From 33481eac515ac49711b76497ebdb02ad137451da Mon Sep 17 00:00:00 2001
From: Mmadu Manasseh
Date: Fri, 9 Oct 2020 17:00:08 +0100
Subject: [PATCH 1/3] Workload Identity: allow passing roles to created service account
---
 modules/workload-identity/README.md | 1 +
 modules/workload-identity/main.tf | 9 +++++++++
 modules/workload-identity/variables.tf | 6 ++++++
 3 files changed, 16 insertions(+)
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 1ae78776f2..a0c498928b 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -20,6 +20,7 @@ module "my-app-workload-identity" {
 name = "my-application-name"
 namespace = "default"
 project_id = "my-gcp-project-name"
+ roles = ["roles/storage.Admin", "roles/compute.Admin"]
 }
 ```
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 288f3fdb28..294068907e 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -64,3 +64,12 @@ resource "google_service_account_iam_member" "main" {
 role = "roles/iam.workloadIdentityUser"
 member = local.k8s_sa_gcp_derived_name
 }
+
+
+resource "google_project_iam_member" "workload_identity_sa_bindings" {
+ count = length(var.roles)
+
+ project = var.project_id
+ role = var.roles[count.index]
+ member = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 8042f54320..05382f3348 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -59,3 +59,9 @@ variable "automount_service_account_token" {
 default = false
 type = bool
 }
+
+variable "roles" {
+ type = list(string)
+ default = []
+ description = "(optional) A list of roles to be added to the created Service account"
+}
From 084dbef68976e370deb7316b35cd145083f64b60 Mon Sep 17 00:00:00 2001
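Review bot: `google_project_iam_member.workload_identity_sa_bindings` in the main.tf hunk grants every entry of `var.roles` at project scope on `var.project_id` to the workload's service account, and nothing in the module constrains which roles a caller may pass, so the permissions reachable from a pod that holds this identity are exactly whatever the caller lists. Using the additive `google_project_iam_member` rather than an authoritative `_binding` is the right choice, but the scope and the absence of any restriction deserve a comment above the resource: `# Additive, project-level IAM bindings for the workload's GCP SA: one google_project_iam_member per entry in var.roles; no restriction on which roles may be passed.` The README hunk in the same patch illustrates the variable with `roles/storage.Admin` and `roles/compute.Admin`; GCP predefined role IDs are lowercase (`roles/storage.admin`, `roles/compute.admin`), and an example built on a narrow role such as `roles/storage.objectViewer` would show callers the least-privilege use this module is meant for.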
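Review bot: The description added for `roles` in the variables.tf hunk says the roles are "added to the created Service account" but not at which scope; as wired in main.tf each entry becomes a project-level binding on `var.project_id`, which a caller deciding between a project-wide role and a resource-scoped grant needs to know before passing it. Suggest `description = "(optional) IAM roles (e.g. roles/storage.objectViewer) bound to the created GCP service account at the project level on var.project_id; prefer the narrowest predefined roles the workload needs."`. If the module's required Terraform version already permits custom variable validation, a `validation` block asserting each entry starts with `roles/` or `projects/` would turn a mistyped role ID into a plan-time error instead of an apply-time failure.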
From: Mmadu Manasseh
Date: Fri, 9 Oct 2020 19:19:00 +0100
Subject: [PATCH 2/3] use for_each instead of count
---
 modules/workload-identity/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 294068907e..316d771a3e 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -67,9 +67,9 @@ resource "google_service_account_iam_member" "main" {
 resource "google_project_iam_member" "workload_identity_sa_bindings" {
- count = length(var.roles)
+ for_each = toset(var.roles)
 project = var.project_id
- role = var.roles[count.index]
+ role = each.value
 member = "serviceAccount:${google_service_account.cluster_service_account.email}"
 }
From 4335d9d443f5659bd096e41576d3c5efaad126b5 Mon Sep 17 00:00:00 2001
From: Mmadu Manasseh
Date: Fri, 9 Oct 2020 20:25:48 +0100
Subject: [PATCH 3/3] Update README docs
---
 modules/workload-identity/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index a0c498928b..9bab165020 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -76,6 +76,7 @@ module "my-app-workload-identity" {
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
+| roles | (optional) A list of roles to be added to the created Service account | list(string) | `` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |
 ## Outputs
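Review bot: `for_each = toset(var.roles)` keys each binding by the role string, so reordering the list no longer destroys and recreates bindings and duplicate entries collapse to one, but `for_each` keys must be known at plan time, which `count` did not require of the individual elements. A caller that builds `roles` from attributes of resources created in the same plan (for example a custom role defined alongside this module) will now get a plan-time error instead of a deferred value, and that constraint is not documented anywhere in the series. Suggest adding a comment on the `for_each` line, `# keyed by role ID so list order changes do not recreate bindings; values must be known at plan time`, and the same sentence in the `roles` variable description.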