Revert "feat(google_workload_identity): removed data source and updated outpu…" (#287)

dlactin · web-flow · commit c526d004bc4a · 2025-04-14T15:32:11.000-06:00
This reverts commit f06d51a.
diff --git a/google_workload_identity/README.md b/google_workload_identity/README.md
@@ -9,7 +9,6 @@ accounts to go with it
 |------|-------------|------|---------|:--------:|
 | <a name="input_automount_service_account_token"></a> [automount\_service\_account\_token](#input\_automount\_service\_account\_token) | Enable automatic mounting of the service account token | `bool` | `false` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Cluster name. Required if using existing KSA. | `string` | `""` | no |
-| <a name="input_gcp_sa_email"></a> [gcp\_sa\_email](#input\_gcp\_sa\_email) | Email for an existing Google service account. | `string` | `null` | no |
 | <a name="input_gcp_sa_name"></a> [gcp\_sa\_name](#input\_gcp\_sa\_name) | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | <a name="input_impersonate_service_account"></a> [impersonate\_service\_account](#input\_impersonate\_service\_account) | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | <a name="input_k8s_sa_name"></a> [k8s\_sa\_name](#input\_k8s\_sa\_name) | Name for the Kubernetes service account; overrides `var.name`. | `string` | `null` | no |
diff --git a/google_workload_identity/main.tf b/google_workload_identity/main.tf
@@ -6,7 +6,7 @@
 
 locals {
   gcp_given_name = var.gcp_sa_name != null ? var.gcp_sa_name : substr(var.name, 0, 30)
-  gcp_sa_email   = var.use_existing_gcp_sa ? var.gcp_sa_email : google_service_account.cluster_service_account[0].email
+  gcp_sa_email   = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].email : google_service_account.cluster_service_account[0].email
   gcp_sa_fqn     = "serviceAccount:${local.gcp_sa_email}"
 
   # This will cause Terraform to block returning outputs until the service account is created
@@ -17,6 +17,13 @@ locals {
   k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 }
 
+data "google_service_account" "cluster_service_account" {
+  count = var.use_existing_gcp_sa ? 1 : 0
+
+  account_id = local.gcp_given_name
+  project    = var.project_id
+}
+
 resource "google_service_account" "cluster_service_account" {
   count = var.use_existing_gcp_sa ? 0 : 1
 
@@ -39,7 +46,7 @@ resource "kubernetes_service_account" "main" {
 }
 
 resource "google_service_account_iam_member" "main" {
-  service_account_id = var.use_existing_gcp_sa ? var.gcp_sa_name : google_service_account.cluster_service_account[0].name
+  service_account_id = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].name : google_service_account.cluster_service_account[0].name
   role               = "roles/iam.workloadIdentityUser"
   member             = local.k8s_sa_gcp_derived_name
 }
@@ -50,4 +57,4 @@ resource "google_project_iam_member" "workload_identity_sa_bindings" {
   project = var.project_id
   role    = each.value
   member  = local.gcp_sa_fqn
-}
+}
diff --git a/google_workload_identity/outputs.tf b/google_workload_identity/outputs.tf
@@ -26,5 +26,5 @@ output "gcp_service_account_name" {
 
 output "gcp_service_account" {
   description = "GCP service account."
-  value       = var.use_existing_gcp_sa ? var.gcp_sa_name : google_service_account.cluster_service_account[0]
-}
+  value       = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0] : google_service_account.cluster_service_account[0]
+}
diff --git a/google_workload_identity/variables.tf b/google_workload_identity/variables.tf
@@ -14,12 +14,6 @@ variable "gcp_sa_name" {
   default     = null
 }
 
-variable "gcp_sa_email" {
-  description = "Email for an existing Google service account."
-  type        = string
-  default     = null
-}
-
 variable "use_existing_gcp_sa" {
   description = "Use an existing Google service account instead of creating one"
   type        = bool
@@ -72,4 +66,4 @@ variable "impersonate_service_account" {
   description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
   type        = string
   default     = ""
-}
+}
