-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add warning documenting behavior of the google_service_account_key resource for certain cases where the project cannot be inferred by terraform #5301
Conversation
…source for certain cases where the project cannot be inferred by terraform
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
Hello! I am a robot who works on Magic Modules PRs. I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review. Thanks for your contribution! A human will be with you soon. @melinath, please review this PR or find an appropriate assignee. |
@googlebot I signed it! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like it might be better to clarify the docs for service_account_id rather than adding a separate warning.
Also, this warning as written is not entirely correct (and neither is the current service_account_id). The project will be inferred if service_account_id is a full email address OR if it's a full URL like projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}
. It seems like the failure case is if just the first part of the email address is given?
@stangles are you still working on this PR? |
Yes, that matches my understanding. When taking a look back at how I reproduced the unexpected behavior stated in the issue, I believe I had specified the SA unique ID, thus tripping the same error (and also demonstrating how the current
Yes, apologies for the delayed response. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks a lot better but it seems like it should be possible to use projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}
according to these docs. Could you incorporate that information as well?
In case it's helpful here's the code the provider uses to calculate the actual service account id sent to the server: https://github.com/hashicorp/terraform-provider-google/blob/master/google/utils.go#L349
Done in f34e0f1
That was quite helpful, thank you for the documentation and code references. Hopefully I've got it right this time around 😄 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks a lot better - the one thing that seems to be missing is that I think it should be possible to use projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}
- could you include that as an option?
Yep, added in 35423ff which hopefully is unambiguous without being too wordy. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thanks!
Build failure is unrelated; this is docs only & will be fine after merge. |
…source for certain cases where the project cannot be inferred by terraform (GoogleCloudPlatform#5301) * Add warning documenting behavior of the google_service_account_key resource for certain cases where the project cannot be inferred by terraform * remove warning in favor of rewording service_account_id description * restore newline * clarify description to include '-' wildcard substitution * rewrite to include unique id * remove sa name as account option from fully qualified syntax
…source for certain cases where the project cannot be inferred by terraform (GoogleCloudPlatform#5301) * Add warning documenting behavior of the google_service_account_key resource for certain cases where the project cannot be inferred by terraform * remove warning in favor of rewording service_account_id description * restore newline * clarify description to include '-' wildcard substitution * rewrite to include unique id * remove sa name as account option from fully qualified syntax
…source for certain cases where the project cannot be inferred by terraform (GoogleCloudPlatform#5301) * Add warning documenting behavior of the google_service_account_key resource for certain cases where the project cannot be inferred by terraform * remove warning in favor of rewording service_account_id description * restore newline * clarify description to include '-' wildcard substitution * rewrite to include unique id * remove sa name as account option from fully qualified syntax
Resolves hashicorp/terraform-provider-google#9617.
Release Note Template for Downstream PRs (will be copied)