terraform-google-modules · bharathkkb · May 8, 2021 · Apr 24, 2021 · Apr 24, 2021 · Apr 25, 2021
@@ -31,6 +31,7 @@ module "kubectl" {
 | create\_cmd\_triggers | List of any additional triggers for the create command execution. | map | `<map>` | no |
 | enabled | Flag to optionally disable usage of this module. | bool | `"true"` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to download. | string | `"281.0.0"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | string | `""` | no |
 | internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no |
 | kubectl\_create\_command | The kubectl command to create resources. | string | n/a | yes |
 | kubectl\_destroy\_command | The kubectl command to destroy resources. | string | n/a | yes |

@@ -29,8 +29,8 @@ module "gcloud_kubectl" {
   service_account_key_file = var.service_account_key_file
 
   create_cmd_entrypoint  = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body        = "${local.base_cmd} ${var.kubectl_create_command}"
+  create_cmd_body        = var.impersonate_service_account == "" ? "${local.base_cmd} ${var.kubectl_create_command}" : "${local.base_cmd} true ${var.impersonate_service_account} ${var.kubectl_create_command}"
   create_cmd_triggers    = var.create_cmd_triggers
   destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "${local.base_cmd} ${var.kubectl_destroy_command}"
+  destroy_cmd_body       = var.impersonate_service_account == "" ? "${local.base_cmd} ${var.kubectl_destroy_command}" : "${local.base_cmd} true ${var.impersonate_service_account} ${var.kubectl_destroy_command}"
 }
@@ -26,6 +26,8 @@ LOCATION=$2
 PROJECT_ID=$3
 INTERNAL=$4
 USE_EXISTING_CONTEXT=$5
+ENABLE_IMPERSONATE_SERVICE_ACCOUNT=$6
+IMPERSONATE_SERVICE_ACCOUNT=$7
 
 shift 5
 
@@ -50,6 +52,9 @@ else
     LOCATION_TYPE=$(grep -o "-" <<< "${LOCATION}" | wc -l)
 
     CMD="gcloud container clusters get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
+    if [[ "${ENABLE_IMPERSONATE_SERVICE_ACCOUNT}" == true ]]; then
+      CMD+=" --impersonate-service-account ${IMPERSONATE_SERVICE_ACCOUNT}"
+    fi
 
     if [[ $LOCATION_TYPE -eq 2 ]] ;then
         CMD+=" --zone ${LOCATION}"

@@ -98,3 +98,9 @@ variable "service_account_key_file" {
   description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
   default     = ""
 }
+
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}