feat: Need to make compute-vm service_account configuration "optional"

[eandresr]

Hello Team,

we need to have the capabilit of disable service_account configuration when creating a compute-vm as our security policies recognize it as a threat. Previously we used an ad-hoc module with a dynamic block for the service_account, can you implement this in your fabric module?

Thank you.

[ludoo]

It's already possible AFAIK, just pass null to the service account email field and disable service account creation. Can you try and report back?

[eandresr]

Hello,

tested, but unfortunally didn't work, passed var.service_account to null and false for the creation and it created the instance with the default compute SA and with the following:

service_account {
  email :    Known after apply
  scopes : [
             - "https://www.googleapis.com/auth/devstorage.read_only"
             - "https://www.googleapis.com/auth/logging.write"
             - "https://www.googleapis.com/auth/monitoring.write"
   ]
}

The call:

module "vm-test" {
  source            = "localterraform.com/catalog/module-compute-vm/google"
  version           = "26.0.0"
  project_id       = var.project_id
  zone               = "europe-west1-b"
  name              = var.hostname
  hostname       = var.hostname
  instance_type = "custom-2-4096"
  boot_disk       = {
    image = "debian-cloud/debian-11"
    size  = 65
  }
  network_interfaces = [
    {
      network       = var.network
      subnetwork = var.subnetwork
      addresses    = {
        internal =var.ip
        external = null
      }
    }
  ]
  service_account_create = false
  service_account            = null
}

[ludoo]

Ok, let me fix this :) Thanks for checking.

[eandresr]

Great, tested and working as expected, thank you Ludo!

[ludoo]

Fantastic, thanks for confirming, and of course raising the issue in the first place!