fix: Don't attempt to activate service identity for compute.googleapi…

…s.com (#628)
terraform-google-modules · Oct 13, 2021 · 777092c · 777092c
1 parent 621c527
commit 777092c
Showing 1 changed file with 33 additions and 6 deletions.
diff --git a/modules/project_services/main.tf b/modules/project_services/main.tf
@@ -15,7 +15,8 @@
  */
 
 locals {
-  services = var.enable_apis ? toset(concat(var.activate_apis, [for i in var.activate_api_identities : i.api])) : toset([])
+  activate_compute_identity = 0 != length([for i in var.activate_api_identities : i if i.api == "compute.googleapis.com"])
+  services                  = var.enable_apis ? toset(concat(var.activate_apis, [for i in var.activate_api_identities : i.api])) : toset([])
   service_identities = flatten([
     for i in var.activate_api_identities : [
       for r in i.roles :
@@ -35,24 +36,50 @@ resource "google_project_service" "project_services" {
   disable_dependent_services = var.disable_dependent_services
 }
 
+# First handle all service identities EXCEPT compute.googleapis.com.
 resource "google_project_service_identity" "project_service_identities" {
   for_each = {
     for i in var.activate_api_identities :
     i.api => i
+    if i.api != "compute.googleapis.com"
   }
 
   provider = google-beta
   project  = var.project_id
   service  = each.value.api
 }
 
+# Process the compute.googleapis.com identity separately, if present in the inputs.
+data "google_compute_default_service_account" "default" {
+  count   = local.activate_compute_identity ? 1 : 0
+  project = var.project_id
+}
+
+locals {
+  add_service_roles = merge(
+    {
+      for si in local.service_identities :
+      "${si.api} ${si.role}" => {
+        email = google_project_service_identity.project_service_identities[si.api].email
+        role  = si.role
+      }
+      if si.api != "compute.googleapis.com"
+    },
+    {
+      for si in local.service_identities :
+      "${si.api} ${si.role}" => {
+        email = data.google_compute_default_service_account.default[0].email
+        role  = si.role
+      }
+      if si.api == "compute.googleapis.com"
+    }
+  )
+}
+
 resource "google_project_iam_member" "project_service_identity_roles" {
-  for_each = {
-    for si in local.service_identities :
-    "${si.api} ${si.role}" => si
-  }
+  for_each = local.add_service_roles
 
   project = var.project_id
   role    = each.value.role
-  member  = "serviceAccount:${google_project_service_identity.project_service_identities[each.value.api].email}"
+  member  = "serviceAccount:${each.value.email}"
 }