Commit

feat: Update script to have unique service account name generated (#56)
ankushpareddy authored Nov 14, 2024
1 parent 4fd49fb commit f791d95
Showing 3 changed files with 8 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -63,7 +63,7 @@ Functional examples are included in the
| ba\_name | Provide a name for the backup/recovery appliance. The name will be suffixed with four random characters. | `string` | n/a | yes |
| ba\_project\_id | Provide the project ID where you want to deploy the backup/recovery appliance. | `string` | n/a | yes |
| ba\_registration | Flag to register the backup/recovery appliance with the management console. We recommend changing it to false, once the appliance is successfully registered. | `string` | `"true"` | no |
| ba\_service\_account | Use this if you want to use an existing service account with the backup/recovery appliance. This variable will be ignored if the create\_ba\_service\_account variable is set to true. | `string` | `"none"` | no |
| ba\_service\_account | Use this if you want to use an existing service account with the backup/recovery appliance. This variable will be ignored if the create\_ba\_service\_account variable is set to true. A unique service account should be used for each new BA deployment else deployment will fail. | `string` | `"none"` | no |
| boot\_image | Provide the boot image for backup/recovery appliance. Don’t modify this variable to update or upgrade the appliance version. You can upgrade the appliance only through the Backup and DR Service management console. | `string` | `"projects/backupdr-images/global/images/sky-11-0-13-278"` | no |
| create\_ba\_service\_account | Flag to create a service account for backup/recovery appliance. | `bool` | n/a | yes |
| firewall\_source\_ip\_ranges | Provide the IP ranges to allow the firewall communication between the management console, the appliance, and other subnets where workloads need to be backed up. | `list(string)` | `[]` | no |
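Review bot: The sentence added to the ba\_service\_account row says the deployment will fail but not why or how a user would recognise the failure, and "else deployment will fail" reads better as "otherwise the deployment will fail". The ba\_name row in the same table still only mentions the four-character suffix on the appliance name; since the service account ID created by the module is now also derived from ba\_name and may be truncated, the ba\_name or create\_ba\_service\_account row should say so.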
11 changes: 6 additions & 5 deletions main.tf
Expand Up @@ -50,10 +50,11 @@ locals {
}

locals {
timestamp_sanitized = sum([time_static.activation_date.unix, 86400])
shared_secret = "${random_string.shared_secret.result}00000000${format("%x", local.timestamp_sanitized)}"
ba_service_account = var.create_ba_service_account ? join("", google_service_account.ba_service_account[*].email) : var.ba_service_account
ba_randomised_name = join("-", tolist([var.ba_name, random_string.id.id]))
timestamp_sanitized = sum([time_static.activation_date.unix, 86400])
shared_secret = "${random_string.shared_secret.result}00000000${format("%x", local.timestamp_sanitized)}"
ba_service_account = var.create_ba_service_account ? join("", google_service_account.ba_service_account[*].email) : var.ba_service_account
ba_randomised_name = join("-", tolist([var.ba_name, random_string.id.id]))
ba_sa_randomised_name = join("-", [length(var.ba_name) + length(random_string.id.id) > 30 ? substr(var.ba_name, 0, 30 - length(random_string.id.id) - 1) : var.ba_name, random_string.id.id])
}

# make sure the subnet exist.
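Review bot: The length check in ba_sa_randomised_name does not count the "-" that join inserts, so the generated name can come out at 31 characters. When length(var.ba_name) + length(random_string.id.id) is exactly 30 the condition is false, ba_name is left untruncated, and the joined value is one character longer than the 30 the substr branch is sized for. Compare with `>= 30` (or add 1 for the separator) so both branches respect the same limit, and add a short comment saying where the 30 comes from. Also note that substr can cut ba_name right after a "-", which yields "--" in the generated name; trimming a trailing hyphen before the join would avoid that.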
Expand Down Expand Up @@ -83,7 +84,7 @@ resource "google_project_service" "enable_services" {
resource "google_service_account" "ba_service_account" {
project = var.ba_project_id
count = var.create_ba_service_account ? 1 : 0
account_id = var.ba_name
account_id = local.ba_sa_randomised_name
display_name = "Backup DR Appliance Service Account"
depends_on = [google_project_service.enable_services]
}
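Review bot: Changing account_id from var.ba_name to local.ba_sa_randomised_name alters the ID of the service account for every existing deployment that has create_ba_service_account = true, and a changed account_id makes Terraform replace the resource. The replacement has a different email, so local.ba_service_account and anything bound to the old email change with it. The commit is labelled feat, with no mention of this; call it out as an upgrade-impacting change in the commit message or release notes. Separately, display_name stays "Backup DR Appliance Service Account" for every appliance, so including the randomised name there would make the now-unique accounts distinguishable in IAM listings and audit logs.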
2 changes: 1 addition & 1 deletion variables.tf
Expand Up @@ -101,7 +101,7 @@ variable "assign_roles_to_ba_sa" {

variable "ba_service_account" {
type = string
description = "Use this if you want to use an existing service account with the backup/recovery appliance. This variable will be ignored if the create_ba_service_account variable is set to true."
description = "Use this if you want to use an existing service account with the backup/recovery appliance. This variable will be ignored if the create_ba_service_account variable is set to true. A unique service account should be used for each new BA deployment else deployment will fail."
default = "none"
}

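Review bot: The sentence added to the description states a requirement ("A unique service account should be used for each new BA deployment") that nothing in the module enforces, and the variable still defaults to the sentinel "none". With create_ba_service_account = false, the ternary in main.tf passes var.ba_service_account through unchanged, so a forgotten value only surfaces as a failure at apply time. Consider a validation or precondition that rejects "none" when create_ba_service_account is false, and reword the description to "otherwise the deployment will fail" with the reason stated, so it matches the README row.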