disable provider data source when not needed, explicitly depend on CI…

…/CD SAs
GoogleCloudPlatform · Jun 16, 2022 · a09eb39 · a09eb39
1 parent ee23694
commit a09eb39
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 10 deletions.
diff --git a/fast/stages/01-resman/cicd-data-platform.tf b/fast/stages/01-resman/cicd-data-platform.tf
@@ -47,6 +47,7 @@ module "branch-dp-dev-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-dp-dev-sa-cicd]
 }
 
 module "branch-dp-prod-cicd-repo" {
@@ -78,6 +79,7 @@ module "branch-dp-prod-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-dp-prod-sa-cicd]
 }
 
 # SAs used by CI/CD workflows to impersonate automation SAs
@@ -97,7 +99,7 @@ module "branch-dp-dev-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {
@@ -138,7 +140,7 @@ module "branch-dp-prod-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {

diff --git a/fast/stages/01-resman/cicd-networking.tf b/fast/stages/01-resman/cicd-networking.tf
@@ -45,6 +45,7 @@ module "branch-network-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-network-sa-cicd]
 }
 
 # SA used by CI/CD workflows to impersonate automation SAs
@@ -64,7 +65,7 @@ module "branch-network-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {

diff --git a/fast/stages/01-resman/cicd-security.tf b/fast/stages/01-resman/cicd-security.tf
@@ -45,6 +45,7 @@ module "branch-security-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-security-sa-cicd]
 }
 
 # SA used by CI/CD workflows to impersonate automation SAs
@@ -64,7 +65,7 @@ module "branch-security-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {

diff --git a/fast/stages/01-resman/cicd-teams.tf b/fast/stages/01-resman/cicd-teams.tf
@@ -47,6 +47,7 @@ module "branch-teams-dev-pf-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-teams-dev-pf-sa-cicd]
 }
 
 module "branch-teams-prod-pf-cicd-repo" {
@@ -78,6 +79,7 @@ module "branch-teams-prod-pf-cicd-repo" {
       }
     }
   }
+  depends_on = [module.branch-teams-prod-pf-sa-cicd]
 }
 
 # SAs used by CI/CD workflows to impersonate automation SAs
@@ -97,7 +99,7 @@ module "branch-teams-dev-pf-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {
@@ -138,7 +140,7 @@ module "branch-teams-prod-pf-sa-cicd" {
     each.value.type == "sourcerepo"
     # used directly from the cloud build trigger for source repos
     ? {
-      "roles/iam.serviceAccountUser" = [local.automation_resman_sa]
+      "roles/iam.serviceAccountUser" = local.automation_resman_sa
     }
     # impersonated via workload identity federation for external repos
     : {

diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
@@ -16,9 +16,12 @@
 
 locals {
   # convenience flags that express where billing account resides
-  automation_resman_sa = format(
-    "serviceAccount:%s",
-    data.google_client_openid_userinfo.provider_identity.email
+  automation_resman_sa = try(
+    [format(
+      "serviceAccount:%s",
+      data.google_client_openid_userinfo.provider_identity.0.email
+    )],
+    []
   )
   billing_ext     = var.billing_account.organization_id == null
   billing_org     = var.billing_account.organization_id == var.organization.id
@@ -69,4 +72,6 @@ locals {
   )
 }
 
-data "google_client_openid_userinfo" "provider_identity" {}
+data "google_client_openid_userinfo" "provider_identity" {
+  count = length(local.cicd_repositories) > 0 ? 1 : 0
+}