allow setting service account email for keys (#1256)

2024-06-29 06:42:36 +00:00 · 2018-03-26 15:44:34 -07:00 · 2018-03-26 15:44:34 -07:00 · 9fd4d02b89
commit 9fd4d02b89
parent 1b6b9ed126
3 changed files with 53 additions and 10 deletions
--- a/google/resource_google_service_account_key.go
+++ b/google/resource_google_service_account_key.go
@ -2,6 +2,7 @@ package google

 import (
 	"fmt"
+	"strings"

 	"github.com/hashicorp/terraform/helper/encryption"
 	"github.com/hashicorp/terraform/helper/schema"
@ -17,10 +18,9 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			// Required
 			"service_account_id": &schema.Schema{
-				Type:         schema.TypeString,
-				Required:     true,
-				ForceNew:     true,
-				ValidateFunc: validateRegexp(ServiceAccountLinkRegex),
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
 			},
 			// Optional
 			"key_algorithm": &schema.Schema{
@ -89,6 +89,9 @@ func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interfac
 	config := meta.(*Config)

 	serviceAccount := d.Get("service_account_id").(string)
+	if !strings.HasPrefix(serviceAccount, "projects/") {
+		serviceAccount = "projects/-/serviceAccounts/" + serviceAccount
+	}

 	r := &iam.CreateServiceAccountKeyRequest{
 		KeyAlgorithm:   d.Get("key_algorithm").(string),
--- a/google/resource_google_service_account_key_test.go
+++ b/google/resource_google_service_account_key_test.go
@ -34,6 +34,30 @@ func TestAccServiceAccountKey_basic(t *testing.T) {
 	})
 }

+func TestAccServiceAccountKey_fromEmail(t *testing.T) {
+	t.Parallel()
+
+	resourceName := "google_service_account_key.acceptance"
+	accountID := "a" + acctest.RandString(10)
+	displayName := "Terraform Test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccServiceAccountKey_fromEmail(accountID, displayName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleServiceAccountKeyExists(resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "public_key"),
+					resource.TestCheckResourceAttrSet(resourceName, "valid_after"),
+					resource.TestCheckResourceAttrSet(resourceName, "valid_before"),
+					resource.TestCheckResourceAttrSet(resourceName, "private_key"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccServiceAccountKey_pgp(t *testing.T) {
 	t.Parallel()
 	resourceName := "google_service_account_key.acceptance"
@ -86,7 +110,21 @@ resource "google_service_account" "acceptance" {
 }

 resource "google_service_account_key" "acceptance" {
-	service_account_id = "${google_service_account.acceptance.id}"
+	service_account_id = "${google_service_account.acceptance.name}"
+	public_key_type = "TYPE_X509_PEM_FILE"
+}
+`, account, name)
+}
+
+func testAccServiceAccountKey_fromEmail(account, name string) string {
+	return fmt.Sprintf(`
+resource "google_service_account" "acceptance" {
+	account_id = "%s"
+	display_name = "%s"
+}
+
+resource "google_service_account_key" "acceptance" {
+	service_account_id = "${google_service_account.acceptance.email}"
 	public_key_type = "TYPE_X509_PEM_FILE"
 }
 `, account, name)
@ -100,7 +138,7 @@ resource "google_service_account" "acceptance" {
 }

 resource "google_service_account_key" "acceptance" {
-	service_account_id = "${google_service_account.acceptance.id}"
+	service_account_id = "${google_service_account.acceptance.name}"
 	public_key_type = "TYPE_X509_PEM_FILE"
 	pgp_key = <<EOF
 %s
--- a/website/docs/r/google_service_account_key.html.markdown
+++ b/website/docs/r/google_service_account_key.html.markdown
@ -20,7 +20,7 @@ resource "google_service_account" "acceptance" {
 }

 resource "google_service_account_key" "acceptance" {
-  service_account_id = "${google_service_account.acceptance.id}"
+  service_account_id = "${google_service_account.acceptance.name}"
  public_key_type = "TYPE_X509_PEM_FILE"
 }
 ```
@ -33,7 +33,7 @@ resource "google_service_account" "myaccount" {
  display_name = "My Service Account"
 }
 resource "google_service_account_key" "mykey" {
-  service_account_id = "${google_service_account.myaccount.id}"
+  service_account_id = "${google_service_account.myaccount.name}"
 }
 resource "kubernetes_secret" "google-application-credentials" {
  metadata {
@ -54,7 +54,7 @@ resource "google_service_account" "acceptance" {
 }

 resource "google_service_account_key" "acceptance" {
-  service_account_id = "${google_service_account.acceptance.id}"
+  service_account_id = "${google_service_account.acceptance.name}"
  pgp_key = "keybase:keybaseusername"
  public_key_type = "TYPE_X509_PEM_FILE"
 }
@ -64,7 +64,9 @@ resource "google_service_account_key" "acceptance" {

 The following arguments are supported:

-* `service_account_id` - (Required) The Service account id of the Key Pair.
+* `service_account_id` - (Required) The Service account id of the Key Pair. This can be a string in the format
+`{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or
+unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.

 * `key_algorithm` - (Optional) The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
 Valid values are listed at