Skip to content

Update main.tf #1025

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
PaggieChen wants to merge 1 commit into
base: main
Choose a base branch
from
+43 −40
Open

Update main.tf #1025

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 43 additions & 40 deletions modules/project_services/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,28 +1,41 @@
/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ... (License header preserved)
*/

# Get the project data to retrieve the Project Number
data "google_project" "project" {
project_id = var.project_id
}

locals {
activate_compute_identity = 0 != length([for i in var.activate_api_identities : i if i.api == "compute.googleapis.com"])
services = var.enable_apis ? toset(concat(var.activate_apis, [for i in var.activate_api_identities : i.api])) : toset([])

service_identities = flatten([
for i in var.activate_api_identities : [
for r in i.roles :
{ api = i.api, role = r }
]
])

# Deterministic construction of Service Agent emails to avoid 'null' errors.
# Format: service-PROJECT_NUMBER@gcp-sa-SERVICE_NAME.iam.gserviceaccount.com
# Note: Compute Engine is the exception as it uses the 'Default Compute Service Account'.
service_agent_emails = {
for i in var.activate_api_identities :
i.api => i.api == "compute.googleapis.com" ?
data.google_compute_default_service_account.default[0].email :
"service-${data.google_project.project.number}@gcp-sa-${replace(i.api, ".googleapis.com", "")}.iam.gserviceaccount.com"
}
Comment on lines +25 to +30
Copy link

@gemini-code-assist gemini-code-assist bot Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The deterministic construction of service agent emails assumes a single format (service-...@gcp-sa-...), which is not universally true for all Google Cloud services. This will cause failures for services with different service agent email formats, such as BigQuery or Cloud Storage.

To make this more robust, you could use a map of exceptions for services that don't follow the common pattern. Here is a suggested implementation using lookup to handle these exceptions. You may want to expand this map with other known exceptions.

  service_agent_emails = {
    for i in var.activate_api_identities :
    i.api => i.api == "compute.googleapis.com" ?
      data.google_compute_default_service_account.default[0].email :
      lookup(
        {
          "bigquery.googleapis.com" = "bq-${data.google_project.project.number}@bigquery-iam.gserviceaccount.com",
          "storage.googleapis.com"  = "service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
        },
        i.api,
        "service-${data.google_project.project.number}@gcp-sa-${replace(i.api, ".googleapis.com", "")}.iam.gserviceaccount.com"
      )
  }


add_service_roles = {
for si in local.service_identities :
"${si.api} ${si.role}" => {
email = local.service_agent_emails[si.api]
role = si.role
}
}
}

/******************************************
Expand All @@ -36,50 +49,40 @@ resource "google_project_service" "project_services" {
disable_dependent_services = var.disable_dependent_services
}

# First handle all service identities EXCEPT compute.googleapis.com.
# Still trigger the identity creation to ensure Google actually initializes them.
resource "google_project_service_identity" "project_service_identities" {
for_each = {
for i in var.activate_api_identities :
i.api => i
if i.api != "compute.googleapis.com"
}

provider = google-beta
project = var.project_id
service = each.value.api
provider = google-beta
project = var.project_id
service = each.value.api
depends_on = [google_project_service.project_services]
}

# Process the compute.googleapis.com identity separately, if present in the inputs.
# Handle Compute Engine default account
data "google_compute_default_service_account" "default" {
count = local.activate_compute_identity ? 1 : 0
project = var.project_id
}

locals {
add_service_roles = merge(
{
for si in local.service_identities :
"${si.api} ${si.role}" => {
email = google_project_service_identity.project_service_identities[si.api].email
role = si.role
}
if si.api != "compute.googleapis.com"
},
{
for si in local.service_identities :
"${si.api} ${si.role}" => {
email = data.google_compute_default_service_account.default[0].email
role = si.role
}
if si.api == "compute.googleapis.com"
}
)
count = local.activate_compute_identity ? 1 : 0
project = var.project_id
depends_on = [google_project_service.project_services]
}

/******************************************
IAM Roles for Service Identities
*****************************************/
resource "google_project_iam_member" "project_service_identity_roles" {
for_each = local.add_service_roles

project = var.project_id
role = each.value.role
member = "serviceAccount:${each.value.email}"

# Ensure identity is triggered before we try to assign roles
depends_on = [
google_project_service_identity.project_service_identities,
data.google_compute_default_service_account.default
]
}