Default service account not disabled by google_project_default_service_accounts resource

[danielpeng2]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.7.5 on linux_amd64

• provider registry.terraform.io/hashicorp/google v5.23.0

Affected Resource(s)

google_project_default_service_accounts

Terraform Configuration

resource "google_project_default_service_accounts" "disable_default_service_accounts" {
  project        = var.project_id
  action         = "DISABLE"
  restore_policy = "REVERT"
}

Debug Output

No response

Expected Behavior

In my GCP project, I have a default service account with the name Default compute service account. I expected this service account to be disabled.

Actual Behavior

The default service account wasn't disabled.

Looking at the code, it seems like this resource expects a service account with the name compute engine default service account. However, in my GCP projects, sometimes this default service account will have a different name (Default compute service account). I'm not entirely sure what causes the naming to be different, but I believe these accounts are functionally the same and accounts with either name should be disabled by this resource. https://github.com/hashicorp/terraform-provider-google/blob/72ca8f0668ff02a83f46e2ab5e9ee84114a4272f/google/services/resourcemanager/resource_google_project_default_service_accounts.go#L216-L225

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

No response

[ggtisc]

Hi @danielpeng2!

I tried to replicate this issue, but after executing the code the tfstate file shows the action with the value "DISABLE" indicating that the action was successfully generated without errors. Remember that the default service accounts are generated by GCP, there aren't custom service accounts like google_service_account resources that you can create by yourself.

The primary purpose of using action = "DISABLE" in the google_project_default_service_accounts resource is to prevent the creation of default service accounts for a GCP project. These default service accounts are system-generated and have broad permissions.

When you set action = "DISABLE", Terraform will attempt to prevent the creation of these default service accounts. However, it's important to note that:

• Existing Default Service Accounts: This action doesn't affect any default service accounts that might already exist in the project.
• GCP's Internal Management: GCP has its own mechanisms for managing default service accounts, and there's no guarantee that Terraform can completely prevent their creation in all circumstances.
• Limited Control: You have minimal control over the behavior of these default service accounts even if you prevent their creation.