a cloud-platform scope and permissions granted via IAM roles.
     email  = var.service_account_email
     scopes = ["cloud-platform"]
   }

modules/server/terraform.tf

@@ -17,7 +17,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.11.0"
+      version = ">= 6.11.0"
     }
   }
 }

modules/uploaders/main.tf

@@ -59,6 +59,7 @@ locals {
 
 resource "google_compute_instance" "abfs_gerrit_uploaders" {
   count        = var.abfs_gerrit_uploader_count
+
   project      = var.project_id
   name         = "${local.goog_cm_deployment_name}${var.abfs_gerrit_uploader_name_prefix}-${count.index}"
   machine_type = var.abfs_gerrit_uploader_machine_type
@@ -67,7 +68,7 @@ resource "google_compute_instance" "abfs_gerrit_uploaders" {
   allow_stopping_for_update = var.abfs_gerrit_uploader_allow_stopping_for_update
 
   service_account {
-    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+    # Google recommends custom service accounts with a cloud-platform scope and permissions granted via IAM roles.
     email  = var.service_account_email
     scopes = ["cloud-platform"]
   }
@@ -98,8 +99,9 @@ resource "google_compute_instance" "abfs_gerrit_uploaders" {
 }
 
 resource "google_compute_disk" "abfs_gerrit_uploader_datadisks" {
-  project = var.project_id
   count   = var.abfs_gerrit_uploader_count
+
+  project = var.project_id
   name    = "${local.goog_cm_deployment_name}${var.abfs_gerrit_uploader_datadisk_name_prefix}-${count.index}"
   size    = var.abfs_gerrit_uploader_datadisk_size_gb
   zone    = var.zone
@@ -111,15 +113,17 @@ resource "google_compute_disk" "abfs_gerrit_uploader_datadisks" {
 }
 
 resource "google_compute_attached_disk" "abfs_gerrit_uploader_datadisk_attachments" {
-  project     = var.project_id
   count       = var.abfs_gerrit_uploader_count
+
+  project     = var.project_id
   disk        = google_compute_disk.abfs_gerrit_uploader_datadisks[count.index].id
   instance    = google_compute_instance.abfs_gerrit_uploaders[count.index].id
   device_name = local.abfs_datadisk_device_name
 }
 
 data "cloudinit_config" "abfs_gerrit_uploader_configs" {
   count         = var.abfs_gerrit_uploader_count
+
   gzip          = false
   base64_encode = false
 

modules/uploaders/terraform.tf

@@ -17,7 +17,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.11.0"
+      version = ">= 6.11.0"
     }
   }
 }