From aee12e7175d6adf6d73c3bb5808399537ae56b48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szymon=20Bie=C5=84kowski?=
Date: Fri, 13 May 2022 06:54:57 +0200
Subject: [PATCH] fix: trim trailing dash from gcp SA name (#1243)

As per noted regexp, the service account name cannot end with a dash. This can happen when the name is over 30 characters long and so a substring is extracted, but the 30th character happens to be a dash.
---
 modules/workload-identity/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index eaf02c777..bb44e4122 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -15,9 +15,9 @@
 */
 locals {
- # GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
+ # GCP service account ids must be <= 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
 # KSAs do not have this naming restriction.
- gcp_given_name = var.gcp_sa_name != null ? var.gcp_sa_name : substr(var.name, 0, 30)
+ gcp_given_name = var.gcp_sa_name != null ? var.gcp_sa_name : trimsuffix(substr(var.name, 0, 30), "-")
 gcp_sa_email = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].email : google_service_account.cluster_service_account[0].email
 gcp_sa_fqn = "serviceAccount:${local.gcp_sa_email}"
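Review bot: `trimsuffix` strips only one occurrence of the suffix, so on the new `gcp_given_name` line a 30-character prefix that ends in `--` still yields an id ending in `-`, which the regex quoted in the comment above rejects. Stripping the whole trailing run closes that gap: `replace(substr(var.name, 0, 30), "/-+$/", "")`. Truncation also maps distinct `var.name` values that share their first 30 characters to the same account id, so a comment here advising callers to set `gcp_sa_name` explicitly for long names would help keep two workloads from resolving to one GCP identity; whether a clash fails at creation or silently reuses an account is decided outside this hunk. The `locals` block continues past the end of the hunk.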