terraform-google-modules · ybelleguic · Jan 13, 2026 · gemini-code-assist · Jan 13, 2026 · gemini-code-assist
@@ -73,6 +73,7 @@ module "project-factory" {
   tag_binding_values                 = var.tag_binding_values
   cloud_armor_tier                   = var.cloud_armor_tier
   deletion_policy                    = var.deletion_policy
+  universe_subdomain                 = var.universe_subdomain
 }
 
 /******************************************
@@ -89,6 +90,7 @@ module "shared_vpc_access" {
   lookup_project_numbers             = false
   grant_services_security_admin_role = var.grant_services_security_admin_role
   grant_network_role                 = var.grant_network_role
+  universe_subdomain                 = var.universe_subdomain
   # Workaround for import complaining about count cannot determine resource instances
   # until apply. https://github.com/hashicorp/terraform/issues/24690
   depends_on = [module.project-factory.enabled_apis]

@@ -46,10 +46,12 @@ locals {
     "serviceAccount:%s",
     try(google_service_account.default_service_account[0].email, ""),
   ) : ""
-  api_s_account = format(
-    "%s@cloudservices.gserviceaccount.com",
-    google_project.main.number,
+  api_s_account = (
+    var.universe_subdomain != null ?
+    "${google_project.main.number}@cloudservices.${var.universe_subdomain}.iam.gserviceaccount.com" :
+    "${google_project.main.number}@cloudservices.gserviceaccount.com"
   )
+
   activate_apis       = var.activate_apis
   api_s_account_fmt   = format("serviceAccount:%s", local.api_s_account)
   project_bucket_name = var.bucket_name != "" ? var.bucket_name : format("%s-state", local.temp_project_id)

@@ -288,3 +288,9 @@ variable "deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "universe_subdomain" {
+  description = "When using a different universe than GCP (e.g s3ns), service accounts don't have the same domain. If set, the universe subdomain will be injected into the service accounts"
+  type        = string
+  default     = null
+}
@@ -100,6 +100,7 @@ module "project-factory" {
   default_service_account           = var.default_service_account
   disable_dependent_services        = var.disable_dependent_services
   default_network_tier              = var.default_network_tier
+  universe_subdomain                = var.universe_subdomain
 }
 
 /******************************************

@@ -244,3 +244,9 @@ variable "default_network_tier" {
   type        = string
   default     = ""
 }
+
+variable "universe_subdomain" {
+  description = "When using a different universe than GCP (e.g s3ns), service accounts don't have the same domain. If set, the universe subdomain will be injected into the service accounts"
+  type        = string
+  default     = null
+}
@@ -21,53 +21,54 @@ data "google_project" "service_project" {
 
 locals {
   service_project_number = var.lookup_project_numbers ? data.google_project.service_project[0].number : var.service_project_number
+  universe_subdomain     = var.universe_subdomain != null ? "${var.universe_subdomain}." : ""
   apis = {
     "container.googleapis.com" : {
-      service_account = format("service-%s@container-engine-robot.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@container-engine-robot.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "dataproc.googleapis.com" : {
-      service_account = format("service-%s@dataproc-accounts.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@dataproc-accounts.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     },
     "dataflow.googleapis.com" : {
-      service_account = format("service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@dataflow-service-producter-prod.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     },
     "datafusion.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-datafusion.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-datafusion.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkViewer"
     },
     "composer.googleapis.com" : {
-      service_account = format("service-%s@cloudcomposer-accounts.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@cloudcomposer-accounts.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "vpcaccess.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-vpcaccess.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "datastream.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-datastream.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-datastream.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "notebooks.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-notebooks.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-notebooks.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "networkconnectivity.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-networkconnectivity.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "run.googleapis.com" : {
-      service_account = format("service-%s@serverless-robot-prod.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@serverless-robot-prod.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "aiplatform.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@gcp-sa-aiplatform.${local.universe_subdomain}iam.gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
     "cloudbuild.googleapis.com" : {
-      service_account = format("%s@cloudbuild.gserviceaccount.com", local.service_project_number)
+      service_account = "service-${local.service_project_number}@cloudbuild.${local.universe_subdomain}gserviceaccount.com"
       role            = "roles/compute.networkUser"
     }
   }
@@ -143,7 +144,7 @@ resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet
     index(split("/", split(",", local.subnetwork_api[count.index])[1]), "regions") + 1,
   )
   project = var.host_project_id
-  member  = format("serviceAccount:%s@cloudservices.gserviceaccount.com", local.service_project_number)
+  member  = "serviceAccount:${local.service_project_number}@cloudservices.${local.universe_subdomain}gserviceaccount.com"
 }
 
 /******************************************
@@ -228,7 +229,7 @@ resource "google_project_iam_member" "managed_kafka_service_agent" {
   count   = local.managedkafka_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
   project = var.host_project_id
   role    = "roles/managedkafka.serviceAgent"
-  member  = format("serviceAccount:service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com", local.service_project_number)
+  member  = "serviceAccount:service-${local.service_project_number}@gcp-sa-managedkafka.${local.universe_subdomain}iam.gserviceaccount.com"
 }
 
 /******************************************

@@ -70,3 +70,9 @@ variable "grant_network_role" {
   type        = bool
   default     = true
 }
+
+variable "universe_subdomain" {
+  description = "When using a different universe than GCP (e.g s3ns), service accounts don't have the same domain. If set, the universe subdomain will be injected into the service accounts"
+  type        = string
+  default     = null
+}
@@ -60,6 +60,7 @@ module "project-factory" {
   disable_dependent_services        = var.disable_dependent_services
   default_network_tier              = var.default_network_tier
   deletion_policy                   = var.deletion_policy
+  universe_subdomain                = var.universe_subdomain
 }
 
 /******************************************
@@ -76,6 +77,7 @@ module "shared_vpc_access" {
   lookup_project_numbers             = false
   grant_services_security_admin_role = var.grant_services_security_admin_role
   grant_network_role                 = var.grant_network_role
+  universe_subdomain                 = var.universe_subdomain
   # Workaround for import complaining about count cannot determine resource instances
   # until apply. https://github.com/hashicorp/terraform/issues/24690
   depends_on = [module.project-factory.enabled_apis]

@@ -234,3 +234,9 @@ variable "deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "universe_subdomain" {
+  description = "When using a different universe than GCP (e.g s3ns), service accounts don't have the same domain. If set, the universe subdomain will be injected into the service accounts"
+  type        = string
+  default     = null
+}
@@ -377,3 +377,9 @@ variable "deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "universe_subdomain" {
+  description = "When using a different universe than GCP (e.g s3ns), service accounts don't have the same domain. If set, the universe subdomain will be injected into the service accounts"
+  type        = string
+  default     = null
+}