Breaking change in 4.1.1 - Attribute `iam_emails` returns full service account `id` / `name` instead of `account_id`

[philippeboyd]

TL;DR

Attribute iam_emails returns full service account id / name instead of account_id (same with return attribute emails)

Expected behavior

> module.service_accounts.iam_emails
{
  "first" = "serviceAccount:prefix-first@<project_id>.iam.gserviceaccount.com"
  "second" = "serviceAccount:prefix-second@<project_id>.iam.gserviceaccount.com"
}

Observed behavior

> module.service_accounts.iam_emails
{
  "projects/<project_id>/serviceAccounts/prefix-first@<project_id>.iam.gserviceaccount.com" = "serviceAccount:prefix-first@<project_id>.iam.gserviceaccount.com"
  "projects/<project_id>/serviceAccounts/prefix-second@<project_id>.iam.gserviceaccount.com" = "serviceAccount:prefix-second@<project_id>.iam.gserviceaccount.com"
}

Terraform Configuration

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "4.1.1"
  project_id    = "<project_id>"
  prefix        = "prefix"
  names         = ["first", "second"]
}

Terraform Version

Terraform v1.1.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.11.0
+ provider registry.terraform.io/hashicorp/google-beta v4.11.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.7.2

Additional information

Related to PR #57

Version 4.1.0 was convenient in the following use case:

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "4.1.0"
  project_id    = "<project_id>"
  prefix        = "prefix"
  names         = ["first", "second"]
}

module "buckets" {
  source  = "terraform-google-modules/cloud-storage/google"
  version = "~> 3.1"

  project_id = <project_id>
  location   = "northamerica-northeast1"
  prefix     = ""
  names = [
    "bucket-first",
    "bucket-second",
  ]

  set_viewer_roles = true
  bucket_viewers = {
    "bucket-first" = module.service_accounts.iam_emails["first"], # <- no longer works since key `first` doesn't exist
    "bucket-second" = module.service_accounts.iam_emails["second"], # <- no longer works since key `second` doesn't exist
  }
}

[philippeboyd]

Looping in PR owner @wkrysmann

[philippeboyd]

Attribute service_accounts_map returns proper module specified names as keys so a workaround is to use

  bucket_viewers = {
    "bucket-first" = "serviceAccount:${module.service_accounts.service_accounts_map["first"]["email"]}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map["second"]["email"]}",
  }

Still a breaking change though...

[morgante]

This should be considered a bug, since we didn't intend to change the interface of service_accounts. If you can get a PR up to fix it, we can change it back quickly.

[philippeboyd]

Changing it back would be to revert PR #57 (commit cb0f7f0) but then the problem that @wkrysmann mentioned in his PR would be back. Hence I would like to get his inputs on this issue first.

[wkrysmann]

Hi @philippeboyd,
thanks for flagging this out, this is definitely a bug which I introduced unintentionally.
I'm wondering if we could use service_accounts_map, similarly to how you use it in workaround solution to fix iam_emails output.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[philippeboyd]

not stale

[mehdicopter]

Attribute service_accounts_map returns proper module specified names as keys so a workaround is to use

  bucket_viewers = {
    "bucket-first" = "serviceAccount:${module.service_accounts.service_accounts_map["first"]["email"]}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map["second"]["email"]}",
  }

Still a breaking change though...

I did use this instead:

bucket_viewers = {
    "bucket-first" = "serviceAccount:${module.service_accounts.service_accounts_map.first.email}",
    "bucket-second" = "serviceAccount:${module.service_accounts.service_accounts_map.second.email}",
  }

[ccogan-lh]

Any update on this?

[corey-hammerton]

Is there any update to this issue? We do use the service_accounts_map output, but it renders the output variables emails and iam_emails effectively useless

[adrian-gierakowski]

just hit this problem: it was an unannounced breaking changed, would be great to get it fixed
for now this is my workaround:

locals {
  service_accounts_iam_emails_by_name = {
    for env, account in module.service-accounts.service_accounts_map:
      env => "serviceAccount:${account.email}"
  }
}

this issues affects the emails output as well

IMHO best approach would be a fix reverting to original behaviour released as a breaking change with major version update