diff --git a/README.md b/README.md
index 0351383dfb..da19bc5059 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index ecf305b7b6..20cbf0a425 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -536,13 +536,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
-
- upgrade = var.gcloud_upgrade
+ upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/autogen/main/scripts/wait-for-cluster.sh b/autogen/main/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/autogen/main/scripts/wait-for-cluster.sh
+++ b/autogen/main/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index de4af2700a..fb71d30944 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
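Review bot: The template keeps `upgrade = var.gcloud_upgrade` (it is removed and re-added directly under `enabled`), but every generated `cluster.tf` hunk in this same diff (root `cluster.tf` and each `modules/*/cluster.tf`) shows `- upgrade = var.gcloud_upgrade` with no `+` counterpart and a 13-to-12 line count, so as rendered the generated modules silently stop wiring `gcloud_upgrade` into the gcloud module while `variable "gcloud_upgrade"` still exists in their `variables.tf`. If that is not a rendering artifact of this page, the modules need to be regenerated from the template so the `upgrade` line is restored. Separately, `var.impersonate_service_account` is interpolated unquoted into `create_cmd_body` and `destroy_cmd_body`, which the gcloud module presumably hands to a shell; with the empty default the body ends in a trailing space and the script receives no third argument, which is only fine if the script tolerates a missing `$3`. A short comment on the body line, e.g. `# third arg is optional; wait-for-cluster.sh must handle it being absent`, would make that contract explicit. The enclosing module block continues outside the hunk.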
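Review bot: `--impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT"` is passed on every call, including when the variable is empty (the Terraform default), so the "falls back to Application Default Credentials" promise in the variable description depends on gcloud treating an empty flag value exactly like an absent flag, which I would not rely on. The flag should only be added when a service account was actually supplied, and since the module body ends with a trailing space when the variable is empty, `$3` may be unset rather than empty; `IMPERSONATE_SERVICE_ACCOUNT=${3:-}` keeps this safe if the script header (outside this hunk) ever enables `set -u`. The `${arr[@]+"${arr[@]}"}` form below is the idiom that survives `set -u` on older bash when the array is empty. The script's header and argument check precede this hunk.
```shell
IMPERSONATE_SERVICE_ACCOUNT=${3:-}
# Only pass the impersonation flag when a service account was given; an empty
# value would otherwise be handed to gcloud instead of falling back to ADC.
impersonate_flag=()
if [[ -n "$IMPERSONATE_SERVICE_ACCOUNT" ]]; then
  impersonate_flag=(--impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
fi
# … unchanged: echo "Waiting for cluster …" …
while
  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" ${impersonate_flag[@]+"${impersonate_flag[@]}"})
  [[ "${current_status}" != "RUNNING" ]]
do printf ".";sleep 5; done
```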
@@ -555,3 +555,9 @@ variable "disable_default_snat" {
 default = false
 }
 {% endif %}
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/cluster.tf b/cluster.tf
index 9b1ecde459..243c458980 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -320,13 +320,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index a6b0d2e780..a063c28ec3 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
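Review bot: The description of `impersonate_service_account` does not say what the caller needs for impersonation to succeed, nor that the value only affects the gcloud call in the wait-for-cluster script: the google provider's own credentials are configured separately, so cluster creation and the wait poll can run as two different principals, and a user who expects this variable to switch the whole module's identity will be misled. Suggested description: `An optional service account to impersonate for the gcloud calls made by the wait-for-cluster script only (the google provider's credentials are configured separately). The principal running Terraform needs roles/iam.serviceAccountTokenCreator on that account. If unset, the gcloud calls use Application Default Credentials.` The README tables elsewhere in this diff repeat the description and should be regenerated with it.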
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index ca06467760..b9cf27b6e3 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -494,13 +494,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh
+++ b/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 2b1452adc2..1e3094875f 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -539,3 +539,9 @@ variable "disable_default_snat" {
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 6fd297ff9c..e9ecbbb5c5 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 3324d25b45..ed581a383b 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -421,13 +421,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/beta-private-cluster/scripts/wait-for-cluster.sh b/modules/beta-private-cluster/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/beta-private-cluster/scripts/wait-for-cluster.sh
+++ b/modules/beta-private-cluster/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 2b1452adc2..1e3094875f 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -539,3 +539,9 @@ variable "disable_default_snat" {
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 7781e81326..c03f38f5fb 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -171,6 +171,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index aa4d2ea2f1..ad9a3a877b 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -475,13 +475,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh
+++ b/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 00393835bc..04a6bf54de 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -508,3 +508,9 @@ variable "disable_default_snat" {
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index f827e3cbe1..705db2a22b 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -149,6 +149,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 0391c1afe7..3acae2d2cd 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -402,13 +402,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/beta-public-cluster/scripts/wait-for-cluster.sh b/modules/beta-public-cluster/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/beta-public-cluster/scripts/wait-for-cluster.sh
+++ b/modules/beta-public-cluster/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 00393835bc..04a6bf54de 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -508,3 +508,9 @@ variable "disable_default_snat" {
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 94c27f5097..a6fcab2e57 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -167,6 +167,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 9b6e69b1b1..a5eeae7262 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -406,13 +406,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh
+++ b/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 2c9f1b6bc8..3acc6218b0 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -437,3 +437,9 @@ variable "gcloud_upgrade" {
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 17a1195f90..c5f6ce7a0b 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -145,6 +145,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index e61ad00d7e..a4ca5bdc01 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -333,13 +333,12 @@ module "gcloud_wait_for_cluster" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 2.0.2"
 enabled = ! var.skip_provisioners
- upgrade = var.gcloud_upgrade
 create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- create_cmd_body = "${var.project_id} ${var.name}"
+ create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
- destroy_cmd_body = "${var.project_id} ${var.name}"
+ destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 module_depends_on = concat(
 [google_container_cluster.primary.master_version],
diff --git a/modules/private-cluster/scripts/wait-for-cluster.sh b/modules/private-cluster/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/modules/private-cluster/scripts/wait-for-cluster.sh
+++ b/modules/private-cluster/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 2c9f1b6bc8..3acc6218b0 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -437,3 +437,9 @@ variable "gcloud_upgrade" {
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/scripts/wait-for-cluster.sh b/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/scripts/wait-for-cluster.sh
+++ b/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/variables.tf b/variables.tf
index 6e3a8bf5cf..40a0b91b25 100644
--- a/variables.tf
+++ b/variables.tf
@@ -413,3 +413,9 @@ variable "gcloud_upgrade" {
 default = false
 }
+
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}