Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Workload Identity documentation for existing GCP SA should match example to avoid errors #1059

Closed
tomasgareau opened this issue Nov 10, 2021 · 1 comment
Closed

Workload Identity documentation for existing GCP SA should match example to avoid errors #1059

tomasgareau opened this issue Nov 10, 2021 · 1 comment

Comments

@tomasgareau
Copy link
Contributor

The following snippet from the README for existing GCP SA in the Workload Identity module:

resource "google_service_account" "preexisting" {
  account_id   = "preexisting-sa"
}
module "my-app-workload-identity" {
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  use_existing_gcp_sa = true
  name                = google_service_account.preexisting.account_id
  project_id          = var.project_id
}

fails for me with the error:

╷
│ Error: Invalid template interpolation value
│
│   on .terraform/modules/myapp_workload_identity/modules/workload-identity/main.tf line 22, in locals:
│   22:   gcp_sa_fqn     = "serviceAccount:${local.gcp_sa_email}"
│     ├────────────────
│     │ local.gcp_sa_email is null
│
│ The expression result is null. Cannot include a null value in a string template.
╵
╷
│ Error: Invalid template interpolation value
│
│   on .terraform/modules/myapp_workload_identity/modules/workload-identity/main.tf line 71, in module "annotate-sa":
│   71:   kubectl_create_command  = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
│     ├────────────────
│     │ local.gcp_sa_email is null
│
│ The expression result is null. Cannot include a null value in a string template.
╵
╷
│ Error: Missing required argument
│
│   with module.myapp_workload_identity.google_service_account_iam_member.main,
│   on .terraform/modules/myapp_workload_identity/modules/workload-identity/main.tf line 76, in resource "google_service_account_iam_member" "main":
│   76:   service_account_id = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].name : google_service_account.cluster_service_account[0].name
│
│ The argument "service_account_id" is required, but no definition was found.
╵

Looks like the WI module is trying to fetch information about the service account before it exists... The example introduced by #974 uses depends_on to force Terraform to wait:

# example with existing GSA
resource "google_service_account" "custom" {
  account_id = "custom-gsa"
  project    = var.project_id
}

module "workload_identity_existing_gsa" {
  source              = "../../modules/workload-identity"
  project_id          = var.project_id
  name                = google_service_account.custom.account_id
  use_existing_gcp_sa = true
  # wait till custom GSA is created to force module data source read during apply
  depends_on = [google_service_account.custom]
}

Should the README documentation be updated to match? Or is there a better way to define these dependencies for Terraform?
@morgante
Copy link
Contributor

Yes, please update the README. Unfortunately I don't think there's a way to fix this besides that workaround (since it's ultimately a bug in Terraform).

@tomasgareau tomasgareau mentioned this issue Nov 15, 2021
Merged
morgante added a commit that referenced this issue Nov 16, 2021
@tomasgareau @morgante
chore(docs): update Workload Identity README example for existing GSA (
5b16a50 
…#1062)

Addresses #1059 -- without the `depends_on` block, the WI module will
try to read a data source for a Google service account that has not yet
been created. This is alluded to in the Workload Identity examples but
not in the Workload Identity README. This commit updates the README to
include the `depends_on` block.

Co-authored-by: Morgante Pell <morgantep@google.com>
CPL-markus pushed a commit to WALTER-GROUP/terraform-google-kubernetes-engine that referenced this issue Jul 15, 2024
@tomasgareau @morgante
chore(docs): update Workload Identity README example for existing GSA (
5b2d73b 
…terraform-google-modules#1062)

Addresses terraform-google-modules#1059 -- without the `depends_on` block, the WI module will
try to read a data source for a Google service account that has not yet
been created. This is alluded to in the Workload Identity examples but
not in the Workload Identity README. This commit updates the README to
include the `depends_on` block.

Co-authored-by: Morgante Pell <morgantep@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@morgante @tomasgareau