
Set google_service_account IAM-related fields during plan stage #11929

Merged


mikesmitty
Contributor

@mikesmitty mikesmitty commented Oct 4, 2024

This sets the IAM-related fields on google_service_account with CustomizeDiff so they won't be "known after apply" and can be used to set IAM rules in a single TF run. I couldn't find any existing issues around it, but it has been a thorn in my side for a while.

Release Note Template for Downstream PRs (will be copied)

resourcemanager: made `google_service_account` `email` and `member` fields available during plan

@github-actions github-actions bot requested a review from melinath October 4, 2024 21:01

github-actions bot commented Oct 4, 2024

Hello! I am a robot. Tests will require approval from a repository maintainer to run.

@melinath, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Oct 4, 2024
@mikesmitty
Contributor Author

Did some local tests and it appears to be working as intended:

Terraform will perform the following actions:

  # google_service_account.service_account will be created
  + resource "google_service_account" "service_account" {
      + account_id = "test-account"
      + disabled   = false
      + email      = "[email protected]"
      + id         = (known after apply)
      + member     = "serviceAccount:[email protected]"
      + name       = (known after apply)
      + project    = "my-project-id"
      + unique_id  = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

@modular-magician modular-magician added service/iam-serviceaccount and removed awaiting-approval Pull requests that need reviewer's approval to run presubmit tests labels Oct 8, 2024
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 1 file changed, 22 insertions(+))
google-beta provider: Diff ( 1 file changed, 22 insertions(+))

Member

@melinath melinath left a comment


Thanks for your contribution & patience; apologies for the delayed review. This is a slightly unusual contribution that we don't have a lot of precedent for so I'm going to check with teammates about whether there's anything specific to look out for here.

I've left a couple comments down below in the meantime. No worries if you'd prefer to wait to hear if there are any blockers before proceeding.

@modular-magician
Collaborator

Tests analytics

Total tests: 147
Passed tests: 117
Skipped tests: 30
Affected tests: 0

Click here to see the affected service packages
  • resourcemanager

🟢 All tests passed!

View the build log

@github-actions github-actions bot requested a review from melinath October 9, 2024 16:48
@modular-magician modular-magician added awaiting-approval Pull requests that need reviewer's approval to run presubmit tests and removed awaiting-approval Pull requests that need reviewer's approval to run presubmit tests labels Oct 9, 2024
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 1 file changed, 22 insertions(+))
google-beta provider: Diff ( 1 file changed, 22 insertions(+))

@modular-magician
Collaborator

Tests analytics

Total tests: 147
Passed tests: 117
Skipped tests: 30
Affected tests: 0

Click here to see the affected service packages
  • resourcemanager

🟢 All tests passed!

View the build log


@melinath This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

Member

@melinath melinath left a comment


We're okay with this change in a general sense. I'm double-checking to make sure that it's safe for us to always assume the service account will have the expected format. (I think it should be?)

note to self: yaqs/6281398878809882624.

@melinath
Member

Regarding the failed TGC tests - you'll need to account for the fact that references to service account emails are known before apply in two files:

@melinath
Member

It looks like TGC already has custom logic to add the email into the API object (to get around the fact it's missing in the plan): https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/aa4f4879b9078957d64d3dc68342817020601124/tfplan2cai/converters/google/resources/services/resourcemanager/service_account.go#L104-L107 So at least the person who made that change also thought that was safe to compute ahead of time.

@melinath
Member

The format for the service account is documented here: https://cloud.google.com/iam/docs/service-accounts-create#creating so it should definitely be safe to precompute as long as the universe_domain is googleapis.com. I'm working on figuring out the best way to express that conditional - we may want to add a reusable function for it.


@mikesmitty, this PR is waiting for action from you. If no action is taken, this PR will be closed in 28 days.

Please address any comments or change requests, or re-request review from a core reviewer if no action is required.


This notification can be disabled with the disable-automatic-closure label.

@mikesmitty
Contributor Author

Thanks for the tips, I'll be back to work on this in a bit

@github-actions github-actions bot requested a review from melinath October 29, 2024 16:48
Member

@melinath melinath left a comment


ah, thanks! I don't have any updates on a "reusable function" but config.UniverseDomain is where you can check whether it's in the standard universe domain I mentioned above.
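To make the plan-time computation discussed in this thread concrete, here is an added, stand-alone Go example (written for this page, not code from the PR or from the terraform-provider-google code base). It models the two conditions the reviewer raised: the email is derived as ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com only when the project is already known and the universe domain is googleapis.com, and a post-apply check confirms the API returned the same email the plan promised, since any IAM binding planned against `member` would otherwise target a different principal. The provider's real implementation hangs this off CustomizeDiff and reads config.UniverseDomain; this example replaces those with plain function parameters, and the account_id regex is my own reading of the documented constraint, not the provider's validation.

```go
package main

import (
	"fmt"
	"regexp"
)

// DefaultUniverseDomain is the universe in which the documented email format
// ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com is guaranteed to hold.
const DefaultUniverseDomain = "googleapis.com"

// accountIDPattern is an assumption for this example: 6-30 lowercase letters,
// digits or hyphens, starting with a letter. It is not the provider's own check.
var accountIDPattern = regexp.MustCompile(`^[a-z][a-z0-9-]{5,29}$`)

// PlannedServiceAccount holds what a plan can show for a service account.
// An empty Email or Member stands for Terraform's "(known after apply)".
type PlannedServiceAccount struct {
	AccountID string
	Project   string
	Email     string
	Member    string
}

// PrecomputeIdentity derives email and member at plan time when, and only when,
// the inputs guarantee the documented format: a valid account_id, a project that
// is already known, and the default universe domain. Otherwise both fields are
// left unknown rather than guessed.
func PrecomputeIdentity(accountID, project, universeDomain string) (PlannedServiceAccount, error) {
	sa := PlannedServiceAccount{AccountID: accountID, Project: project}
	if !accountIDPattern.MatchString(accountID) {
		return sa, fmt.Errorf("account_id %q does not match the expected format", accountID)
	}
	if project == "" {
		// The project may itself be computed by another resource; then the
		// email cannot be known before apply either.
		return sa, nil
	}
	if universeDomain != "" && universeDomain != DefaultUniverseDomain {
		// Outside googleapis.com the email format is not documented, so leave
		// the fields unknown instead of planning a binding for a wrong principal.
		return sa, nil
	}
	sa.Email = fmt.Sprintf("%s@%s.iam.gserviceaccount.com", accountID, project)
	sa.Member = "serviceAccount:" + sa.Email
	return sa, nil
}

// CheckAppliedEmail is the post-apply guard that makes the precomputation safe:
// if the API returns a different email than the plan promised, IAM bindings
// planned against sa.Member would grant access to the wrong principal.
func CheckAppliedEmail(sa PlannedServiceAccount, appliedEmail string) error {
	if sa.Email == "" {
		return nil // nothing was promised at plan time
	}
	if appliedEmail != sa.Email {
		return fmt.Errorf("planned email %q but API returned %q", sa.Email, appliedEmail)
	}
	return nil
}

// RenderPlanLine mimics one "+ field = value" line of terraform plan output.
func RenderPlanLine(field, value string) string {
	if value == "" {
		return fmt.Sprintf("      + %-10s = (known after apply)", field)
	}
	return fmt.Sprintf("      + %-10s = %q", field, value)
}

func main() {
	// Constructed inputs matching the plan shown earlier in the thread.
	sa, err := PrecomputeIdentity("test-account", "my-project-id", DefaultUniverseDomain)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(RenderPlanLine("account_id", sa.AccountID))
	fmt.Println(RenderPlanLine("email", sa.Email))
	fmt.Println(RenderPlanLine("member", sa.Member))
	fmt.Println(RenderPlanLine("project", sa.Project))

	// The same account in a non-default universe: the fields stay unknown.
	other, _ := PrecomputeIdentity("test-account", "my-project-id", "example.test")
	fmt.Println(RenderPlanLine("email", other.Email))
}
```

The design choice worth noting is that every path that cannot prove the format returns an unknown value rather than a best guess: an unknown is merely inconvenient for a single-run apply, while a wrong precomputed `member` would be silently written into an IAM policy.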

@mikesmitty mikesmitty force-pushed the ms/set-sa-outputs-during-plan branch from b8baf66 to 1c4d7c0 November 8, 2024 19:11
@github-actions github-actions bot requested a review from melinath November 8, 2024 19:12
@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 8, 2024
chore: add fallback project id to test case
@mikesmitty
Contributor Author

@melinath I added a basic reusable function to get the UniverseDomain since I wasn't sure what other use cases there might be for it. I'm open to suggestions if you had something else in mind however

@modular-magician modular-magician removed the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 18, 2024
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 205 insertions(+))
google-beta provider: Diff ( 5 files changed, 205 insertions(+))
terraform-google-conversion: Diff ( 2 files changed, 3 insertions(+), 2 deletions(-))

@modular-magician
Collaborator

Tests analytics

Total tests: 4303
Passed tests: 3891
Skipped tests: 411
Affected tests: 1

Click here to see the affected service packages

All service packages are affected

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccComputeInstanceNetworkIntefaceWithSecurityPolicy

Get to know how VCR tests work

@modular-magician
Collaborator

🔴 Tests failed during RECORDING mode:
TestAccComputeInstanceNetworkIntefaceWithSecurityPolicy [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 21, 2024
@modular-magician modular-magician removed the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 21, 2024
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 178 insertions(+))
google-beta provider: Diff ( 5 files changed, 178 insertions(+))
terraform-google-conversion: Diff ( 2 files changed, 3 insertions(+), 2 deletions(-))

Errors

Other:

  • Failed to update breaking-change status check with state: success

@melinath
Member

/gcbrun

@modular-magician modular-magician added the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 21, 2024

@melinath This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

@modular-magician modular-magician removed the awaiting-approval Pull requests that need reviewer's approval to run presubmit tests label Nov 27, 2024
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 178 insertions(+))
google-beta provider: Diff ( 5 files changed, 178 insertions(+))
terraform-google-conversion: Diff ( 2 files changed, 3 insertions(+), 2 deletions(-))

@modular-magician
Collaborator

Tests analytics

Total tests: 4322
Passed tests: 3907
Skipped tests: 407
Affected tests: 8

Click here to see the affected service packages

All service packages are affected

Action taken

Found 8 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
  • TestAccOracleDatabaseAutonomousDatabase_basic
  • TestAccOracleDatabaseAutonomousDatabases_basic
  • TestAccOracleDatabaseCloudExadataInfrastructure_basic
  • TestAccOracleDatabaseCloudExadataInfrastructures_basic
  • TestAccOracleDatabaseCloudVmCluster_basic
  • TestAccOracleDatabaseDbNodes_basic
  • TestAccOracleDatabaseDbServers_basic
  • TestAccSecureSourceManagerInstance_secureSourceManagerInstancePrivatePscBackendExample

Get to know how VCR tests work

@modular-magician
Collaborator

🔴 Tests failed during RECORDING mode:
TestAccOracleDatabaseAutonomousDatabase_basic [Error message] [Debug log]
TestAccOracleDatabaseAutonomousDatabases_basic [Error message] [Debug log]
TestAccOracleDatabaseCloudExadataInfrastructure_basic [Error message] [Debug log]
TestAccOracleDatabaseCloudExadataInfrastructures_basic [Error message] [Debug log]
TestAccOracleDatabaseCloudVmCluster_basic [Error message] [Debug log]
TestAccOracleDatabaseDbNodes_basic [Error message] [Debug log]
TestAccOracleDatabaseDbServers_basic [Error message] [Debug log]
TestAccSecureSourceManagerInstance_secureSourceManagerInstancePrivatePscBackendExample [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

@melinath
Member

The test failures are unrelated.

Member

@melinath melinath left a comment


LGTM - I did some additional manual testing and this seems to work as I'd expect. Thanks for sticking with this and adding thorough tests!
