Handle service account name in control

The ambiguity of what google_container_cluster expects as a value for
service_account is not worth addressing in this module.

README.md

@@ -135,7 +135,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The name of the service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
@@ -160,8 +160,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
 | region | Cluster region |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
-| service\_account\_name | The name of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
 | zones | List of zones in which the cluster resides |
 

autogen/outputs.tf

@@ -109,11 +109,6 @@ output "node_pools_versions" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value = "${local.service_account}"
 }
-
-output "service_account_name" {
-  description = "The name of the service account to default running nodes as if not overridden in `node_pools`."
-  value = "projects/${var.project_id}/serviceAccounts/${local.service_account}"
-}

autogen/variables.tf

@@ -214,7 +214,7 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The name of the service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
   default     = "create"
 }
 {% if private_cluster %}

examples/deploy_service/README.md

@@ -38,7 +38,7 @@ It will:
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/deploy_service/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/node_pool/README.md

@@ -33,7 +33,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/node_pool/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/shared_vpc/README.md

@@ -33,7 +33,7 @@ This example illustrates how to create a simple cluster where the host network i
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/shared_vpc/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/simple_regional/README.md

@@ -32,7 +32,7 @@ This example illustrates how to create a simple cluster.
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/simple_regional/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/simple_regional_private/README.md

@@ -32,7 +32,7 @@ This example illustrates how to create a simple private cluster.
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/simple_regional_private/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/simple_zonal/README.md

@@ -32,7 +32,7 @@ This example illustrates how to create a simple cluster.
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | service\_account\_name | The name of the service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |

examples/simple_zonal/outputs.tf

@@ -29,11 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }
-
-output "service_account_name" {
-  description = "The name of the service account to default running nodes as if not overridden in `node_pools`."
-  value       = "${module.gke.service_account_name}"
-}

examples/simple_zonal_private/README.md

@@ -33,7 +33,7 @@ This example illustrates how to create a simple private cluster.
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/simple_zonal_private/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

examples/stub_domains/README.md

@@ -37,7 +37,7 @@ It will:
 | network |  |
 | project\_id |  |
 | region |  |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 

examples/stub_domains/outputs.tf

@@ -29,6 +29,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.gke.service_account}"
 }

modules/private-cluster/README.md

@@ -143,7 +143,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The name of the service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
@@ -168,8 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
 | region | Cluster region |
-| service\_account | The email address of the service account to default running nodes as if not overridden in `node_pools`. |
-| service\_account\_name | The name of the service account to default running nodes as if not overridden in `node_pools`. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
 | zones | List of zones in which the cluster resides |
 

modules/private-cluster/outputs.tf

@@ -109,11 +109,6 @@ output "node_pools_versions" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value = "${local.service_account}"
-}
-
-output "service_account_name" {
-  description = "The name of the service account to default running nodes as if not overridden in `node_pools`."
-  value = "projects/${var.project_id}/serviceAccounts/${local.service_account}"
 }

modules/private-cluster/variables.tf

@@ -214,7 +214,7 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The name of the service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
   default     = "create"
 }
 variable "enable_private_endpoint" {

outputs.tf

@@ -109,11 +109,6 @@ output "node_pools_versions" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value = "${local.service_account}"
-}
-
-output "service_account_name" {
-  description = "The name of the service account to default running nodes as if not overridden in `node_pools`."
-  value = "projects/${var.project_id}/serviceAccounts/${local.service_account}"
 }

test/fixtures/shared/outputs.tf

@@ -75,6 +75,6 @@ output "ca_certificate" {
 }
 
 output "service_account" {
-  description = "The email address of the service account to default running nodes as if not overridden in `node_pools`."
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${module.example.service_account}"
 }

test/integration/simple_zonal/controls/gcp.rb

@@ -14,8 +14,18 @@
 
 control "gcp" do
   title "Native InSpec Resources"
-  describe google_service_account name: attribute("service_account_name") do
+
+  service_account = attribute("service_account")
+  project_id = attribute("project_id")
+
+  if service_account.start_with? "projects/"
+    service_account_name = service_account
+  else
+    service_account_name = "projects/#{project_id}/serviceAccounts/#{service_account}"
+  end
+
+  describe google_service_account name: service_account_name do
     its("display_name") { should eq "Terraform-managed service account for cluster #{attribute("cluster_name")}" }
-    its("project_id") { should eq attribute("project_id") }
+    its("project_id") { should eq project_id }
   end
 end

test/integration/simple_zonal/inspec.yml

@@ -25,6 +25,6 @@ attributes:
   - name: service_account
     required: true
     type: string
-  - name: service_account_name
+  - name: service_account
     required: true
     type: string

variables.tf

@@ -214,6 +214,6 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The name of the service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
   default     = "create"
 }