google_service_account_key broken in 1.14.0 - regression bug

[primeroz]

Hi there,

In version 1.14.0 there seems to be a regression bug where the google_service_account_key resource does not work anymore.

According to the docs the resource does not expect a key for project. It is , i assume, going to inherit it from the keyring it belongs to

Starting in version 1.14.0 there seem to be a validation error during apply

If i don't have a project key specified in the resource i get:

Error: Error applying plan:

1 error(s) occurred:

* google_service_account_key.test-bug: 1 error(s) occurred:

* google_service_account_key.test-bug: project: required field is not set

If i do add the project to the resource i get a vlidation error during plan

Error: google_service_account_key.test-bug: : invalid or unknown key: project

In version 1.13.0 this work as expected.

Interesting enough if i add the project key to the provider it then works also in version 1.14.0

Terraform Version

~/tmp/tf-google-bug >>> terraform -v
Terraform v0.11.7
+ provider.google v1.14.0

Affected Resource(s)

• google_service_account_key

Terraform Configuration Files

variable "project_id" {}
variable "region" {}

provider "google" {
  #version = "= 1.13.0"
  version     = "= 1.14.0"
  region      = "${var.region}"
  credentials = "${file("~/.config/gcloud/terraform-account.json")}"
}

resource "google_service_account" "test-bug" {
  account_id   = "test-bug"
  display_name = "test-bug"
  project      = "${var.project_id}"
}

resource "google_service_account_key" "test-bug" {
  service_account_id = "${google_service_account.test-bug.id}"
  #project            = "${var.project_id}"
  public_key_type    = "TYPE_X509_PEM_FILE"
  private_key_type   = "TYPE_GOOGLE_CREDENTIALS_FILE"
}

Debug Output

https://paste.debian.net/hidden/def5b763/

Expected Behavior

google_service_account_key is created

Actual Behavior

Terraform fails to run

Steps to Reproduce

1. Copy example HCL Configuration from above
2. terraform init
   3.terraform apply -var project_id=YOURPROJECT -var region=europe-west1

Important Factoids

References

[petemounce]

Confirmed by me.

[vishen]

I believe I broke this in commit 8f31fec, although I thought that went in for v1.13.0 so I am a little confused about why it is only failing in v1.14.0? (i was looking at the release notes wrong)

The functionality I added is the same as the previous, but I first try and get the project and I was unaware that getProject(d, config) would error if there wasn't a project, sorry!

I think this can either safely be reverted, or don't error if getProject errors because serviceAccountFQN (8f31fec#diff-d9f99248626432c3fc0b32182bf3a6faR366) doesn't actually require the project to be available.

I am not sure what is the best solution?

[vishen]

@danawillow I have what I believe to be a fix to this issue I casued here, but if that looks to be too much effort (or not comfortable with the change) I can revert the original change completely and submit a PR with the reverted change?

[danawillow]

Cool! I was planning on fixing this today but I'm happy to review a PR instead if you have one.

[vishen]

I have created the following PR #1664 :)

[primeroz]

@vishen @danawillow is this merged in any release ? I am still hitting the same issue for any provider > 1.13 ( including current 1.16.2 ) even if i can see it in the changelog for version 1.15

[vishen]

@primeroz I just checked and it works for 1.13, fails for 1.14 and works for 1.16. Do you have a repro case?

[primeroz]

@vishen i tried rerunning the example i put in the case when i created and that works.

I am having the issue with a "real" configuration, there must be something different i can't see yet , i will see to reproduce it and understand what is causing it.

[primeroz]

@vishen

FYI my issue was that i was using "unique_id" rather than "id" in the service_account_id parameter

resource "google_service_account_key" "viewer-account" {
  service_account_id = "${google_service_account.viewer-account.unique_id}"
  public_key_type    = "TYPE_X509_PEM_FILE"
  private_key_type   = "TYPE_GOOGLE_CREDENTIALS_FILE"
  pgp_key = ""
}

what's strange is that i was getting the very same error, that's why i thought it was not merged

Error: Error applying plan:                                                                                                                                                                    
                                                                                                                                                                                               
1 error(s) occurred:                                                                                                                                                                           
                                                                                                                                                                                               
* google_service_account_key.viewer-account: 1 error(s) occurred:                                                                                                                          
                                                                                                                                                                                               
* google_service_account_key.viewer-account: project: required field is not set  

[danawillow]

FYI @primeroz I'd highly recommend not depending on the resource id. We purposely don't put any information about them in the documentation because we want to be able to change how we store them at any moment. For service accounts specifically, you should be able to use the name or email without having to specify a project.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!