|
| 1 | +# Upgrading to v3.0 |
| 2 | + |
| 3 | +The v3.0 release is a backwards-incompatible release. |
| 4 | + |
| 5 | +### for_each |
| 6 | +The resources in this module have been updated to use `for_each` instead of `count`. This allows adding/removing service accounts without causing a diff on unrelated resources. |
| 7 | + |
| 8 | +Updating to this new format requires running a state migration. Note that this migration **must** be run with **Terraform v0.12.20**. You can use a [script](../helpers/migrate.py) we provided to automatically make the required state migration. |
| 9 | + |
| 10 | +1. Download the script |
| 11 | + |
| 12 | + ```sh |
| 13 | + curl -O https://raw.githubusercontent.com/terraform-google-modules/terraform-google-service-accounts/master/helpers/migrate.py |
| 14 | + chmod +x migrate.py |
| 15 | + ``` |
| 16 | + |
| 17 | +2. Run the script in dryrun mode to confirm the expected changes: |
| 18 | + |
| 19 | + ```sh |
| 20 | + $ ./migrate.py --dryrun |
| 21 | +
|
| 22 | + ---- Migrating the following modules: |
| 23 | + -- module.service_accounts |
| 24 | + ---- Commands to run: |
| 25 | + terraform state mv 'module.service_accounts.google_service_account.service_accounts[0]' 'module.service_accounts.google_service_account.service_accounts["test-first"]' |
| 26 | + terraform state mv 'module.service_accounts.google_service_account.service_accounts[1]' 'module.service_accounts.google_service_account.service_accounts["test-second"]' |
| 27 | + terraform state mv 'module.service_accounts.google_service_account_key.keys[0]' 'module.service_accounts.google_service_account_key.keys["test-first"]' |
| 28 | + terraform state mv 'module.service_accounts.google_service_account_key.keys[1]' 'module.service_accounts.google_service_account_key.keys["test-second"]' |
| 29 | + ``` |
| 30 | + |
| 31 | +3. Execute the migration script |
| 32 | + |
| 33 | + ```sh |
| 34 | + $ ./migrate.py |
| 35 | +
|
| 36 | + ---- Migrating the following modules: |
| 37 | + -- module.service_accounts |
| 38 | + ---- Commands to run: |
| 39 | + Move "module.service_accounts.google_service_account.service_accounts[0]" to "module.service_accounts.google_service_account.service_accounts[\"test-first\"]" |
| 40 | + Successfully moved 1 object(s). |
| 41 | + Move "module.service_accounts.google_service_account.service_accounts[1]" to "module.service_accounts.google_service_account.service_accounts[\"test-second\"]" |
| 42 | + Successfully moved 1 object(s). |
| 43 | + Move "module.service_accounts.google_service_account_key.keys[0]" to "module.service_accounts.google_service_account_key.keys[\"test-first\"]" |
| 44 | + Successfully moved 1 object(s). |
| 45 | + Move "module.service_accounts.google_service_account_key.keys[1]" to "module.service_accounts.google_service_account_key.keys[\"test-second\"]" |
| 46 | + Successfully moved 1 object(s). |
| 47 | + ``` |
| 48 | + |
| 49 | +4. Run `terraform plan` to confirm only 4 IAM changes will be made. |
| 50 | + |
| 51 | + ``` |
| 52 | + Terraform will perform the following actions: |
| 53 | + |
| 54 | + # module.service_accounts.google_project_iam_member.project-roles will be destroyed |
| 55 | + - resource "google_project_iam_member" "project-roles" { |
| 56 | + - etag = "BwWlo2qcwSc=" -> null |
| 57 | + - id = "PROJECT_ID/roles/viewer/serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 58 | + - member = "serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 59 | + - project = "PROJECT_ID" -> null |
| 60 | + - role = "roles/viewer" -> null |
| 61 | + } |
| 62 | + |
| 63 | + # module.service_accounts.google_project_iam_member.project-roles[1] will be destroyed |
| 64 | + - resource "google_project_iam_member" "project-roles" { |
| 65 | + - etag = "BwWlo2qcwSc=" -> null |
| 66 | + - id = "PROJECT_ID/roles/storage.objectViewer/serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 67 | + - member = "serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 68 | + - project = "PROJECT_ID" -> null |
| 69 | + - role = "roles/storage.objectViewer" -> null |
| 70 | + } |
| 71 | + |
| 72 | + # module.service_accounts.google_project_iam_member.project-roles[2] will be destroyed |
| 73 | + - resource "google_project_iam_member" "project-roles" { |
| 74 | + - etag = "BwWlo2qcwSc=" -> null |
| 75 | + - id = "PROJECT_ID/roles/viewer/serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 76 | + - member = "serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 77 | + - project = "PROJECT_ID" -> null |
| 78 | + - role = "roles/viewer" -> null |
| 79 | + } |
| 80 | + |
| 81 | + # module.service_accounts.google_project_iam_member.project-roles[3] will be destroyed |
| 82 | + - resource "google_project_iam_member" "project-roles" { |
| 83 | + - etag = "BwWlo2qcwSc=" -> null |
| 84 | + - id = "PROJECT_ID/roles/storage.objectViewer/serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 85 | + - member = "serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" -> null |
| 86 | + - project = "PROJECT_ID" -> null |
| 87 | + - role = "roles/storage.objectViewer" -> null |
| 88 | + } |
| 89 | + |
| 90 | + # module.service_accounts.google_project_iam_member.project-roles["test-first-PROJECT_ID=>roles/storage.objectViewer"] will be created |
| 91 | + + resource "google_project_iam_member" "project-roles" { |
| 92 | + + etag = (known after apply) |
| 93 | + + id = (known after apply) |
| 94 | + + member = "serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" |
| 95 | + + project = "PROJECT_ID" |
| 96 | + + role = "roles/storage.objectViewer" |
| 97 | + } |
| 98 | + |
| 99 | + # module.service_accounts.google_project_iam_member.project-roles["test-first-PROJECT_ID=>roles/viewer"] will be created |
| 100 | + + resource "google_project_iam_member" "project-roles" { |
| 101 | + + etag = (known after apply) |
| 102 | + + id = (known after apply) |
| 103 | + + member = "serviceAccount:test-first@PROJECT_ID.iam.gserviceaccount.com" |
| 104 | + + project = "PROJECT_ID" |
| 105 | + + role = "roles/viewer" |
| 106 | + } |
| 107 | + |
| 108 | + # module.service_accounts.google_project_iam_member.project-roles["test-second-PROJECT_ID=>roles/storage.objectViewer"] will be created |
| 109 | + + resource "google_project_iam_member" "project-roles" { |
| 110 | + + etag = (known after apply) |
| 111 | + + id = (known after apply) |
| 112 | + + member = "serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" |
| 113 | + + project = "PROJECT_ID" |
| 114 | + + role = "roles/storage.objectViewer" |
| 115 | + } |
| 116 | + |
| 117 | + # module.service_accounts.google_project_iam_member.project-roles["test-second-PROJECT_ID=>roles/viewer"] will be created |
| 118 | + + resource "google_project_iam_member" "project-roles" { |
| 119 | + + etag = (known after apply) |
| 120 | + + id = (known after apply) |
| 121 | + + member = "serviceAccount:test-second@PROJECT_ID.iam.gserviceaccount.com" |
| 122 | + + project = "PROJECT_ID" |
| 123 | + + role = "roles/viewer" |
| 124 | + } |
| 125 | + |
| 126 | + Plan: 4 to add, 0 to change, 4 to destroy. |
| 127 | + ``` |
| 128 | + |
| 129 | +5. Run `terraform apply` to finalize the migration. |
| 130 | + |
| 131 | + ``` |
| 132 | + Apply complete! Resources: 4 added, 0 changed, 4 destroyed. |
| 133 | + ``` |
0 commit comments