Fixes services accounts

2-multitenant/modules/env_baseline/outputs.tf

@@ -80,7 +80,7 @@ output "cluster_type" {
 output "cluster_service_accounts" {
   description = "The default service accounts used for nodes, if not overridden in node_pools."
   value = merge(
-    { for i, value in merge(module.gke-standard, module.gke-autopilot) : "cluster_${i}" => value.service_account },
-    { for i, value in module.eab_cluster_project : "project_${i}" => "${value.project_number}-compute@developer.gserviceaccount.com" }
+    { for i, value in merge(module.gke-standard, module.gke-autopilot) : "cluster_${var.env}_${i}" => value.service_account },
+    { for i, value in module.eab_cluster_project : "project_${var.env}_${i}" => "${value.project_number}-compute@developer.gserviceaccount.com" }
   )
 }

5-appinfra/apps/default-example/hello-world/envs/shared/main.tf

@@ -28,7 +28,7 @@ module "app" {
   project_id                 = local.app_admin_project
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
-  cluster_services_accounts  = tomap(local.cluster_services_accounts)
+  cluster_service_accounts   = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

5-appinfra/apps/default-example/hello-world/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["default-example.hello-world"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["default-example.hello-world"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

5-appinfra/modules/cicd-pipeline/artifact-registry.tf

@@ -30,7 +30,7 @@ resource "google_artifact_registry_repository_iam_member" "member" {
     cloud_deploy   = google_service_account.cloud_deploy.member,
     cloud_build_si = google_project_service_identity.cloudbuild_service_identity.member,
     compute        = data.google_compute_default_service_account.compute_service_identity.member,
-  }, var.cluster_services_accounts)
+  }, var.cluster_service_accounts)
 
   project    = var.project_id
   location   = var.region

5-appinfra/modules/cicd-pipeline/variables.tf

@@ -22,7 +22,7 @@ variable "region" {
   description = "CI/CD Region (e.g. us-central1)"
 }
 
-variable "cluster_services_accounts" {
+variable "cluster_service_accounts" {
   description = "Cluster services accounts to be granted the Artifact Registry reader role."
   type        = map(string)
 }

examples/cymbal-bank/5-appinfra/cymbal-bank/accounts-contacts/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/accounts-contacts/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.contacts"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.contacts"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-bank/5-appinfra/cymbal-bank/accounts-userservice/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/accounts-userservice/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.userservice"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.userservice"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-bank/5-appinfra/cymbal-bank/frontend/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/frontend/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.frontend"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.frontend"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-balancereader/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-balancereader/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.balancereader"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.balancereader"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-ledgerwriter/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-ledgerwriter/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.ledgerwriter"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.ledgerwriter"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-transactionhistory/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = local.service_name
   team_name              = local.team_name

examples/cymbal-bank/5-appinfra/cymbal-bank/ledger-transactionhistory/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.transactionhistory"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-bank.transactionhistory"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/cymbal-shop/5-appinfra/cymbal-shop/cymbalshop/envs/shared/main.tf

@@ -29,7 +29,7 @@ module "app" {
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
 
-  cluster_services_accounts = tomap(local.cluster_services_accounts)
+  cluster_service_accounts = { for i, sa in local.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
 
   service_name           = local.service_name

examples/cymbal-shop/5-appinfra/cymbal-shop/cymbalshop/envs/shared/remote.tf

@@ -15,9 +15,16 @@
  */
 
 locals {
-  cluster_membership_ids    = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
-  cluster_services_accounts = flatten([for state in data.terraform_remote_state.multitenant : state.outputs.cluster_service_accounts])
-  app_admin_project         = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-shop.cymbalshop"].app_admin_project_id
+  cluster_membership_ids = { for state in data.terraform_remote_state.multitenant : (state.outputs.env) => { "cluster_membership_ids" = (state.outputs.cluster_membership_ids) } }
+  cluster_service_accounts = zipmap(
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : keys(item.outputs.cluster_service_accounts)]
+    ),
+    flatten(
+      [for item in data.terraform_remote_state.multitenant : values(item.outputs.cluster_service_accounts)]
+    )
+  )
+  app_admin_project = data.terraform_remote_state.appfactory.outputs.app-group["cymbal-shop.cymbalshop"].app_admin_project_id
 }
 
 data "terraform_remote_state" "multitenant" {

examples/standalone_single_project/5-appinfra.tf

@@ -66,7 +66,7 @@ module "cicd" {
   project_id                 = var.project_id
   region                     = var.region
   env_cluster_membership_ids = local.cluster_membership_ids
-  cluster_services_accounts  = tomap(module.multitenant_infra.cluster_service_accounts)
+  cluster_service_accounts   = { for i, sa in module.multitenant_infra.cluster_service_accounts : (i) => "serviceAccount:${sa}" }
 
   service_name           = each.value.service_name
   team_name              = each.value.team_name

test/integration/fleetscope/fleetscope_test.go

@@ -182,10 +182,7 @@ func TestFleetscope(t *testing.T) {
 							controlPlaneManagement := result.Get("membershipStates").Get(memberShipName).Get("servicemesh.controlPlaneManagement.state").String()
 							if dataPlaneManagement == "PROVISIONING" || controlPlaneManagement == "PROVISIONING" {
 								retry = true
-							} else if (dataPlaneManagement == "ACTIVE" && controlPlaneManagement == "ACTIVE") && !retry {
-								// if there is no other membership still in PROVISIONING
-								retry = false
-							} else {
+							} else if !(dataPlaneManagement == "ACTIVE" && controlPlaneManagement == "ACTIVE") {
 								return false, fmt.Errorf("Service mesh provisioning failed for %s: dataPlaneManagement = %s and controlPlaneManagement = %s", memberShipName, dataPlaneManagement, controlPlaneManagement)
 							}
 						}