Workload identity gcp_service_account return value incorrect in 16.1.0

[jackwhelpton]

Running with 16.1.0, the following code:

module.workload_identity_rcp[local.api_sa].gcp_service_account.account_id

yields the error:

This value does not have any attributes.

This was working fine in 16.0.1 (and prior).

For completeness, here's the module call:

module "workload_identity_rcp" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version = "16.0.1"

  providers = {
    kubernetes = kubernetes.rcp
  }

  for_each = toset([local.api_sa, local.component_sa, local.traffic_sa])

  name       = each.value
  namespace  = kubernetes_namespace.rcp.metadata[0].name
  project_id = module.rcp-prodsci-cls-rcp-dev.project_id
}

so I'm not setting any of the use_existing_* flags, just letting the module create the GSA and KSA.

[jackwhelpton]

I've dug in a bit and found the bug here:

data "google_service_account" "cluster_service_account" {
  count = var.use_existing_gcp_sa ? 1 : 0

  account_id = local.gcp_given_name
  project    = var.project_id
}

so the service account details are only looked up if it was explicitly supplied, and not if it was created by the module. This is a breaking change as it means the output variable is null in those cases.

[jackwhelpton]

Looks like a regression caused by #974

[morgante]

Thanks for the report, this is indeed a bug. We should fix it by making the output either reference the data source (if using an existing SA) or the resource (if not).