fix: Shorten GSA account_id if necessary (#666)

Author: Jacob Ferriero

modules/workload-identity/README.md

@@ -72,7 +72,7 @@ module "my-app-workload-identity" {
 | cluster\_name | Cluster name. Required if using existing KSA. | string | `""` | no |
 | k8s\_sa\_name | Name for the existing Kubernetes service account | string | `"null"` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | string | `""` | no |
-| name | Name for both service accounts | string | n/a | yes |
+| name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |

modules/workload-identity/main.tf

@@ -25,7 +25,9 @@ locals {
 }
 
 resource "google_service_account" "cluster_service_account" {
-  account_id   = var.name
+  # GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
+  # KSA do not have this naming restriction.
+  account_id   = substr(var.name, 0, 30)
   display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
   project      = var.project_id
 }

modules/workload-identity/scripts/kubectl_wrapper.sh

@@ -15,7 +15,7 @@
  */
 
 variable "name" {
-  description = "Name for both service accounts"
+  description = "Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary."
   type        = string
 }