Support to add a Service Account (at the time of its provisioning) to an existing VPC-SC access level

[anubbhavm]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

This new resource is intended to be used in cases where it is not possible to compile a full list of service accounts before hand to include in a google_access_context_manager_access_level. This new resource will enable the service accounts to be added separately as soon as the new service account is provisioned. This new resource will follow a similar concept as the google_access_context_manager_service_perimeter_resource resource.

[danawillow]

If the list of service accounts becomes known later, why not just add it to the google_access_context_manager_access_level resource at that time?

[anubbhavm]

We've seen with the customers that the google_access_context_manager_access_level resource is created as an organization resource and maintained in a separate workspace/ state file. The service accounts are created as a part of different workspaces/ state files and the customer would like to add the service account to the access level at the time of SA creation in the SA workspace instead of going back and updating the access level org resource every single time a SA is created.

[megan07]

Hi @anubbhavm! Thanks for opening this issue. I'm beginning to work on it now. I'm assuming that this service account would be appended to a list of accessLevel.basic.conditions.members, but conditions is an array, so I'm wondering if you have a preference on how to specify which condition to add the service account to. Thanks!

[anubbhavm]

Hey @megan07! No preference really - whatever is easier for you to implement.

[megan07]

Hi @anubbhavm! I'm so sorry, I'm struggling to figure out the best way to represent this as it's own resource. I almost think the only way we can do it is to make the entire condition a resource instead of just the service account. Would that work?

[anubbhavm]

Hey @megan07! Yes, that should work.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!