
Commit 777092c

authored
fix: Don't attempt to activate service identity for compute.googleapis.com (#628)
1 parent 621c527 commit 777092c


1 file changed

+33
-6
lines changed


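--- a/modules/project_services/main.tf
+++ b/modules/project_services/main.tf
@@ -15,7 +15,8 @@
 */
 
 locals {
-services = var.enable_apis ? toset(concat(var.activate_apis, [for i in var.activate_api_identities : i.api])) : toset([])
+activate_compute_identity = 0 != length([for i in var.activate_api_identities : i if i.api == "compute.googleapis.com"])
+services = var.enable_apis ? toset(concat(var.activate_apis, [for i in var.activate_api_identities : i.api])) : toset([])
 service_identities = flatten([
 for i in var.activate_api_identities : [
 for r in i.roles :
@@ -35,24 +36,50 @@ resource "google_project_service" "project_services" {
 disable_dependent_services = var.disable_dependent_services
 }
 
+# First handle all service identities EXCEPT compute.googleapis.com.
 resource "google_project_service_identity" "project_service_identities" {
 for_each = {
 for i in var.activate_api_identities :
 i.api => i
+if i.api != "compute.googleapis.com"
 }
 
 provider = google-beta
 project = var.project_id
 service = each.value.api
 }
 
+# Process the compute.googleapis.com identity separately, if present in the inputs.
+data "google_compute_default_service_account" "default" {
+count = local.activate_compute_identity ? 1 : 0
+project = var.project_id
+}
+
+locals {
+add_service_roles = merge(
+{
+for si in local.service_identities :
+"${si.api} ${si.role}" => {
+email = google_project_service_identity.project_service_identities[si.api].email
+role = si.role
+}
+if si.api != "compute.googleapis.com"
+},
+{
+for si in local.service_identities :
+"${si.api} ${si.role}" => {
+email = data.google_compute_default_service_account.default[0].email
+role = si.role
+}
+if si.api == "compute.googleapis.com"
+}
+)
+}
+
 resource "google_project_iam_member" "project_service_identity_roles" {
-for_each = {
-for si in local.service_identities :
-"${si.api} ${si.role}" => si
-}
+for_each = local.add_service_roles
 
 project = var.project_id
 role = each.value.role
-member = "serviceAccount:${google_project_service_identity.project_service_identities[each.value.api].email}"
+member = "serviceAccount:${each.value.email}"
 }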
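Review bot: The new `google_compute_default_service_account` data source (new lines 53–56) carries no ordering relationship to `google_project_service.project_services`, so on a fresh project Terraform may read the default compute service account before the Compute API that creates it has been enabled; adding `depends_on = [google_project_service.project_services]` inside the data block would pin that order. The comment at new line 52 should also say what this branch grants to: unlike the per-API service agents handled above, `data.google_compute_default_service_account.default[0].email` is the project's default compute service account, which VMs and other compute workloads created without an explicit service account run as, so every role listed for `compute.googleapis.com` in `var.activate_api_identities` is extended to all of those workloads — something like `# NOTE: roles granted here land on the project's default compute SA, used by any workload created without an explicit service account; keep this list minimal.` makes that blast radius visible to module callers. As a point of style, the literal `"compute.googleapis.com"` now appears in four filters (new lines 18, 44, 66, 74); hoisting it into a single local would keep them from drifting apart.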
