From c24149ecd939e683f37af4530e9b7f83cc83464b Mon Sep 17 00:00:00 2001
From: pp
Date: Fri, 16 Aug 2019 11:25:14 +0300
Subject: [PATCH] Add storage.objectViewer role to SA

* Added `sa_grant_gcs_access` variable to grant `roles/storage.objectViewer` to created SA (Fixes #229)
---
 CHANGELOG.md | 4 ++++
 README.md | 1 +
 autogen/sa.tf | 8 ++++++++
 autogen/variables.tf | 6 ++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/sa.tf | 8 ++++++++
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/sa.tf | 8 ++++++++
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/sa.tf | 8 ++++++++
 modules/private-cluster/variables.tf | 6 ++++++
 sa.tf | 8 ++++++++
 variables.tf | 6 ++++++
 15 files changed, 78 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dcf45071b5..6d1d3e079a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,9 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
 ### Added
+* Added `sa_grant_gcs_access` variable to grant `roles/storage.objectViewer` to created SA [#236]
+### Added
+
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
@@ -168,6 +171,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
+[#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216
 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214
 [#210]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/210
diff --git a/README.md b/README.md
index 8ea95f1635..5ad81004f1 100644
--- a/README.md
+++ b/README.md
@@ -168,6 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sa\_grant\_gcs\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/autogen/sa.tf b/autogen/sa.tf
index c5f7f132a1..09db26b635 100644
--- a/autogen/sa.tf
+++ b/autogen/sa.tf
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.sa_grant_gcs_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 48b5c97855..9f5835af84 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "sa_grant_gcs_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index f2cd8c925a..d4f953e129 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
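Review bot: The new `cluster_service_account-gcr` binding grants `roles/storage.objectViewer` on the whole project (`google_project_iam_member` with `project = var.project_id`), which is read access to every object in every GCS bucket of the project, while the resource name suggests the intent is only pulling images from GCR. If GCR pulls are the goal, a bucket-scoped binding (`google_storage_bucket_iam_member` on the registry bucket) would be the least-privilege form; if project-wide read really is intended, the resource name should say so, e.g. `resource "google_project_iam_member" "cluster_service_account-gcs_object_viewer" {`, matching the role-based naming of the sibling `-monitoring_viewer` resource. Either way a one-line comment above the resource stating the scope of the grant would help the next reader. The same hunk is repeated in modules/beta-private-cluster/sa.tf, modules/beta-public-cluster/sa.tf, modules/private-cluster/sa.tf and sa.tf, which are generated from autogen/sa.tf.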
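Review bot: The `sa_grant_gcs_access` description does not say that the grant is project-wide, nor that it has no effect unless `create_service_account` is also true (the `count` in sa.tf requires both), so a user reading the generated README table cannot judge the blast radius of enabling it. Suggest `description = "Grants the created cluster-specific service account the project-wide roles/storage.objectViewer role (read access to all GCS objects in the project). Only applied when create_service_account is true."`. The same variable block is duplicated in modules/beta-private-cluster/variables.tf, modules/beta-public-cluster/variables.tf, modules/private-cluster/variables.tf and variables.tf, and the README tables are derived from this text.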
@@ -189,6 +189,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sa\_grant\_gcs\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 0ebe86003d..3d86537937 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.sa_grant_gcs_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 3796c58e0f..f2348d8444 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "sa_grant_gcs_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 7240337192..f8d51cfa71 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -180,6 +180,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sa\_grant\_gcs\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 0ebe86003d..3d86537937 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.sa_grant_gcs_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 904d858b50..4ab6dd4101 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "sa_grant_gcs_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 035adc403e..0f7f22313f 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -177,6 +177,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sa\_grant\_gcs\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index 0ebe86003d..3d86537937 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.sa_grant_gcs_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 1aba1057a2..4b312da803 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "sa_grant_gcs_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
diff --git a/sa.tf b/sa.tf
index 0ebe86003d..3d86537937 100644
--- a/sa.tf
+++ b/sa.tf
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.sa_grant_gcs_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/variables.tf b/variables.tf
index 3c64fd5562..fbf06dd6f7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "sa_grant_gcs_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."