[workload-identity] Options to disable annotating existing service account #622

Closed · dhoeric opened this issue Aug 10, 2020 · 3 comments

Comments

@dhoeric
Contributor

dhoeric commented Aug 10, 2020

Thanks for creating the workload-identity module; it saves me tons of time.
I have already set up the KSA's Workload Identity annotation via another source, which is Helm.

So I am using the module to create the GCP Service Account resource and do the mapping; therefore I went ahead with use_existing_k8s_sa = true.

However, the annotate-sa keeps being re-created whenever I apply the Terraform config, i.e.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.vault_workload_identity.module.annotate-sa.null_resource.run_command[0] must be replaced
-/+ resource "null_resource" "run_command" {
      ~ id       = "7716742383294981629" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "arguments"              = "98c9e20dc25f83faf81364fb6a8e56b8" -> "a9c984dc6181e56976c2824ad45107d6"
          ~ "create_cmd_body"        = "xxx"
            "create_cmd_entrypoint"  = ".terraform/modules/vault_workload_identity/terraform-google-kubernetes-engine-10.0.0/modules/workload-identity/scripts/kubectl_wrapper.sh"
          ~ "destroy_cmd_body"       = "xxx"
            "destroy_cmd_entrypoint" = ".terraform/modules/vault_workload_identity/terraform-google-kubernetes-engine-10.0.0/modules/workload-identity/scripts/kubectl_wrapper.sh"
            "gcloud_bin_abs_path"    = "xxx"
            "md5"                    = "db357f7040b2589b799b5e90523802b5"
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

------------------------------------------------------------------------

To solve this issue, one possibility would be adding an option to disable annotating the existing KSA, but I'm open to learning about other solutions.

@dhoeric
Contributor Author

dhoeric commented Aug 10, 2020

Attached with the module config as reference:

module "vault_workload_identity" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version = "~> 10.0.0"

  project_id = var.gcp_project_id
  name       = local.vault_sa_name

  use_existing_k8s_sa = true
  location            = var.gke_cluster_location
  cluster_name        = var.gke_cluster_name

  namespace   = local.vault_namespace
  k8s_sa_name = "vault"
}
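When a KSA annotation is owned by two sources (Helm and this module), the practical risk is the two disagreeing about which GSA the KSA maps to. The following drift check is an added example, not code from the issue or from the terraform-google-kubernetes-engine module; it assumes the module's `name` input is the GSA account id (so the GSA email is `<name>@<project_id>.iam.gserviceaccount.com`), uses the standard GKE annotation key `iam.gke.io/gcp-service-account`, and reads the KSA as `kubectl get sa -o json` would print it, with a constructed sample inline.

```python
"""Drift check for a Workload Identity binding managed from two sources.

Added example, not code from the issue or the module. Assumes the module's
`name` input is the GSA account id and that the KSA JSON has the shape
`kubectl get sa <name> -n <ns> -o json` prints.
"""
import json

WI_ANNOTATION = "iam.gke.io/gcp-service-account"  # standard GKE Workload Identity key


def expected_gsa_email(project_id: str, name: str) -> str:
    # Assumption: module `name` == GSA account id.
    return f"{name}@{project_id}.iam.gserviceaccount.com"


def expected_wi_member(project_id: str, namespace: str, ksa_name: str) -> str:
    # The principal that needs roles/iam.workloadIdentityUser on the GSA.
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def check_ksa_binding(ksa_json: str, project_id: str, name: str) -> dict:
    """Compare the annotation already on the KSA (e.g. set by Helm) with the
    GSA the module would bind. Reports only; it never mutates the KSA."""
    sa = json.loads(ksa_json)
    meta = sa.get("metadata", {})
    ns, ksa = meta.get("namespace", ""), meta.get("name", "")
    actual = (meta.get("annotations") or {}).get(WI_ANNOTATION)
    wanted = expected_gsa_email(project_id, name)
    return {
        "ksa": f"{ns}/{ksa}",
        "annotated": actual is not None,
        "matches_module": actual == wanted,
        "actual_gsa": actual,
        "expected_gsa": wanted,
        "wi_member": expected_wi_member(project_id, ns, ksa),
    }


# Constructed sample: a KSA that Helm annotated before the module ran.
SAMPLE_KSA = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "name": "vault", "namespace": "vault",
        "annotations": {WI_ANNOTATION: "vault@example-project.iam.gserviceaccount.com"},
    },
})

if __name__ == "__main__":
    print(json.dumps(check_ksa_binding(SAMPLE_KSA, "example-project", "vault"), indent=2))
```

If `matches_module` is false, either the Helm values or the module's `name`/`project_id` are wrong, and applying the module would silently re-point the KSA at a different identity.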

@bharathkkb
Member

Hi @dhoeric
Glad to hear that! :)

the annotate-sa keeps being re-created whenever I apply the Terraform config

We recently fixed this with #602, and it should be fixed in the 11.0 release.
You can give it a whirl now on master to see if it works as intended.

module "vault_workload_identity" {
  source     = "github.com/terraform-google-modules/terraform-google-kubernetes-engine//modules/workload-identity"
  project_id = var.gcp_project_id
  name       = local.vault_sa_name
  ...
}

@dhoeric
Contributor Author

dhoeric commented Aug 10, 2020

It works, thanks!!

@dhoeric dhoeric closed this as completed Aug 10, 2020