Use a local instead of data source

hashicorp/terraform-provider-google#8326
google · Jan 28, 2021 · d14949d · d14949d
1 parent bda6be5
commit d14949d
Show file tree

Hide file tree

Showing 14 changed files with 25 additions and 31 deletions.
diff --git a/terraform/binary_authorization.tf b/terraform/binary_authorization.tf
@@ -79,7 +79,7 @@ resource "google_binary_authorization_attestor" "built-by-ci" {
 resource "google_project_iam_member" "ci-notes" {
   project = var.project
   role    = "roles/containeranalysis.notes.attacher"
-  member  = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member  = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -90,7 +90,7 @@ resource "google_binary_authorization_attestor_iam_member" "ci-attestor" {
   project  = var.project
   attestor = google_binary_authorization_attestor.built-by-ci.id
   role     = "roles/binaryauthorization.attestorsViewer"
-  member   = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member   = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -127,7 +127,7 @@ resource "google_kms_crypto_key_iam_binding" "ci-attest" {
   role          = "roles/cloudkms.signerVerifier"
 
   members = [
-    "serviceAccount:${data.google_service_account.cloudbuild.email}",
+    "serviceAccount:${local.cloudbuild_email}",
   ]
 
   depends_on = [

diff --git a/terraform/build.tf b/terraform/build.tf
@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+locals {
+  cloudbuild_email = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
+}
+
 resource "google_storage_bucket" "cloudbuild-cache" {
   project  = var.project
   name     = "${var.project}-cloudbuild-cache"
@@ -39,15 +43,5 @@ resource "google_storage_bucket" "cloudbuild-cache" {
 resource "google_storage_bucket_iam_member" "cloudbuild-cache" {
   bucket = google_storage_bucket.cloudbuild-cache.name
   role   = "roles/storage.objectAdmin"
-  member = "serviceAccount:${data.google_service_account.cloudbuild.email}"
-}
-
-
-data "google_service_account" "cloudbuild" {
-  account_id = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
-
-  depends_on = [
-    google_project_service.services["iam.googleaips.com"],
-    google_project_service.services["cloudbuild.googleaips.com"],
-  ]
+  member = "serviceAccount:${local.cloudbuild_email}"
 }
diff --git a/terraform/database.tf b/terraform/database.tf
@@ -254,7 +254,7 @@ resource "google_secret_manager_secret_version" "db-verification-code-hmac" {
 resource "google_secret_manager_secret_iam_member" "cloudbuild-db-pwd" {
   secret_id = google_secret_manager_secret.db-secret["password"].id
   role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member    = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -264,7 +264,7 @@ resource "google_secret_manager_secret_iam_member" "cloudbuild-db-pwd" {
 resource "google_secret_manager_secret_iam_member" "cloudbuild-db-apikey-db-hmac" {
   secret_id = google_secret_manager_secret.db-apikey-db-hmac.id
   role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member    = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -274,7 +274,7 @@ resource "google_secret_manager_secret_iam_member" "cloudbuild-db-apikey-db-hmac
 resource "google_secret_manager_secret_iam_member" "cloudbuild-db-apikey-sig-hmac" {
   secret_id = google_secret_manager_secret.db-apikey-sig-hmac.id
   role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member    = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -284,7 +284,7 @@ resource "google_secret_manager_secret_iam_member" "cloudbuild-db-apikey-sig-hma
 resource "google_secret_manager_secret_iam_member" "cloudbuild-db-verification-code-hmac" {
   secret_id = google_secret_manager_secret.db-verification-code-hmac.id
   role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member    = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],
@@ -295,7 +295,7 @@ resource "google_secret_manager_secret_iam_member" "cloudbuild-db-verification-c
 resource "google_project_iam_member" "cloudbuild-sql" {
   project = var.project
   role    = "roles/cloudsql.client"
-  member  = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member  = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"]
@@ -306,7 +306,7 @@ resource "google_project_iam_member" "cloudbuild-sql" {
 resource "google_kms_crypto_key_iam_member" "database-database-encrypter" {
   crypto_key_id = google_kms_crypto_key.database-encrypter.self_link
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member        = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"]

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -135,7 +135,7 @@ resource "null_resource" "build" {
 resource "google_project_iam_member" "cloudbuild-deploy" {
   project = var.project
   role    = "roles/run.admin"
-  member  = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member  = "serviceAccount:${local.cloudbuild_email}"
 
   depends_on = [
     google_project_service.services["cloudbuild.googleapis.com"],

diff --git a/terraform/service_admin_apiserver.tf b/terraform/service_admin_apiserver.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "adminapi" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-adminapi" {
   service_account_id = google_service_account.adminapi.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "adminapi-observability" {

diff --git a/terraform/service_apiserver.tf b/terraform/service_apiserver.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "apiserver" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-apiserver" {
   service_account_id = google_service_account.apiserver.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "apiserver-observability" {

diff --git a/terraform/service_appsync.tf b/terraform/service_appsync.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "appsync" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-appsync" {
   service_account_id = google_service_account.appsync.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "appsync-observability" {

diff --git a/terraform/service_cleanup.tf b/terraform/service_cleanup.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "cleanup" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-cleanup" {
   service_account_id = google_service_account.cleanup.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "cleanup-observability" {

diff --git a/terraform/service_e2e_runner.tf b/terraform/service_e2e_runner.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "e2e-runner" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-e2e-runner" {
   service_account_id = google_service_account.e2e-runner.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "e2e-runner-observability" {

diff --git a/terraform/service_modeler.tf b/terraform/service_modeler.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "modeler" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-modeler" {
   service_account_id = google_service_account.modeler.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "modeler-observability" {

diff --git a/terraform/service_redirect.tf b/terraform/service_redirect.tf
@@ -22,7 +22,7 @@ resource "google_service_account" "enx-redirect" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-enx-redirect" {
   service_account_id = google_service_account.enx-redirect.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "enx-redirect-observability" {

diff --git a/terraform/service_rotation.tf b/terraform/service_rotation.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "rotation" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-rotation" {
   service_account_id = google_service_account.rotation.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "rotation-observability" {

diff --git a/terraform/service_server.tf b/terraform/service_server.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "server" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-server" {
   service_account_id = google_service_account.server.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "server-observability" {

diff --git a/terraform/service_stats_puller.tf b/terraform/service_stats_puller.tf
@@ -21,7 +21,7 @@ resource "google_service_account" "stats-puller" {
 resource "google_service_account_iam_member" "cloudbuild-deploy-stats-puller" {
   service_account_id = google_service_account.stats-puller.id
   role               = "roles/iam.serviceAccountUser"
-  member             = "serviceAccount:${data.google_service_account.cloudbuild.email}"
+  member             = "serviceAccount:${local.cloudbuild_email}"
 }
 
 resource "google_project_iam_member" "stats-puller-observability" {