Feature: Require specifying the Google Service Account to run as. #20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mattmoor
commented
Feb 25, 2023
main.tf
Outdated
| # Service accounts can be 30 characters long, so truncate var.name to 23 chars. | ||
| account_id = "${substr(var.name, 0, 23)}-prober" | ||
| # Service accounts can be 30 characters long, so truncate var.name to 26 chars. | ||
| account_id = "${substr(var.name, 0, 26)}-prb" |
There was a problem hiding this comment.
The count change will trigger a delete/create, so this change is intentional in order to avoid a name collision with the tombstoned service account, since I don't believe TF is smart enough to simple bring back the tombstoned GSA.
There was a problem hiding this comment.
Hmm, I am tempted to just mail this required moving forward since the most simple case of feeding a GSA .email in here leads to:
Error: Invalid count argument
on .terraform/.../main.tf line 25, in resource "google_service_account" "prober":
25: count = var.service-account != "" ? 0 : 1
The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the
count depends on.
mattmoor
commented
Feb 25, 2023
| } | ||
|
|
||
| // Build the prober into an image we can run on Cloud Run. | ||
| resource "ko_image" "image" { | ||
| repo = local.repo |
There was a problem hiding this comment.
This is an improvement in newer releases of tf-ko :)
mattmoor
force-pushed
the
allow-specifying-gsa
branch
3 times, most recently
from
153ba95
to
fdcca9a
Compare
mattmoor
commented
Feb 25, 2023
Comment on lines
+19
to
+22
| - name: Dump README | ||
| if: failure() | ||
| run: | | ||
| cat README.md |
There was a problem hiding this comment.
This makes it easy to [ab]use CI to generate what the README should look like.
mattmoor
force-pushed
the
allow-specifying-gsa
branch
2 times, most recently
from
e107ff2
to
6215d43
Compare
mattmoor
changed the title
k4leung4
approved these changes
Feb 25, 2023
mattmoor
force-pushed
the
allow-specifying-gsa
branch
from
6215d43
to
51a1052
Compare
馃巵 This changes the module to require the caller to specify the google service account as which to run. This allows the caller to have greater control over the service account name, and to authorize the service account to take actions prior to invoking the module to spin up the Cloud Run service. /kind feature
mattmoor
force-pushed
the
allow-specifying-gsa
branch
from
51a1052
to
9c2863b
Compare
|
Going to merge this, since I believe it satisfies our needs, but will hold off on cutting a release until sometime next week. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
馃巵 This changes the module to allow the caller to specify the google service account as which to run.
This allows the caller to have greater control over the service account name, and to authorize the service account to take actions prior to invoking the module to spin up the Cloud Run service.
/kind feature