From 4f5ddeded6dd2dbe47342a948e1fb2c011002eee Mon Sep 17 00:00:00 2001
From: ykyr
Date: Thu, 30 Jun 2022 01:50:35 +0200
Subject: [PATCH] feat: WorkloadIdenity allow to use k8s sa from the different project (#1275)

* feat: allow to use k8s sa from the different project
* chore: generate docs

Co-authored-by: Bharath KKB
---
 modules/workload-identity/README.md    | 1 +
 modules/workload-identity/main.tf      | 7 ++++---
 modules/workload-identity/variables.tf | 6 ++++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 40a32eccf..8e5beb002 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -101,6 +101,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
+| k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index bb44e4122..69b17df1f 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -26,7 +26,8 @@ locals {
   output_k8s_name         = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
   output_k8s_namespace    = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
-  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+  k8s_sa_project_id       = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id
+  k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 }
 
 data "google_service_account" "cluster_service_account" {
@@ -40,7 +41,7 @@ resource "google_service_account" "cluster_service_account" {
   count        = var.use_existing_gcp_sa ? 0 : 1
   account_id   = local.gcp_given_name
-  display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
+  display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)
   project      = var.project_id
 }
 
@@ -65,7 +66,7 @@ module "annotate-sa" {
   skip_download               = true
   cluster_name                = var.cluster_name
   cluster_location            = var.location
-  project_id                  = var.project_id
+  project_id                  = local.k8s_sa_project_id
   impersonate_service_account = var.impersonate_service_account
   kubectl_create_command      = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index d19c2c9b6..ef8b1811e 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -54,6 +54,12 @@ variable "k8s_sa_name" {
   default     = null
 }
 
+variable "k8s_sa_project_id" {
+  description = "GCP project ID of the k8s service account; overrides `var.project_id`."
+  type        = string
+  default     = null
+}
+
 variable "namespace" {
   description = "Namespace for the Kubernetes service account"
   type        = string
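Review bot: In the new `k8s_sa_project_id` local only `null` falls back to `var.project_id`; an empty string is accepted as-is and flows into `k8s_sa_gcp_derived_name` as `serviceAccount:.svc.id.goog[...]` and into the `annotate-sa` module's `project_id` (third hunk), so a misconfigured caller learns about it at apply time rather than at plan time. The module already treats `""` as "unset" for `location` and `impersonate_service_account`, so `k8s_sa_project_id = coalesce(var.k8s_sa_project_id, var.project_id)` would cover both conventions in one line. A short comment above the local would also help, e.g. `# Project whose Workload Identity pool (<project>.svc.id.goog) the KSA belongs to, i.e. the GKE cluster's project; only differs from var.project_id when the cluster and the Google SA live in separate projects.`, since that is what both the IAM member string and the gcloud call in `annotate-sa` key on. The `locals` block opens above the hunk, and the IAM binding that consumes `k8s_sa_gcp_derived_name` is outside it, so I have not confirmed it reads the local rather than `var.project_id` directly.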
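Review bot: The description of `k8s_sa_project_id` says "GCP project ID of the k8s service account", but a Kubernetes service account has no GCP project; what this value selects is the Workload Identity pool `<project>.svc.id.goog`, which is the project hosting the GKE cluster, and the same project is used for the `kubectl annotate` call in main.tf. Suggest `description = "Project ID of the GKE cluster hosting the Kubernetes service account (its Workload Identity pool is <project>.svc.id.goog); defaults to var.project_id when null."` so callers know it must be set whenever the cluster and the Google service account live in different projects. The README row in the first hunk carries the same sentence and appears to be generated from this description, so correcting it here should fix both.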