feat(sa): Adjustment to the SA description and reference to the member attribute (#2518)

jullianow · web-flow · commit b4ac6d995aa4 · 2026-01-23T10:20:35.000-08:00
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access {% if autopilot_cluster != true %}&& var.enable_gcfs {% endif %}? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 {% if beta_cluster %}
 
@@ -100,6 +101,6 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
 {% endif %}
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,21 +72,21 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_service_identity" "fleet_project" {
@@ -99,5 +100,5 @@ resource "google_project_iam_member" "service_agent" {
   for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
   project  = var.project_id
   role     = each.value
-  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+  member   = google_project_service_identity.fleet_project[0].member
 }
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.create_service_account ? 1 : 0
   project      = var.project_id
   account_id   = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
-  display_name = "Terraform-managed service account for cluster ${var.name}"
+  description  = "Terraform-managed service account for cluster ${var.name}"
+  display_name = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
 }
 
 resource "google_project_iam_member" "cluster_service_account_node_service_account" {
@@ -71,19 +72,19 @@ resource "google_project_iam_member" "cluster_service_account_gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/storage.objectViewer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_artifact_registry" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/artifactregistry.reader"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
 
 resource "google_project_iam_member" "cluster_service_account_service_usage_consumer" {
   for_each = var.create_service_account && var.grant_registry_access && var.enable_gcfs ? toset(local.registry_projects_list) : []
   project  = each.key
   role     = "roles/serviceusage.serviceUsageConsumer"
-  member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+  member   = google_service_account.cluster_service_account[0].member
 }
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
diff --git a/sa.tf b/sa.tf
diff --git a/test/integration/beta_cluster/beta_cluster_test.go b/test/integration/beta_cluster/beta_cluster_test.go
diff --git a/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go b/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go
