From 399a9744be755f0818536932d03a9e53d5592c83 Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Fri, 27 Mar 2020 21:58:48 +0100
Subject: [PATCH] Add BQ SA datasource to the sidebar, plus docs and test. (#3317)
* Add BQ SA datasource to the sidebar, plus docs and test.
* email_address -> email
---
...google_bigquery_default_service_account.go | 2 +-
...e_bigquery_default_service_account_test.go | 31 +++++++++++++++++++
.../terraform/website-compiled/google.erb | 3 ++
...uery_default_service_account.html.markdown | 31 +++++++++++++------
4 files changed, 56 insertions(+), 11 deletions(-)
create mode 100644 third_party/terraform/tests/data_source_google_bigquery_default_service_account_test.go
diff --git a/third_party/terraform/data_sources/data_source_google_bigquery_default_service_account.go b/third_party/terraform/data_sources/data_source_google_bigquery_default_service_account.go
index 5599d0cb7b75..8eb24f56d37d 100644
--- a/third_party/terraform/data_sources/data_source_google_bigquery_default_service_account.go
+++ b/third_party/terraform/data_sources/data_source_google_bigquery_default_service_account.go
@@ -31,7 +31,7 @@ func dataSourceGoogleBigqueryDefaultServiceAccountRead(d *schema.ResourceData, m
 projectResource, err := config.clientBigQuery.Projects.GetServiceAccount(project).Do()
 if err != nil {
- return handleNotFoundError(err, d, "GCE service account not found")
+ return handleNotFoundError(err, d, "BigQuery service account not found")
 }
 d.SetId(projectResource.Email)
diff --git a/third_party/terraform/tests/data_source_google_bigquery_default_service_account_test.go b/third_party/terraform/tests/data_source_google_bigquery_default_service_account_test.go
new file mode 100644
index 000000000000..dc5132b4e33e
--- /dev/null
+++ b/third_party/terraform/tests/data_source_google_bigquery_default_service_account_test.go
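Review bot: The read path in dataSourceGoogleBigqueryDefaultServiceAccountRead still routes every lookup failure through `handleNotFoundError`, and only the message text changes here. That helper is defined outside this patch; if it handles a 404 the way resource reads usually do (clearing the ID and returning nil), the data source would succeed with an empty `email`, and the documented KMS binding would then be built from `serviceAccount:` with no address. For a data source it is safer to fail the read, e.g. `return fmt.Errorf("error reading BigQuery service account for project %q: %s", project, err)`, assuming `fmt` is imported in this file. The function body starts and ends outside the hunk.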
@@ -0,0 +1,31 @@
+package google
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccDataSourceGoogleBigqueryDefaultServiceAccount_basic(t *testing.T) {
+ t.Parallel()
+
+ resourceName := "data.google_bigquery_default_service_account.bq_account"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccCheckGoogleBigqueryDefaultServiceAccount_basic,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet(resourceName, "email"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccCheckGoogleBigqueryDefaultServiceAccount_basic = `
+data "google_bigquery_default_service_account" "bq_account" {
+}
+`
diff --git a/third_party/terraform/website-compiled/google.erb b/third_party/terraform/website-compiled/google.erb
index ed298232a3e9..3a1ae7b39bfb 100644
--- a/third_party/terraform/website-compiled/google.erb
+++ b/third_party/terraform/website-compiled/google.erb
@@ -41,6 +41,9 @@ > google_active_folder + > + google_bigquery_default_service_account + > google_billing_account
diff --git a/third_party/terraform/website/docs/d/google_bigquery_default_service_account.html.markdown b/third_party/terraform/website/docs/d/google_bigquery_default_service_account.html.markdown
index c9717c7ef3ac..2b7d5311cf93 100644
--- a/third_party/terraform/website/docs/d/google_bigquery_default_service_account.html.markdown
+++ b/third_party/terraform/website/docs/d/google_bigquery_default_service_account.html.markdown
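Review bot: The only assertion in TestAccDataSourceGoogleBigqueryDefaultServiceAccount_basic is `resource.TestCheckResourceAttrSet(resourceName, "email")`, which passes for any non-empty string. Since the documentation in this same patch feeds `email` straight into a `serviceAccount:` IAM member on a KMS key, the test should pin the shape of the value, for example `resource.TestMatchResourceAttr(resourceName, "email", regexp.MustCompile("@bigquery-encryption\\.iam\\.gserviceaccount\\.com$"))` (domain as described in the BigQuery CMEK documentation; confirm it before merging, and `regexp` would need importing). A second test step that sets `project` explicitly would also cover the one argument the data source accepts.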
@@ -4,32 +4,43 @@ layout: "google"
 page_title: "Google: google_bigquery_default_service_account"
 sidebar_current: "docs-google-datasource-bigquery-default-service-account"
 description: |-
- Retrieve default service account used by bigquery encryption in this project
+ Get the email address of the project's BigQuery service account
 ---
 # google\_bigquery\_default\_service\_account
-Use this data source to retrieve default service account for this project
+Get the email address of a project's unique BigQuery service account.
+
+Each Google Cloud project has a unique service account used by BigQuery. When using
+BigQuery with [customer-managed encryption keys](https://cloud.google.com/bigquery/docs/customer-managed-encryption),
+this account needs to be granted the
+`cloudkms.cryptoKeyEncrypterDecrypter` IAM role on the customer-managed Cloud KMS key used to protect the data.
+
+For more information see
+[the API reference](https://cloud.google.com/bigquery/docs/reference/rest/v2/projects/getServiceAccount).
 ## Example Usage
 ```hcl
-data "google_bigquery_default_service_account" "default" { }
-
-output "default_account" {
- value = "${data.google_bigquery_default_service_account.default.email}"
-}
+data "google_bigquery_default_service_account" "bq_sa" {
+}
+
+resource "google_kms_crypto_key_iam_member" "key_sa_user" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}"
+}
 ```
 ## Argument Reference
 The following arguments are supported:
-* `project` - (Optional) The project ID. If it is not provided, the provider project is used.
-
+* `project` - (Optional) The project the unique service account was created for. If it is not provided, the provider project is used.
 ## Attributes Reference
 The following attributes are exported:
-* `email` - Email address of the default service account used by bigquery encryption in this project
+* `email` - The email address of the service account. This value is often used to refer to the service account
+in order to grant IAM permissions.