diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 1ae78776f..9bab16502 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -20,6 +20,7 @@ module "my-app-workload-identity" {
   name = "my-application-name"
   namespace = "default"
   project_id = "my-gcp-project-name"
+  roles = ["roles/storage.Admin", "roles/compute.Admin"]
 }
 ```
@@ -75,6 +76,7 @@ module "my-app-workload-identity" {
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
+| roles | (optional) A list of roles to be added to the created Service account | list(string) | `` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |
 ## Outputs
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 288f3fdb2..316d771a3 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -64,3 +64,12 @@ resource "google_service_account_iam_member" "main" {
   role = "roles/iam.workloadIdentityUser"
   member = local.k8s_sa_gcp_derived_name
 }
+
+
+resource "google_project_iam_member" "workload_identity_sa_bindings" {
+  for_each = toset(var.roles)
+
+  project = var.project_id
+  role = each.value
+  member = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 8042f5432..05382f334 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
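Review bot: The new `workload_identity_sa_bindings` resource binds every entry of var.roles at project scope on var.project_id, and nothing in the hunk says so, so a reader cannot tell that a role like the README's example `roles/storage.Admin` applies to every bucket in the project rather than to the resources the workload actually needs. A header comment naming the scope and the least-privilege expectation would help, e.g. `# Project-level IAM bindings for the workload's GCP SA: each entry of var.roles is granted on var.project_id (non-authoritative, one member per role); prefer narrowly scoped roles.` Note also that `for_each = toset(var.roles)` requires every role string to be known at plan time, so callers cannot pass values derived from other resources in the same apply; the README or variable description should state that. `google_service_account.cluster_service_account` is declared outside this hunk, so its lifecycle relative to these bindings cannot be checked here.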
@@ -59,3 +59,9 @@ variable "automount_service_account_token" {
   default = false
   type = bool
 }
+
+variable "roles" {
+  type = list(string)
+  default = []
+  description = "(optional) A list of roles to be added to the created Service account"
+}
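Review bot: The description on `variable "roles"` does not say where the roles are bound, which is the fact a caller needs before listing broad roles; main.tf attaches them with google_project_iam_member on var.project_id, so the description should say `description = "(optional) IAM roles granted to the created GCP service account at the project level (on var.project_id)"`. The README table in this commit shows the default as an empty cell while the variable's default is `[]`; aligning the README cell to `[]` would remove that mismatch. If the module's required Terraform version permits variable validation blocks, rejecting empty strings in var.roles would turn a malformed entry into a plan-time error instead of an apply-time API error; this cannot be confirmed from the hunk.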