hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Data source for google_project_service_identity #19679

Open mans0954 opened 1 month ago

mans0954 commented 1 month ago


Description

It is often necessary to reference a service agent in IAM config - either in a google_iam_policy or an ACL on an individual resource e.g. google_storage_bucket_iam_binding.

The existing google_project_service_identity is designed to cater for the possibility where the service agent does not exist, and therefore any reference to the member attribute will result in (known after apply) in the terraform plan the first time it is run.

A complex environment will often be broken down into a series of terraform configurations. I would envisage having one terraform configuration which initialises service agents and then subsequent configurations for setting google_project_iam_policy and policy on individual resources.

Therefore I would like a google_project_service_identity data source which assumes that the service agent has previously been created (e.g. by the google_project_service_identity resource) and is therefore able to populate the member attribute on the first plan to avoid the large diffs which are otherwise generated in google_iam_policy.

New or Affected Resource(s)

Potential Terraform Configuration

Service Agent terraform configuration (does not assume agent already exists)

resource "google_project_service_identity" "storage-insights" {
  provider = google-beta
  project = var.project_id
  service = "storageinsights.googleapis.com"
}

GCS Bucket terraform configuration (assumes agent already exists so that the e-mail address can be determined)

data "google_project_service_identity" "storage-insights" {
  provider = google-beta
  project = var.project_id
  service = "storageinsights.googleapis.com"
}

resource "google_storage_bucket_iam_binding" "storage-insights-reports-objectuser" {
  bucket = google_storage_bucket.storage-insights-reports.name
  members = [
    # reference the data source declared above, not the resource from the other configuration
    data.google_project_service_identity.storage-insights.member,
  ]
  role = "roles/storage.objectUser"
}

References

No response

b/370524643
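Until a data source of this kind exists, one way to get a member value that is already known at plan time across the configuration split described above is to export it from the service-agent configuration and read it back via remote state in the bucket configuration. This is an added illustration, not code from the issue or the provider; the GCS state bucket name and prefix are placeholders.

```hcl
# Configuration A (service agents): creates the agent and exports its member.
resource "google_project_service_identity" "storage-insights" {
  provider = google-beta
  project  = var.project_id
  service  = "storageinsights.googleapis.com"
}

output "storage_insights_member" {
  # e.g. "serviceAccount:service-<project-number>@gcp-sa-storageinsights.iam.gserviceaccount.com"
  value = google_project_service_identity.storage-insights.member
}

# Configuration B (buckets): reads the exported member from configuration A's state.
# Both the state bucket and the prefix are placeholders, not values from the issue.
data "terraform_remote_state" "service_agents" {
  backend = "gcs"
  config = {
    bucket = "TF_STATE_BUCKET_PLACEHOLDER"
    prefix = "service-agents"
  }
}

resource "google_storage_bucket_iam_binding" "storage-insights-reports-objectuser" {
  bucket = google_storage_bucket.storage-insights-reports.name
  role   = "roles/storage.objectUser"
  members = [
    # Known at plan time because configuration A has already been applied,
    # so the binding shows its real member instead of (known after apply).
    data.terraform_remote_state.service_agents.outputs.storage_insights_member,
  ]
}
```

Configuration B still fails at plan time if configuration A has not been applied, which is the same "agent must already exist" assumption the proposed data source would make explicit.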

melinath commented 1 month ago

Note from triage: This resource currently uses https://cloud.google.com/service-usage/docs/reference/rest/v1beta1/services/generateServiceIdentity, which uses a POST method and has side effects. Implementing a data source as suggested here would require server-side support for a GET call with no side effects that fails if the service identity doesn't exist.

benhxy commented 1 month ago

watching

benhxy commented 1 month ago

This and https://github.com/hashicorp/terraform-provider-google/issues/18649 face the same problem: what should we return when there are multiple service agents under one service?

melinath commented 1 month ago

That could be resolved in the data source case by creating a plural data source that returns all the service agents for a single service (if there's an API that allows that) and/or by having the new GET method take additional parameters that allow the user to specify which of the service's agents they want to get information about.