From 51fba381e67bae686bd709fa2ffaf9d4377866f1 Mon Sep 17 00:00:00 2001
From: Morgante Pell
Date: Tue, 11 Feb 2020 09:47:08 -0500
Subject: [PATCH] feat: Allow workload identity submodule to update existing k8s SA. (#430)
---
 modules/workload-identity/main.tf | 24 +++++++++++++++++++++---
 modules/workload-identity/output.tf | 2 +-
 modules/workload-identity/variables.tf | 6 ++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 7d0b652e9..cd0504549 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -15,16 +15,18 @@
  */
 locals {
- k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.name}]"
+ k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+ gcp_sa_email = google_service_account.cluster_service_account.email
 # This will cause terraform to block returning outputs until the service account is created
- output_k8s_name = var.use_existing_k8s_sa ? var.name : kubernetes_service_account.main[0].metadata[0].name
+ k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
+ output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
 output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 }
 resource "google_service_account" "cluster_service_account" {
 account_id = var.name
- display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_gcp_derived_name}", 0, 100)
+ display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
 project = var.project_id
 }
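Review bot: The new `display_name` drops the project and namespace that the removed line carried, so two GCP service accounts bound to same-named Kubernetes service accounts in different namespaces become indistinguishable in the console and in audit review. Since `var.namespace` does not depend on the Kubernetes resource, including it keeps the context without the dependency loop the change presumably works around: `display_name = substr("GCP SA bound to K8S SA ${var.namespace}/${local.k8s_given_name}", 0, 100)`. Separately, `k8s_given_name` honours `var.k8s_sa_name` even when `use_existing_k8s_sa` is false, although the variable is described as the name of an existing account; `kubernetes_service_account.main` is outside this hunk, so I cannot confirm whether a module-created account would then carry a different name from the one shown in the display name.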
@@ -40,6 +42,22 @@ resource "kubernetes_service_account" "main" {
 }
 }
+module "annotate-sa" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 0.5"
+
+ platform = "linux"
+ additional_components = ["kubectl"]
+ enabled = var.use_existing_k8s_sa
+ skip_download = true
+
+ create_cmd_entrypoint = "kubectl"
+ create_cmd_body = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
+
+ destroy_cmd_entrypoint = "kubectl"
+ destroy_cmd_body = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+}
+
 resource "google_service_account_iam_member" "main" {
 service_account_id = google_service_account.cluster_service_account.name
 role = "roles/iam.workloadIdentityUser"
diff --git a/modules/workload-identity/output.tf b/modules/workload-identity/output.tf
index 32b5a2d2d..c4c98986b 100644
--- a/modules/workload-identity/output.tf
+++ b/modules/workload-identity/output.tf
@@ -26,7 +26,7 @@ output "k8s_service_account_namespace" {
 output "gcp_service_account_email" {
 description = "Email address of GCP service account."
- value = google_service_account.cluster_service_account.email
+ value = local.gcp_sa_email
 }
 output "gcp_service_account_fqn" {
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 6e7cf6f7e..db991097a 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -19,6 +19,12 @@ variable "name" {
 type = string
 }
+variable "k8s_sa_name" {
+ description = "Name for the existing Kubernetes service account"
+ type = string
+ default = null
+}
+
 variable "namespace" {
 description = "Namespace for k8s service account"
 default = "default"
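Review bot: `create_cmd_body` runs `kubectl annotate` without `--overwrite`, so the apply fails whenever the existing service account already carries an `iam.gke.io/gcp-service-account` annotation with a different value, for instance after the GCP service account has been recreated or when the account was bound by hand earlier; `create_cmd_body = "annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"` makes the step idempotent. The namespace and name in that string are caller-supplied module inputs interpolated directly into a command line that the gcloud module executes, so they should be constrained to valid Kubernetes object names before they reach this block rather than trusted as-is. The module also declares no dependency on `google_service_account_iam_member.main`, so the annotation can land before the `roles/iam.workloadIdentityUser` binding exists; if the Terraform version in use supports `depends_on` for modules that would make the ordering explicit, otherwise a comment noting that the binding is created independently would help the next reader. Because this path binds an account that already has workloads, a comment such as `# Binding an existing K8s SA grants every pod using it access as the GCP SA; review its consumers first.` documents the widened trust boundary at the point where it is introduced.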
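Review bot: The description of `k8s_sa_name` does not say what happens when it is left at its `null` default, which main.tf resolves to `var.name`, nor that the resolved name is the Kubernetes account whose identity gets bound to the GCP service account. Suggest `description = "Name of the existing Kubernetes service account to bind; defaults to var.name when null. Intended for use with use_existing_k8s_sa = true."`, noting that main.tf also uses the resolved name in the GCP service account's `display_name` regardless of `use_existing_k8s_sa`.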