Create data source `google_pubsub_project_service_account`

[joe-a-t]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

In the same way that https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/storage_project_service_account exists for the magic storage service account, an equivalent data source should exist for the pubsub service account. This would be helpful so that we don't have to construct it ourselves for setting up dead letter queues and granting the relevant permissions associated with that process.

New or Affected Resource(s)

• google_pubsub_project_service_account data source

Potential Terraform Configuration

data "google_pubsub_project_service_account" "gsa" {}

References

• 0000

[rileykarson]

Does https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity work? It's a generic resource that works across most APIs, and obsoletes the need for service-specific methods.

[joe-a-t]

Hey @rileykarson,

Unfortunately https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity does not work for us since the email value is not known until apply with it being a resource where email is an attribute instead of a data source. If https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity was instead a data source that functioned like https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/storage_project_service_account and others, that could work

[rileykarson]

Sorry for the delay in getting back here! What changes when you don't know the email between plan and apply time, sorry? This resource does make a mutate call to its API, as not all APIs provision the service account prior to use.

[joe-a-t]

The issue is related to doing a for_each over a list of GCP IAM members (or a map where the members are the keys). In a case like project_service_identity where the value is not known until apply, it means that the output then cannot be used as a key in a for_each or else you will get the dreaded plan failure since all of the keys of a for_each must be known during the plan phase.

As a result, right now we would have to either 1) order the addition of the project_service_identity in a separate apply before adding the IAM permissions (which has a bunch of downsides in any re-creation scenario like disaster recovery) or 2) hardcode the GSA/construct it with already known values and hope the naming convention never changes.

If you had some generic project_service_identity data source that took a service = "pubsub" or something argument, that could potentially work if it provides the GSA's identity on plan phase.

[LordMike]

Just chiming in that I didn't know about google_project_service_identity and it resolved my issue. I needed exactly to find the pubsub service account, and I managed to do this with the below. I'm adding it for future searchers who might not know what the service should be.

resource "google_project_service_identity" "pubsub_sa" {
  provider = google-beta

  project = data.google_client_config.current.project
  service = "pubsub.googleapis.com"
}

[rileykarson]

Closing in favour of service identity- there's no API method to get this under https://cloud.google.com/pubsub/docs/reference/rest