feat: Allow workload identity submodule to update existing k8s SA. (#430

)
terraform-google-modules · Feb 11, 2020 · 51fba38 · 51fba38
1 parent 2cc64c8
commit 51fba38
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -15,16 +15,18 @@
  */
 
 locals {
-  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.name}]"
+  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+  gcp_sa_email            = google_service_account.cluster_service_account.email
 
   # This will cause terraform to block returning outputs until the service account is created
-  output_k8s_name      = var.use_existing_k8s_sa ? var.name : kubernetes_service_account.main[0].metadata[0].name
+  k8s_given_name       = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
+  output_k8s_name      = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
   output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 }
 
 resource "google_service_account" "cluster_service_account" {
   account_id   = var.name
-  display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_gcp_derived_name}", 0, 100)
+  display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
   project      = var.project_id
 }
 
@@ -40,6 +42,22 @@ resource "kubernetes_service_account" "main" {
   }
 }
 
+module "annotate-sa" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.5"
+
+  platform              = "linux"
+  additional_components = ["kubectl"]
+  enabled               = var.use_existing_k8s_sa
+  skip_download         = true
+
+  create_cmd_entrypoint = "kubectl"
+  create_cmd_body       = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
+
+  destroy_cmd_entrypoint = "kubectl"
+  destroy_cmd_body       = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+}
+
 resource "google_service_account_iam_member" "main" {
   service_account_id = google_service_account.cluster_service_account.name
   role               = "roles/iam.workloadIdentityUser"

diff --git a/modules/workload-identity/output.tf b/modules/workload-identity/output.tf
@@ -26,7 +26,7 @@ output "k8s_service_account_namespace" {
 
 output "gcp_service_account_email" {
   description = "Email address of GCP service account."
-  value       = google_service_account.cluster_service_account.email
+  value       = local.gcp_sa_email
 }
 
 output "gcp_service_account_fqn" {

diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -19,6 +19,12 @@ variable "name" {
   type        = string
 }
 
+variable "k8s_sa_name" {
+  description = "Name for the existing Kubernetes service account"
+  type        = string
+  default     = null
+}
+
 variable "namespace" {
   description = "Namespace for k8s service account"
   default     = "default"