Allow Disabling Service Accounts #5169

merged 3 commits into from
Sep 8, 2021
allow disabling service accounts
Co-authored-by: upodroid <[email protected]>
upodroid committed Sep 2, 2021
commit 0c14bf6b3389e96e7cea7f6de37039e29f684c16
Expand Up @@ -50,6 +50,12 @@ func resourceGoogleServiceAccount() *schema.Resource {
Optional: true,
Description: `The display name for the service account. Can be updated without creating a new resource.`,
},
"disabled": {
Type: schema.TypeBool,
Optional: true,
Default: false,
Description: `Whether the service account is disabled. Defaults to false`,
},
"description": {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -146,6 +152,9 @@ func resourceGoogleServiceAccountRead(d *schema.ResourceData, meta interface{})
if err := d.Set("description", sa.Description); err != nil {
return fmt.Errorf("Error setting description: %s", err)
}
if err := d.Set("disabled", sa.Disabled); err != nil {
return fmt.Errorf("Error setting disabled: %s", err)
}
return nil
}

Expand Down Expand Up @@ -181,6 +190,33 @@ func resourceGoogleServiceAccountUpdate(d *schema.ResourceData, meta interface{}
if d.HasChange("display_name") {
updateMask = append(updateMask, "display_name")
}

// We want to skip the Patch Call below if only the enabled field has been changed

if d.HasChange("disabled") && !d.Get("disabled").(bool) {

_, err = config.NewIamClient(userAgent).Projects.ServiceAccounts.Enable(d.Id(),
&iam.EnableServiceAccountRequest{}).Do()
if err != nil {
return err
}

if len(updateMask) == 0 {
return nil
}

} else if d.HasChange("disabled") && d.Get("disabled").(bool) {
_, err = config.NewIamClient(userAgent).Projects.ServiceAccounts.Disable(d.Id(),
&iam.DisableServiceAccountRequest{}).Do()
if err != nil {
return err
}

if len(updateMask) == 0 {
return nil
}
}

_, err = config.NewIamClient(userAgent).Projects.ServiceAccounts.Patch(d.Id(),
&iam.PatchServiceAccountRequest{
UpdateMask: strings.Join(updateMask, ","),
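Review bot: Both `disabled` branches in resourceGoogleServiceAccountUpdate `return nil` when the update mask is empty, which skips everything after the Patch call; if that tail ends with a state refresh (the function's end is outside this hunk, so this is inferred), an enable/disable-only apply leaves state unrefreshed and the `disabled` attribute is whatever the plan wrote rather than what the IAM API reports. The two branches also differ only in the Enable/Disable call, and the comment above them talks about an "enabled" field that does not exist in the schema. A merged form that falls back to the resource's Read on the no-Patch path is sketched below. Separately, the docs hunk states the field has no effect during creation, so a config with `disabled = true` produces a live account after the first apply; the Create function (not in this diff) could call Disable after creation when `d.Get("disabled").(bool)` is set.

```go
// … unchanged: updateMask handling for display_name / description …

// Enabling and disabling are dedicated IAM calls, not Patch fields.
if d.HasChange("disabled") {
	accounts := config.NewIamClient(userAgent).Projects.ServiceAccounts
	if d.Get("disabled").(bool) {
		_, err = accounts.Disable(d.Id(), &iam.DisableServiceAccountRequest{}).Do()
	} else {
		_, err = accounts.Enable(d.Id(), &iam.EnableServiceAccountRequest{}).Do()
	}
	if err != nil {
		return fmt.Errorf("Error updating disabled state of service account %q: %s", d.Id(), err)
	}
	// Nothing left for Patch to do; still refresh so state reflects the API's view of `disabled`.
	if len(updateMask) == 0 {
		return resourceGoogleServiceAccountRead(d, meta)
	}
}

// … unchanged: Patch call …
```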
Expand Up @@ -84,6 +84,65 @@ func TestAccServiceAccount_basic(t *testing.T) {
})
}

func TestAccServiceAccount_Disabled(t *testing.T) {
t.Parallel()

accountId := "a" + randString(t, 10)
uniqueId := ""
displayName := "Terraform Test"
desc := "test description"
project := getTestProjectFromEnv()
expectedEmail := fmt.Sprintf("%s@%s.iam.gserviceaccount.com", accountId, project)
vcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
// The first step creates a basic service account
{
Config: testAccServiceAccountBasic(accountId, displayName, desc),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(
"google_service_account.acceptance", "project", project),
),
},
{
ResourceName: "google_service_account.acceptance",
ImportStateId: fmt.Sprintf("projects/%s/serviceAccounts/%s", project, expectedEmail),
ImportState: true,
ImportStateVerify: true,
},
// The second step disables the service account
{
Config: testAccServiceAccountBasicDisabled(accountId, displayName, desc, true),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(
"google_service_account.acceptance", "project", project),
testAccStoreServiceAccountUniqueId(&uniqueId),
),
},
{
ResourceName: "google_service_account.acceptance",
ImportState: true,
ImportStateVerify: true,
},
// The second step enables the disabled service account
{
Config: testAccServiceAccountBasicDisabled(accountId, displayName, desc, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(
"google_service_account.acceptance", "project", project),
testAccStoreServiceAccountUniqueId(&uniqueId),
),
},
{
ResourceName: "google_service_account.acceptance",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func testAccStoreServiceAccountUniqueId(uniqueId *string) resource.TestCheckFunc {
return func(s *terraform.State) error {
*uniqueId = s.RootModule().Resources["google_service_account.acceptance"].Primary.Attributes["unique_id"]
Expand Down Expand Up @@ -111,3 +170,14 @@ resource "google_service_account" "acceptance" {
}
`, project, account, name)
}

func testAccServiceAccountBasicDisabled(account, name, desc string, disabled bool) string {
return fmt.Sprintf(`
resource "google_service_account" "acceptance" {
account_id = "%v"
display_name = "%v"
description = "%v"
disabled = "%t"
}
`, account, name, desc, disabled)
}
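Review bot: Neither the disable step nor the enable step in TestAccServiceAccount_Disabled asserts the `disabled` attribute, so the test would still pass if the Disable/Enable calls in the provider were no-ops (ImportStateVerify may catch a state/API divergence, but that is indirect); add `resource.TestCheckResourceAttr("google_service_account.acceptance", "disabled", "true")` to the disable step's Check and the `"false"` counterpart to the enable step. The `uniqueId` captured by `testAccStoreServiceAccountUniqueId(&uniqueId)` in both steps is never compared, so the test does not actually verify that toggling `disabled` keeps the same account rather than recreating it. The comment on the enable step reads `// The second step enables the disabled service account` but it is the third step. In `testAccServiceAccountBasicDisabled`, `disabled = "%t"` renders the bool as a quoted string; `disabled = %t` yields a native bool in the HCL.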
Expand Up @@ -15,7 +15,8 @@ Allows management of a Google Cloud service account.
* How-to Guides
* [Official Documentation](https://cloud.google.com/compute/docs/access/service-accounts)

-> **Warning:** If you delete and recreate a service account, you must reapply any IAM roles that it had before.
-> **Warning:** If you delete and recreate a service account, you must reapply any IAM roles that it had before. Also don't use this resource to
import the Compute Engine default service account as account_id field **cannot** start with a number.

-> Creation of service accounts is eventually consistent, and that can lead to
errors when you try to apply ACLs to service accounts immediately after
Expand Down Expand Up @@ -48,6 +49,9 @@ The following arguments are supported:
* `description` - (Optional) A text description of the service account.
Must be less than or equal to 256 UTF-8 bytes.

* `disabled` - (Optional) Whether a service account is disabled or not. Defaults to `false`. This field has no effect during creation.
Must be set after creation to disable a service account.

* `project` - (Optional) The ID of the project that the service account will be created in.
Defaults to the provider project configuration.
