Cloud build trigger include the option of setting user specific service account

[vongohren]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

There is a way to set service accounts per build so that you dont have to affect the originating service account: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#json

But I cannot seem to find it in: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudbuild_trigger

New or Affected Resource(s)

• google_cloudbuild_trigger

Potential Terraform Configuration

Unsure how to add this, but it is a simple attribute in my mind under the trigger itself.

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

References

[edwardmedia]

@vongohren can't you provide the account in the cloudbuild.yaml?

steps:
- name: 'bash'
  args: ['echo', 'Hello world!']
logsBucket: 'LOGS_BUCKET_LOCATION'
serviceAccount: 'projects/PROJECT_NAME/serviceAccounts/SERVICE_ACCOUNT'

and then

resource "google_cloudbuild_trigger" "filename-trigger" {
  trigger_template {
    branch_name = "master"
    repo_name   = "my-repo"
  }

  substitutions = {
    _FOO = "bar"
    _BAZ = "qux"
  }

  filename = "cloudbuild.yaml". <<<< here
}

[vongohren]

@edwardmedia I can, but we are building up the steps inline because that was what we saw as the easiest way of doing inline substitutions of other terraform resources. So I have come to enjoy building it that way. But I guess one can use the substitions and fill it inn with all the variables one is using and make a cloudbuild.yaml? It just seems to me as an extra step.

But why not have this attribute available I Wonder?

Currently I gave my build service account access to the resource, but I would try to avoid this preferebly

[edwardmedia]

@vongohren the provider is more aligned with the api schema. That could be broken unless there is no workaround, or requested by majority users. I don't think adding the service account here is a case. Closing this for now

[vongohren]

Is there something I can read or look at to understand how a simple attribute like this, which is in their API, is not something that fits in for the terraform provider?

I can add steps in terraform, then why not service accounts?

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.