google_cloudbuild_trigger support for service account

[remmelt]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I would like to create a build trigger in GCP using Terraform that uses a specific service account.

My use case is that I need two different types of triggers:

• "build and push" these triggers are used when a team merges commits on their projects to main, the SA for this trigger only has permission to build and push artefacts.
• "terraform" the SA on this trigger has more permissions, e.g. create service accounts, cloud run, etc. We terraform using cloud build.

Setting the service account in cloudbuild.yaml is ignored when building in Cloud Build (and for good reasons, otherwise any team could add some tf code and a service account with elevated privileges), so that is not an option.

The documentation has serviceAccount as a first class citizen (although in beta). https://cloud.google.com/build/docs/api/reference/rest/v1/projects.triggers

Service account in the yaml is ignored by Cloud Build according to my findings and this documentation: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#running_builds_using_build_triggers

New or Affected Resource(s)

google_cloudbuild_trigger

Potential Terraform Configuration

resource "google_cloudbuild_trigger" "default" {
   ...
   service_account_email = "[email protected]"
   ...
}

References

I read the issue here:

#9296

and am unsure how to proceed.

[slevenick]

Looks like adding support for serviceAccount should fix this. Where do you see that it is in beta? I see that field on the v1 API

[remmelt]

I was puzzled by this... the field is in the v1 API, but on the GCP Console it is marked as "preview".

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.