Use preexisting service account from another GCP project

[conchaox]

TL;DR

Use a preexisting SA from another GCP project different form the one where the module resources will be created.

Terraform Resources

No response

Detailed design

Is it possible to create the module resources using a preexisting GCP SA (K8s SA will have the same name)that belongs to a project different from the one where we are installing the module resources? I'm trying to do something like this:

`module "my-app-workload-identity" {
  source                          = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  use_existing_gcp_sa             = true
  gcp_sa_name                     = var.gcp_sa_name
  name                            = var.service_account != "" ? var.service_account : google_service_account.service_account[0].account_id
  namespace                       = kubernetes_namespace.namespace.metadata[0].name
  project_id                      = data.google_project.project.project_id
  automount_service_account_token = true
  roles = [
    "roles/cloudsql.client",
    "roles/iam.workloadIdentityUser",
    "roles/storage.admin",
  ]
}`

using `gcp_sa_name` I'm trying to pass the FQDN for an SA that belongs to a project different to  `project_id` this value should override whatever it it sin `var.name` according to the docs.

Additional information

No response

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days