service_accounts.key should be service_accounts.key.rendered in version 3.0
raj-saxena opened this issue · 0 comments
We create the service-account and generate a key for it and write it to a file. Example (module version 2.0):
    module "service_accounts" {
      source     = "terraform-google-modules/service-accounts/google"
      version    = "~> 2.0"
      project_id = var.project_id
      names      = [local.service_account_name]
      project_roles = [
        "${var.project_id}=>roles/storage.objectAdmin",
        "${var.project_id}=>roles/compute.instanceAdmin",
        # ...<other-roles>
      ]
      generate_keys = true
    }

    resource "local_file" "service_key" {
      sensitive_content = module.service_accounts.key
      filename          = "${var.secrets_path}/${local.service_account_name}.json"
      file_permission   = "0400"
    }
I upgraded from version 2.0 to version 3.0 with the migrate script and ran terraform plan to see if everything is as expected and now I get the following error:
    90: sensitive_content = module.service_accounts.key
    |----------------
    | module.service_accounts.key is object with 5 attributes
    Inappropriate value for attribute "sensitive_content": string required.
Investigating a bit, I figured out that the value of output key is different than the keys result and the value is actually a map, where the variable rendered contains the actual value.
I have fixed it locally with:
    resource "local_file" "service_key" {
      sensitive_content = module.service_accounts.key.rendered
      filename          = "${var.secrets_path}/${local.service_account_name}.json"
      file_permission   = "0400"
    }
I am not sure if this was on purpose or accidental but it breaks the existing configuration and might be frustrating when there are a lot of service accounts created with this.
Going to raise a PR next to make it backwards compatible.