From f9d738bc0ed45fede06e59829655ea3a24f3fb6f Mon Sep 17 00:00:00 2001 From: Dev Date: Mon, 2 Nov 2020 16:22:12 +0000 Subject: [PATCH 1/3] Rebase impersonation support PR for scripts Signed-off-by: Dev --- README.md | 3 ++- autogen/main/cluster.tf.tmpl | 7 +++---- autogen/main/scripts/wait-for-cluster.sh | 3 ++- autogen/main/variables.tf.tmpl | 5 +++++ cluster.tf | 5 ++--- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 5 ++--- .../scripts/wait-for-cluster.sh | 3 ++- modules/beta-private-cluster-update-variant/variables.tf | 5 +++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 5 ++--- modules/beta-private-cluster/scripts/wait-for-cluster.sh | 3 ++- modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 5 ++--- .../scripts/wait-for-cluster.sh | 3 ++- modules/beta-public-cluster-update-variant/variables.tf | 5 +++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 5 ++--- modules/beta-public-cluster/scripts/wait-for-cluster.sh | 3 ++- modules/beta-public-cluster/variables.tf | 5 +++++ modules/private-cluster-update-variant/README.md | 3 ++- modules/private-cluster-update-variant/cluster.tf | 5 ++--- .../scripts/wait-for-cluster.sh | 3 ++- modules/private-cluster-update-variant/variables.tf | 5 +++++ modules/private-cluster/README.md | 3 ++- modules/private-cluster/cluster.tf | 5 ++--- modules/private-cluster/scripts/wait-for-cluster.sh | 3 ++- modules/private-cluster/variables.tf | 5 +++++ scripts/wait-for-cluster.sh | 3 ++- variables.tf | 5 +++++ 31 files changed, 83 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 0351383dfb..6aa2d64cbe 100644 --- a/README.md +++ b/README.md 
@@ -116,7 +116,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | @@ -136,6 +136,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ecf305b7b6..20cbf0a425 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -536,13 +536,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - - upgrade = var.gcloud_upgrade + upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/autogen/main/scripts/wait-for-cluster.sh b/autogen/main/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/autogen/main/scripts/wait-for-cluster.sh +++ b/autogen/main/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index de4af2700a..90631bee00 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
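Review bot: The new gcloud invocation in wait-for-cluster.sh passes `--impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT"` even when the third argument is empty, which is the documented default (`""` in variables.tf), so the promised fallback to Application Default Credentials rests on gcloud treating an empty flag value as "unset" rather than as an invalid principal, which I would not rely on. Build the flag only when a service account was actually supplied, as below, so the poll runs under ADC in the default case and under the impersonated identity otherwise; it also makes the identity used for the call explicit in the script rather than implicit in how an empty string is parsed. The argument-count check that precedes the hunk (its closing `fi` is the first context line) lies outside the hunk; if it currently requires exactly two arguments it will have to accept three. The same change applies to the identical copies of wait-for-cluster.sh under modules/*/scripts/ and scripts/ later in this patch.
```shell
PROJECT=$1
CLUSTER_NAME=$2
IMPERSONATE_SERVICE_ACCOUNT=$3

# Only add the impersonation flag when a service account was supplied;
# with an empty third argument the call uses gcloud's default credentials (ADC).
IMPERSONATE_FLAG=()
if [[ -n "$IMPERSONATE_SERVICE_ACCOUNT" ]]; then
  IMPERSONATE_FLAG=(--impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
fi

# … unchanged: echo "Waiting for cluster …" …
while
  # The array expansion is written so it stays safe under `set -u` on bash older than 4.4.
  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" ${IMPERSONATE_FLAG[@]+"${IMPERSONATE_FLAG[@]}"})
  [[ "${current_status}" != "RUNNING" ]]
do printf ".";sleep 5; done
```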
@@ -555,3 +555,8 @@ variable "disable_default_snat" { default = false } {% endif %} + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/cluster.tf b/cluster.tf index 9b1ecde459..243c458980 100644 --- a/cluster.tf +++ b/cluster.tf @@ -320,13 +320,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index a6b0d2e780..a063c28ec3 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index ca06467760..b9cf27b6e3 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -494,13 +494,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh +++ b/modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 2b1452adc2..f0dee8866b 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -539,3 +539,8 @@ variable "disable_default_snat" { description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6fd297ff9c..e9ecbbb5c5 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -158,6 +158,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 3324d25b45..ed581a383b 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -421,13 +421,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/beta-private-cluster/scripts/wait-for-cluster.sh b/modules/beta-private-cluster/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/beta-private-cluster/scripts/wait-for-cluster.sh +++ b/modules/beta-private-cluster/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 2b1452adc2..f0dee8866b 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -539,3 +539,8 @@ variable "disable_default_snat" { description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 7781e81326..c03f38f5fb 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -171,6 +171,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index aa4d2ea2f1..ad9a3a877b 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf 
+++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -475,13 +475,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh +++ b/modules/beta-public-cluster-update-variant/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 00393835bc..67a785b0cf 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -508,3 +508,8 @@ variable "disable_default_snat" { description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index f827e3cbe1..705db2a22b 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -149,6 +149,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 0391c1afe7..3acae2d2cd 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -402,13 +402,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/beta-public-cluster/scripts/wait-for-cluster.sh b/modules/beta-public-cluster/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/beta-public-cluster/scripts/wait-for-cluster.sh +++ b/modules/beta-public-cluster/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 00393835bc..67a785b0cf 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -508,3 +508,8 @@ variable "disable_default_snat" { description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 94c27f5097..56b70fe8a2 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -144,7 +144,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | @@ -167,6 +167,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 9b6e69b1b1..a5eeae7262 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -406,13 +406,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh b/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh +++ b/modules/private-cluster-update-variant/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 2c9f1b6bc8..9a59ad55c4 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -437,3 +437,8 @@ variable "gcloud_upgrade" { default = false } + +variable "impersonate_service_account" { + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 17a1195f90..a770ae58dc 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -122,7 +122,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | @@ -145,6 +145,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index e61ad00d7e..a4ca5bdc01 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -333,13 +333,12 @@ module "gcloud_wait_for_cluster" { source = "terraform-google-modules/gcloud/google" version = "~> 2.0.2" enabled = ! var.skip_provisioners - upgrade = var.gcloud_upgrade create_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - create_cmd_body = "${var.project_id} ${var.name}" + create_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh" - destroy_cmd_body = "${var.project_id} ${var.name}" + destroy_cmd_body = "${var.project_id} ${var.name} ${var.impersonate_service_account}" module_depends_on = concat( [google_container_cluster.primary.master_version], diff --git a/modules/private-cluster/scripts/wait-for-cluster.sh b/modules/private-cluster/scripts/wait-for-cluster.sh index 16c3952230..f5049ece9c 100755 --- a/modules/private-cluster/scripts/wait-for-cluster.sh +++ b/modules/private-cluster/scripts/wait-for-cluster.sh @@ -22,11 +22,12 @@ fi PROJECT=$1 CLUSTER_NAME=$2 +IMPERSONATE_SERVICE_ACCOUNT=$3 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..." while - current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)") + current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT") [[ "${current_status}" != "RUNNING" ]] do printf ".";sleep 5; done diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 2c9f1b6bc8..9a59ad55c4 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -437,3 +437,8 @@ variable "gcloud_upgrade" {
 default = false
 }
+
+variable "impersonate_service_account" {
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
diff --git a/scripts/wait-for-cluster.sh b/scripts/wait-for-cluster.sh
index 16c3952230..f5049ece9c 100755
--- a/scripts/wait-for-cluster.sh
+++ b/scripts/wait-for-cluster.sh
@@ -22,11 +22,12 @@ fi
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 while
- current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+ current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
 [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
diff --git a/variables.tf b/variables.tf
index 6e3a8bf5cf..cdc3aecc9a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -413,3 +413,8 @@ variable "gcloud_upgrade" {
 default = false
 }
+
+variable "impersonate_service_account" {
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
From 12d452b9700fa3a94a6641ebf48747e6c7a81862 Mon Sep 17 00:00:00 2001
From: Dev
Date: Mon, 2 Nov 2020 16:55:56 +0000
Subject: [PATCH 2/3] Set var type to string
Signed-off-by: Dev
---
 autogen/main/variables.tf.tmpl | 1 +
 modules/beta-private-cluster-update-variant/variables.tf | 1 +
 modules/beta-private-cluster/variables.tf | 1 +
 modules/beta-public-cluster-update-variant/variables.tf | 1 +
 modules/beta-public-cluster/variables.tf | 1 +
 modules/private-cluster-update-variant/variables.tf | 1 +
 modules/private-cluster/variables.tf | 1 +
 variables.tf | 1 +
 8 files changed, 8 insertions(+)
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 90631bee00..fb71d30944 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -557,6 +557,7 @@ variable "disable_default_snat" {
 {% endif %}
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index f0dee8866b..1e3094875f 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -541,6 +541,7 @@ variable "disable_default_snat" {
 }
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index f0dee8866b..1e3094875f 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
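Review bot: The description of `impersonate_service_account` in the template (and in the generated per-module copies, which follow from it) does not say what impersonation requires, which is the part an operator most often gets wrong: the identity running Terraform must hold `roles/iam.serviceAccountTokenCreator` on the target service account, and that account in turn needs permission to list clusters in the project (`container.clusters.list`). Suggested wording: `description = "Service account email to impersonate for gcloud commands (the caller needs roles/iam.serviceAccountTokenCreator on it; the account needs container.clusters.list in the project). Leave empty to use Application Default Credentials."`. Adding `type = string` is the right call; if the module's required Terraform version permits a `validation` block, rejecting values that are not a service-account email would stop malformed input before it is spliced into the shell command body. The variable block ends inside the hunk, but the surrounding template continues outside it.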
@@ -541,6 +541,7 @@ variable "disable_default_snat" {
 }
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 67a785b0cf..04a6bf54de 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -510,6 +510,7 @@ variable "disable_default_snat" {
 }
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 67a785b0cf..04a6bf54de 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -510,6 +510,7 @@ variable "disable_default_snat" {
 }
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 9a59ad55c4..3acc6218b0 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -439,6 +439,7 @@ variable "gcloud_upgrade" {
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 9a59ad55c4..3acc6218b0 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -439,6 +439,7 @@ variable "gcloud_upgrade" {
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
diff --git a/variables.tf b/variables.tf
index cdc3aecc9a..40a0b91b25 100644
--- a/variables.tf
+++ b/variables.tf
@@ -415,6 +415,7 @@ variable "gcloud_upgrade" {
 variable "impersonate_service_account" {
+ type = string
 description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
 default = ""
 }
From 0521eae46f302ea4352c83782a9df919bf17bce5 Mon Sep 17 00:00:00 2001
From: Dev
Date: Mon, 2 Nov 2020 17:16:00 +0000
Subject: [PATCH 3/3] Rerun make docker_generate_docs
Signed-off-by: Dev
---
 README.md | 2 +-
 modules/private-cluster-update-variant/README.md | 2 +-
 modules/private-cluster/README.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6aa2d64cbe..da19bc5059 100644
--- a/README.md
+++ b/README.md
@@ -116,7 +116,7 @@ Then perform the following commands on the root folder:
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 56b70fe8a2..a6fcab2e57 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -144,7 +144,7 @@ Then perform the following commands on the root folder:
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index a770ae58dc..c5f6ce7a0b 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -122,7 +122,7 @@ Then perform the following commands on the root folder:
 | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |