feat: Add create_ignore_already_exists to workload_identity #2142
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
/gcbrun
Thanks for the contribution @flozzone!
From the linter:
Running terraform fmt
modules/workload-identity/main.tf
--- old/modules/workload-identity/main.tf
+++ new/modules/workload-identity/main.tf
@@ -42,11 +42,11 @@
resource "google_service_account" "cluster_service_account" {
count = var.use_existing_gcp_sa ? 0 : 1
- account_id = local.gcp_given_name
- display_name = coalesce(var.gcp_sa_display_name, substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100))
- description = var.gcp_sa_description
- project = var.project_id
- create_ignore_already_exists = var.create_ignore_already_exists
+ account_id = local.gcp_given_name
+ display_name = coalesce(var.gcp_sa_display_name, substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100))
+ description = var.gcp_sa_description
+ project = var.project_id
+ create_ignore_already_exists = var.create_ignore_already_exists
}
resource "kubernetes_service_account" "main" {
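Review bot: The `create_ignore_already_exists = var.create_ignore_already_exists` argument on `google_service_account.cluster_service_account` is passed through unconditionally whenever `count` is 1, so the module's minimum google provider version has to be one that supports this argument, and nothing in this hunk shows that constraint being raised. I would bump the required provider version in the same change. I would also state in the variable's description that, when it is true, a service account with the same `account_id` that already exists is reused instead of failing the apply, so callers know the account may predate this module.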
Error: terraform fmt failed with exit code 3
Check the output for diffs and correct using terraform fmt <dir>
/gcbrun
Hi @apeabody, I've corrected linting errors but now the build is failing and I cannot see any logs at https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/2142/checks?check_run_id=31930708825 and I rebased now to see if that caused the issue.
/gcbrun
I've triggered the test, but we've been having unrelated intermittent test failures (timeout) that we are also working to resolve.
/gcbrun
/gcbrun
/gcbrun
Thanks for the contribution @flozzone!
A few small notes before we merge.
/gcbrun
Hi @inverse-panda - Can you share the version of the provider ( I would also strongly recommend specifying the major version of the module such as:
@inverse-panda I get the point, it might be a bit misleading now. But gcp_sa_create_ignore_already_exists is used in case Terraform fails to create the SA due to the GCP IAM eventual consistency principle. See hashicorp/terraform-provider-google#18087. And today I found out that recent versions of the Google Provider have fixed that problem on the provider end https://github.com/hashicorp/terraform-provider-google/releases/tag/v6.7.0 with hashicorp/terraform-provider-google#19727
@apeabody It seems I should have checked provider version compatibility and bumped the required version
Hi @apeabody, I see So people having the Provider produced inconsistent result after apply when creating service accounts would either have to use TPGv6.7 for a proper fix or use
Thanks @flozzone! Would you be able to open a PR bumping the version to
Hi, I use TPG ~> 4.0 and got this
Do I need to upgrade the TPG or what? Currently I manually remove the
Hi @gustysap In v34 the
Thanks a lot @flozzone, updating the version to
Adds create_ignore_already_exists to workload-identity module to ignore an already existing google-service-account when hitting the Provider produced inconsistent result after apply issue.
Fixes #2141