From a6dce1a491956d536ecf969b3bf22c6dede4da18 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Wed, 17 Aug 2022 15:41:13 -0700
Subject: [PATCH] feat: add module_depends_on to workload-identity (#1341)
Co-authored-by: Bharath KKB
---
 modules/workload-identity/README.md | 1 +
 modules/workload-identity/main.tf | 2 ++
 modules/workload-identity/variables.tf | 6 ++++++
 3 files changed, 9 insertions(+)
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index ec69dbb47..76c68883d 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -105,6 +105,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
 | k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
+| module\_depends\_on | List of modules or resources to depend on before annotating KSA. If multiple, all items must be the same type. | `list(any)` | `[]` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
 | project\_id | GCP project ID | `string` | n/a | yes |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 261b62e1c..f029692be 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -72,6 +72,8 @@ module "annotate-sa" {
 kubectl_create_command = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
 kubectl_destroy_command = "kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+
+ module_depends_on = var.module_depends_on
 }
 resource "google_service_account_iam_member" "main" {
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index ecf85e64e..1e1c9b931 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -101,3 +101,9 @@ variable "use_existing_context" {
 type = bool
 default = false
 }
+
+variable "module_depends_on" {
+ description = "List of modules or resources to depend on before annotating KSA. If multiple, all items must be the same type."
+ type = list(any)
+ default = []
+}
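Review bot: The new `module_depends_on = var.module_depends_on` line in `module "annotate-sa"` (main.tf) orders only the kubectl annotation step; as far as this hunk shows, the `google_service_account_iam_member.main` resource that opens right after the block is not tied to the same dependencies. A short comment above the new argument would make that scope explicit, for example `# Gates only the KSA annotation; the IAM binding below is not ordered by this input.` Both the module block and the resource extend outside the hunk, so confirm the resource has no `depends_on` of its own before settling the wording.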
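Review bot: The new `module_depends_on` variable in variables.tf declares `default = []` but still accepts an explicit `null`, which replaces the default and is passed unchanged into `module.annotate-sa` in main.tf. If the module's minimum Terraform version allows it (1.1 or later), adding `nullable = false` to the block keeps the value a list. The description could also say that passing one scalar attribute per dependency, such as a resource id, sidesteps the same-type restriction that `list(any)` imposes.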