force GSA to be created outside the module

joecorall · joecorall · commit 36b8e01b117e · 2025-11-28T13:11:56.000-05:00
diff --git a/README.md b/README.md
@@ -30,7 +30,6 @@ No modules.
 | [google_compute_backend_service.backend](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource |
 | [google_compute_region_network_endpoint_group.neg](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_network_endpoint_group) | resource |
 | [google_project_iam_member.sa_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
-| [google_service_account.service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account.service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account) | data source |
 
 ## Inputs
@@ -41,7 +40,7 @@ No modules.
 | <a name="input_containers"></a> [containers](#input\_containers) | List of container configurations to run in the service. At least one container needs a port. This allows easily configuring multi-container deployments. | <pre>list(object({<br/>    image          = string<br/>    name           = string<br/>    command        = optional(list(string), null)<br/>    args           = optional(list(string), null)<br/>    port           = optional(number, 0)<br/>    memory         = optional(string, "512Mi")<br/>    cpu            = optional(string, "1000m")<br/>    liveness_probe = optional(string, "")<br/>    gpus           = optional(string, "")<br/>    volume_mounts = optional(list(object({<br/>      name       = string<br/>      mount_path = string<br/>    })), [])<br/>  }))</pre> | n/a | yes |
 | <a name="input_empty_dir_volumes"></a> [empty\_dir\_volumes](#input\_empty\_dir\_volumes) | List of empty directory volumes to create and mount | <pre>list(object({<br/>    name       = string<br/>    size_limit = optional(string, "2Mi")<br/>  }))</pre> | `[]` | no |
 | <a name="input_gcs_volumes"></a> [gcs\_volumes](#input\_gcs\_volumes) | List of Google Cloud Storage buckets to mount as volumes. Must ensure the Cloud Run GSA has proper IAM set on the bucket | <pre>list(object({<br/>    name      = string<br/>    bucket    = string<br/>    read_only = optional(bool, true)<br/>  }))</pre> | `[]` | no |
-| <a name="input_gsa"></a> [gsa](#input\_gsa) | Service account name the Cloud Run service will run as. If empty, creates a new one. | `string` | `""` | no |
+| <a name="input_gsa"></a> [gsa](#input\_gsa) | Service account name the Cloud Run service will run as. If empty, creates a new one. | `string` | n/a | yes |
 | <a name="input_invokers"></a> [invokers](#input\_invokers) | List of members to grant Cloud Run invoker role | `list(string)` | <pre>[<br/>  "allUsers"<br/>]</pre> | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Maximum number of instances to scale to | `string` | `"100"` | no |
 | <a name="input_min_instances"></a> [min\_instances](#input\_min\_instances) | Minimum number of instances to keep running | `string` | `"0"` | no |
@@ -60,8 +59,6 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_backend"></a> [backend](#output\_backend) | Backend service ID for load balancer (empty if skipNeg is true) |
-| <a name="output_gsa"></a> [gsa](#output\_gsa) | Name of the service account used by Cloud Run |
-| <a name="output_gsaEmail"></a> [gsaEmail](#output\_gsaEmail) | Email address of the service account used by Cloud Run |
 | <a name="output_name"></a> [name](#output\_name) | Map of region to Cloud Run service names |
 | <a name="output_url"></a> [url](#output\_url) | Primary Cloud Run service URL (first region) |
 | <a name="output_urls"></a> [urls](#output\_urls) | Map of region to Cloud Run service URLs |
diff --git a/main.tf b/main.tf
@@ -7,14 +7,8 @@ terraform {
   }
 }
 
-resource "google_service_account" "service_account" {
-  count      = var.gsa == "" ? 1 : 0
-  account_id = "cr-${var.name}"
-  project    = var.project
-}
-
 data "google_service_account" "service_account" {
-  account_id = var.gsa == "" ? google_service_account.service_account[0].name : var.gsa
+  account_id = var.gsa
   project    = var.project
 }
 
diff --git a/outputs.tf b/outputs.tf
@@ -23,13 +23,3 @@ output "url" {
   value       = values(google_cloud_run_v2_service.cloudrun)[0].uri
   description = "Primary Cloud Run service URL (first region)"
 }
-
-output "gsaEmail" {
-  value       = data.google_service_account.service_account.email
-  description = "Email address of the service account used by Cloud Run"
-}
-
-output "gsa" {
-  value       = data.google_service_account.service_account.name
-  description = "Name of the service account used by Cloud Run"
-}
diff --git a/variables.tf b/variables.tf
@@ -5,7 +5,6 @@ variable "name" {
 
 variable "gsa" {
   type        = string
-  default     = ""
   description = "Service account name the Cloud Run service will run as. If empty, creates a new one."
 }
 

Original file line number	Diff line number	Diff line change
`@@ -7,14 +7,8 @@ terraform {`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`
`10`		`-resource "google_service_account" "service_account" {`
`11`		`- count = var.gsa == "" ? 1 : 0`
`12`		`- account_id = "cr-${var.name}"`
`13`		`- project = var.project`
`14`		`-}`
`15`		`-`
`16`	`10`	`data "google_service_account" "service_account" {`
`17`		`- account_id = var.gsa == "" ? google_service_account.service_account[0].name : var.gsa`
	`11`	`+ account_id = var.gsa`
`18`	`12`	`project = var.project`
`19`	`13`	`}`
`20`	`14`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@ variable "name" {`
`5`	`5`
`6`	`6`	`variable "gsa" {`
`7`	`7`	`type = string`
`8`		`- default = ""`
`9`	`8`	`description = "Service account name the Cloud Run service will run as. If empty, creates a new one."`
`10`	`9`	`}`
`11`	`10`