From 4a61f7627946489b9ff7e6c0ae978c38c95c5adf Mon Sep 17 00:00:00 2001 From: Don Petersen Date: Tue, 29 Dec 2020 13:49:23 -0800 Subject: [PATCH] feat: Set auto-provisioned node pools to use configured service account (#639) --- autogen/main/cluster.tf.tmpl | 10 +++++++++- autogen/main/sa.tf.tmpl | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 10 +++++++++- modules/beta-private-cluster-update-variant/sa.tf | 2 +- modules/beta-private-cluster/cluster.tf | 10 +++++++++- modules/beta-private-cluster/sa.tf | 2 +- modules/beta-public-cluster-update-variant/cluster.tf | 10 +++++++++- modules/beta-public-cluster-update-variant/sa.tf | 2 +- modules/beta-public-cluster/cluster.tf | 10 +++++++++- modules/beta-public-cluster/sa.tf | 2 +- modules/private-cluster-update-variant/sa.tf | 2 +- modules/private-cluster/sa.tf | 2 +- sa.tf | 2 +- test/integration/node_pool/controls/gcloud.rb | 2 +- 14 files changed, 54 insertions(+), 14 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 1597d2b80..4b66ba837 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -77,8 +77,16 @@ resource "google_container_cluster" "primary" { {% endif %} cluster_autoscaling { - enabled = var.cluster_autoscaling.enabled + enabled = var.cluster_autoscaling.enabled {% if beta_cluster %} + dynamic "auto_provisioning_defaults" { + for_each = var.cluster_autoscaling.enabled ? [1] : [] + + content { + service_account = local.service_account + oauth_scopes = local.node_pools_oauth_scopes["all"] + } + } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" {% endif %} dynamic "resource_limits" { diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl index 68a0a67f1..6eddbfea1 100644 --- a/autogen/main/sa.tf.tmpl +++ b/autogen/main/sa.tf.tmpl 
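Review bot: The new `auto_provisioning_defaults` block hard-wires `oauth_scopes = local.node_pools_oauth_scopes["all"]`, and the updated integration expectation shows that resolving to `https://www.googleapis.com/auth/cloud-platform` alongside `"serviceAccount" => "default"`, so when `var.create_service_account` is false and `var.service_account` is left empty the auto-provisioned nodes appear to run as the project's default compute service account with the broadest scope — the privilege posture the module's dedicated-service-account option exists to avoid. Consider a comment on the block such as `# Auto-provisioned pools inherit local.service_account and the "all" scope set; with create_service_account = false and no var.service_account this is the default compute SA with cloud-platform scope, so supply a least-privilege SA.` and a matching sentence in the `service_account` / `cluster_autoscaling` variable descriptions (not part of this diff). It is also worth confirming that the `"all"` key is guaranteed to exist in `local.node_pools_oauth_scopes`, since the block dereferences it unconditionally whenever autoscaling is enabled. The same block is duplicated in the generated modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-private-cluster/cluster.tf, modules/beta-public-cluster-update-variant/cluster.tf and modules/beta-public-cluster/cluster.tf hunks, so any fix here should be regenerated into them.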
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 29919705c..be5e4132e 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -66,7 +66,15 @@ resource "google_container_cluster" "primary" { monitoring_service = local.cluster_telemetry_type_is_set ? null : var.monitoring_service cluster_autoscaling { - enabled = var.cluster_autoscaling.enabled + enabled = var.cluster_autoscaling.enabled + dynamic "auto_provisioning_defaults" { + for_each = var.cluster_autoscaling.enabled ? [1] : [] + + content { + service_account = local.service_account + oauth_scopes = local.node_pools_oauth_scopes["all"] + } + } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscalling_resource_limits diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 6403d5dc4..a91c2b3ec 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -66,7 +66,15 @@ resource "google_container_cluster" "primary" { monitoring_service = local.cluster_telemetry_type_is_set ? null : var.monitoring_service cluster_autoscaling { - enabled = var.cluster_autoscaling.enabled + enabled = var.cluster_autoscaling.enabled + dynamic "auto_provisioning_defaults" { + for_each = var.cluster_autoscaling.enabled ? [1] : [] + + content { + service_account = local.service_account + oauth_scopes = local.node_pools_oauth_scopes["all"] + } + } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscalling_resource_limits diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 1279b2b6b..df9979c05 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -66,7 +66,15 @@ resource "google_container_cluster" "primary" { monitoring_service = local.cluster_telemetry_type_is_set ? null : var.monitoring_service cluster_autoscaling { - enabled = var.cluster_autoscaling.enabled + enabled = var.cluster_autoscaling.enabled + dynamic "auto_provisioning_defaults" { + for_each = var.cluster_autoscaling.enabled ? [1] : [] + + content { + service_account = local.service_account + oauth_scopes = local.node_pools_oauth_scopes["all"] + } + } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscalling_resource_limits diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 0c60df924..551b6d6e7 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -66,7 +66,15 @@ resource "google_container_cluster" "primary" { monitoring_service = local.cluster_telemetry_type_is_set ? null : var.monitoring_service cluster_autoscaling { - enabled = var.cluster_autoscaling.enabled + enabled = var.cluster_autoscaling.enabled + dynamic "auto_provisioning_defaults" { + for_each = var.cluster_autoscaling.enabled ? [1] : [] + + content { + service_account = local.service_account + oauth_scopes = local.node_pools_oauth_scopes["all"] + } + } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscalling_resource_limits diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/private-cluster-update-variant/sa.tf +++ b/modules/private-cluster-update-variant/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index 6b79badb2..8c1e57860 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/sa.tf b/sa.tf index 6b79badb2..8c1e57860 100644 --- a/sa.tf +++ b/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - // if user set var.service_accont it will be used even if var.create_service_account==true, so service account will be created but not used + // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account } diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb index 03ee609fd..281455794 100644 --- a/test/integration/node_pool/controls/gcloud.rb +++ b/test/integration/node_pool/controls/gcloud.rb @@ -37,7 +37,7 @@ it "has the expected cluster autoscaling settings" do expect(data['autoscaling']).to eq({ "autoprovisioningNodePoolDefaults" => { - "oauthScopes" => %w(https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/monitoring), + "oauthScopes" => %w(https://www.googleapis.com/auth/cloud-platform), "serviceAccount" => "default" }, "autoscalingProfile" => "OPTIMIZE_UTILIZATION",
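Review bot: The `"serviceAccount" => "default"` / `cloud-platform` pair now pinned in this expectation means the fixture exercises auto-provisioning with the project's default compute service account and the broadest OAuth scope, so the integration test never verifies that a module-created service account is propagated to auto-provisioned pools, which is the behaviour the commit title promises. Consider a fixture variant with `create_service_account = true` whose control asserts the module-managed account (not `"default"`) appears under `autoprovisioningNodePoolDefaults`, or at minimum a comment above the hash such as `# fixture leaves create_service_account/service_account unset, so auto-provisioned pools inherit the default compute SA; scope comes from node_pools_oauth_scopes["all"]` so a reader does not take `"default"` as the intended posture. The fixture inputs are outside this hunk, so the exact variable values are inferred from the expected output.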