Cannot lookup Cloud Build service account with data source. #8326

Closed
sethvargo opened this issue Jan 28, 2021 · 4 comments · Fixed by GoogleCloudPlatform/magic-modules#4446, hashicorp/terraform-provider-google-beta#2917 or #8344
Assignees
Labels
bug forward/review In review; remove label to forward service/iam-serviceaccount

Comments

@sethvargo
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.5

Affected Resource(s)

  • data.google_service_account

Terraform Configuration Files

data "google_service_account" "cloudbuild" {
  account_id = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"
}

Error Output

Error: "account_id" ("648217170662@cloudbuild.gserviceaccount.com") doesn't match regexp "^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$"

  on .terraform/modules/en/terraform/build.tf line 47, in data "google_service_account" "cloudbuild":
  47:   account_id = "${data.google_project.project.number}@cloudbuild.gserviceaccount.com"

Expected Behavior

The data source should be able to look up service accounts by email account_id. In fact, the helper that the data source uses, serviceAccountFQN, correctly handles this case. However, the provider has a validation on the account_id that might be unnecessarily restrictive.

Actual Behavior

Error above.

Steps to Reproduce

  1. terraform apply
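
The mismatch reported above, as an added Go sketch that is not the provider's code: the regexp from the error output rejects the Cloud Build email, while a validator that also accepts an anchored service account email lets it through to name resolution. `validateAccountID`, `resourceName`, `emailRe` and the project ID `my-project` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Regexp quoted in the error output: short account IDs only.
var shortIDRe = regexp.MustCompile(`^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$`)

// Assumed shape of a service account email: a local part (short ID or
// project number) at gserviceaccount.com or one of its subdomains.
var emailRe = regexp.MustCompile(
	`^[a-z0-9][-a-z0-9]{0,61}@(?:[-a-z0-9]+\.)*gserviceaccount\.com$`)

// validateAccountID (hypothetical) accepts either form and nothing else.
func validateAccountID(v string) error {
	if shortIDRe.MatchString(v) || emailRe.MatchString(v) {
		return nil
	}
	return fmt.Errorf("%q is neither a short account ID nor a service account email", v)
}

// resourceName (hypothetical) builds the IAM resource name. An email uses the
// API's "-" project wildcard; a short ID is expanded with the given project.
func resourceName(v, project string) (string, error) {
	if err := validateAccountID(v); err != nil {
		return "", err
	}
	if strings.Contains(v, "@") {
		return "projects/-/serviceAccounts/" + v, nil
	}
	return fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com",
		project, v, project), nil
}

func main() {
	// Constructed inputs; the first is the value from the error output.
	for _, v := range []string{
		"648217170662@cloudbuild.gserviceaccount.com",
		"my-service",
		"sa@gserviceaccount.com.example.org",
	} {
		name, err := resourceName(v, "my-project")
		fmt.Printf("strict=%v name=%q err=%v\n", shortIDRe.MatchString(v), name, err)
	}
}
```

The email pattern stays anchored at both ends, so a value that merely contains `gserviceaccount.com` followed by another domain is still rejected.
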
@sethvargo
Contributor Author

/cc @rileykarson

@rileykarson
Collaborator

What an unusual restriction, given that it should just work using the FQN method! Assigning you since you've already got a PR out. I think https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account#account_id will need to be updated as well to state that an email can be supplied.

sethvargo added a commit to google/exposure-notifications-verification-server that referenced this issue Jan 28, 2021
@sethvargo
Contributor Author

@rileykarson done in the PR

@ghost

ghost commented Mar 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 1, 2021
@github-actions github-actions bot added service/iam-serviceaccount forward/review In review; remove label to forward labels Jan 14, 2025