Skip to content

appengine: add service_account to google_app_engine_application (#18718)#78

Open
jbbqqf wants to merge 11 commits into
mainfrom
feat/18718-appengine-service-account
Open

appengine: add service_account to google_app_engine_application (#18718)#78
jbbqqf wants to merge 11 commits into
mainfrom
feat/18718-appengine-service-account

Conversation

@jbbqqf
Copy link
Copy Markdown
Owner

@jbbqqf jbbqqf commented May 9, 2026

Summary

Add the optional service_account argument to google_app_engine_application, surfacing the Application.serviceAccount field that the AppEngine Admin API has long supported. The field is the app-level default identity used by deployed App Engine versions when no per-version identity is supplied.

Fixes hashicorp/terraform-provider-google#18718 — see hashicorp/terraform-provider-google#18718

Why

Today users provisioning an AppEngine application via Terraform cannot pin a custom service account; the API only accepts it on Create (it is immutable post-creation), so the gap forces a gcloud app create --service-account= workaround that fights with subsequent terraform apply. Surfacing the field on the resource is the standard fix.

GCP API reference:

What changed

This change is to a hand-written Terraform resource (Type=Handwritten in the meta yaml; source-of-truth lives at mmv1/third_party/terraform/services/appengine/resource_app_engine_application.go in magic-modules).

  • New schema attribute: service_accountOptional, Computed, ForceNew (the API rejects updates to this field).
  • Wired into the expandAppEngineApplication constructor and the resourceAppEngineApplicationRead flatten loop.
  • Added to the meta yaml's fields: map (api_field: 'serviceAccount').
  • Added to the registry docs page.

Edge cases tested

# Scenario HCL excerpt Expected Verified by
1 Default (field unset) # service_account omitted API picks the default GAE service account; terraform plan shows no diff after refresh Computed: true lets the API-assigned default round-trip cleanly
2 Set to a custom SA on create service_account = "my-app-sa@my-proj.iam.gserviceaccount.com" API accepts; subsequent reads return the same value manual flatten of app.ServiceAccount
3 Edge: attempt to change after create service_account = "different-sa@..." Plan shows forces replacement and the user gets a clear "must destroy + recreate" message ForceNew: true (the AppEngine API does not list this field in Apps.Patch's supported updateMask)

A live before/after smoke against an AppEngine application was not run because:

  • AppEngine application creation is permanent — the resource cannot be deleted in this provider (resourceAppEngineApplicationDelete only logs a warning), and even at the GCP API level it lives until project deletion.
  • Burning a sandbox project per smoke iteration is wasteful when the gap is a clean schema addition that terraform validate proves on its own.

The static gap is provable directly: an HCL config with service_account = "..." returns Error: Unsupported argument on origin/main and validates cleanly on this branch.

Test protocol

Test Result Notes
go run ./mmv1 -product=appengine -version=ga OK mmv1 third_party file pulled through cleanly
go run ./mmv1 -product=appengine -version=beta OK
go build ./google/services/appengine/... (TPG) OK
go build ./google-beta/services/appengine/... (TPGB) OK
go vet ./google/services/appengine/... (both) OK no new warnings

Related PRs

Disclosure

This PR was implemented with assistance from Claude Code as part of a focused contribution batch on hand-written AppEngine resources. The diff was reviewed manually against the GCP API documentation linked above.

The author (a human) reviewed the diff and the build/vet output before opening this PR.

jcromanu and others added 11 commits May 8, 2026 16:43
@jcromanu
Migrated Compute router status to use transport_tpg.SendRequest (Goog…
28c0142 
…leCloudPlatform#17070)
@zli82016
tgc-revival: add google_colab_notebook_execution (GoogleCloudPlatform…
8ef6479 
…#17468)
@apratimutkarsh
Correct description of the cluster field in RestorePlan (GoogleCloudP…
b00da7a 
…latform#17480)
@Ray784
Custom MAC addresses and NEG based Dynamic NICs support (GoogleCloudP…
07652b5 
…latform#17455)
@shuyama1
Fix data lineage config tests (GoogleCloudPlatform#17482)
202ca26
@melinath
Moved compute-related bootstrapping into the compute package (GoogleC…
37b4def 
…loudPlatform#17461)
@shuyama1
Bump TeamCity execution timeout (GoogleCloudPlatform#17484)
77ef00b
@shuyama1
support sample-based templates in unused-template-check (GoogleCloudP…
a18ab4f 
…latform#17474)
@ota2000
fix(bigqueryconnection): flatten authentication fields from API respo…
ac45a1e 
…nse (GoogleCloudPlatform#17341)
@zli82016
tgc: fix TestAccDatastreamPrivateConnection test (GoogleCloudPlatform…
8d7f85b 
…#17486)
@jbbqqf @claude
appengine: add service_account to google_app_engine_application (#18718)
cad36e7 
Surface the optional Application.serviceAccount field that the AppEngine
Admin API has long supported. The field sets the app-level default
identity used by deployed App Engine versions when no per-version
identity is supplied; it is immutable post-creation, so the schema is
ForceNew + Computed (the API may set a default).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add the possibility to specify a custom service account during AppEngine application creation

8 participants

@jbbqqf @jcromanu @zli82016 @apratimutkarsh @Ray784 @shuyama1 @melinath @ota2000