From 4e4ce0287b6169a4554daa93138191844a100496 Mon Sep 17 00:00:00 2001
From: Martin Ivanov
Date: Tue, 19 Jan 2021 03:34:07 +0200
Subject: [PATCH] feat: Add the option to disable Kubernetes SA annotation in workload-identity. (#787)

* Add the option to disable Kubernetes SA annotation in workload-identity.

* Add the option to disable Kubernetes SA annotation in workload-identity. Generated documentation.

Co-authored-by: Bharath KKB
---
 modules/workload-identity/README.md | 1 +
 modules/workload-identity/main.tf | 2 +-
 modules/workload-identity/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index ddaf6020b..36f0349de 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -69,6 +69,7 @@ module "my-app-workload-identity" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no |
 | automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no |
 | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the existing Kubernetes service account | `string` | `null` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 316d771a3..8deb6d7c6 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -49,7 +49,7 @@ module "annotate-sa" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 version = "~> 2.0.2"
 
- enabled = var.use_existing_k8s_sa
+ enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa
 skip_download = true
 cluster_name = var.cluster_name
 cluster_location = var.location
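Review bot: With `annotate_k8s_sa = false` the `annotate-sa` step is skipped silently, yet the `iam.gke.io/gcp-service-account` annotation is what ties the existing KSA to the GSA; if the caller never applies it, workloads run without the intended identity mapping and nothing in this module surfaces that. A comment on the changed `enabled` line would make the contract explicit: `# When annotate_k8s_sa is false the caller owns the iam.gke.io/gcp-service-account annotation; the KSA/GSA mapping is incomplete until it is applied.` The same point applies to the new `annotate_k8s_sa` variable in variables.tf, whose description could end with `When false, the annotation must be applied outside this module for Workload Identity to take effect.` The `annotate-sa` module block continues outside the hunk.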
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 05382f334..d9b06b853 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -54,6 +54,12 @@ variable "use_existing_k8s_sa" {
 type = bool
 }
 
+variable "annotate_k8s_sa" {
+ description = "Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used."
+ default = true
+ type = bool
+}
+
 variable "automount_service_account_token" {
 description = "Enable automatic mounting of the service account token"
 default = false