terraform-google-modules · bharathkkb · Mar 9, 2021 · Mar 3, 2021 · Mar 4, 2021 · Mar 4, 2021
@@ -9,7 +9,7 @@ It creates a [kind](https://kind.sigs.k8s.io/) cluster, sets current kubecontext
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| project\_id | The project ID (environ) to register the cluster in | `any` | n/a | yes |
+| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
 
 ## Outputs
 

@@ -15,5 +15,5 @@
  */
 
 variable "project_id" {
-  description = "The project ID (environ) to register the cluster in"
+  description = "The project ID to host the cluster in"
 }
@@ -39,6 +39,7 @@ To deploy this config:
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
 | gke\_hub\_membership\_name | Membership name that uniquely represents the cluster being registered on the Hub | `string` | `"gke-hub-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | `string` | `"gke-hub-sa"` | no |
+| hub\_project\_id | The project in which the GKE Hub belongs. | `string` | `""` | no |
 | labels | Comma separated labels in the format name=value to apply to cluster in the GCP Console. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | module\_depends\_on | List of modules or resources this module depends on. | `list` | `[]` | no |

@@ -17,30 +17,58 @@
 locals {
   gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
 
-  is_gke_flag               = var.use_kubeconfig ? 0 : 1
+  is_gke_flag = var.use_kubeconfig ? 0 : 1
+  hub_project = var.hub_project_id == "" ? var.project_id : var.hub_project_id
+
+  cluster_uri               = "https://container.googleapis.com/projects/${var.project_id}/locations/${var.location}/clusters/${var.cluster_name}"
   create_cmd_gke_entrypoint = "${path.module}/scripts/gke_hub_registration.sh"
-  create_cmd_gke_body       = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${local.gke_hub_sa_key} ${var.project_id} ${var.labels}"
+  create_cmd_gke_body       = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.gke_hub_sa_key} ${local.cluster_uri} ${local.hub_project} ${var.labels}"
   destroy_gke_entrypoint    = "${path.module}/scripts/gke_hub_unregister.sh"
-  destroy_gke_body          = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${var.project_id}"
+  destroy_gke_body          = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.cluster_uri} ${local.hub_project}"
 }
 
 data "google_client_config" "default" {
 }
 
+data "google_project" "hub_project" {
+  project_id = local.hub_project
+}
+
 resource "google_service_account" "gke_hub_sa" {
   count        = var.use_existing_sa ? 0 : 1
   account_id   = var.gke_hub_sa_name
-  project      = var.project_id
+  project      = local.hub_project
   display_name = "Service Account for GKE Hub Registration"
 }
 
 resource "google_project_iam_member" "gke_hub_member" {
   count   = var.use_existing_sa ? 0 : 1
-  project = var.project_id
+  project = local.hub_project
   role    = "roles/gkehub.connect"
   member  = "serviceAccount:${google_service_account.gke_hub_sa[0].email}"
 }
 
+resource "google_project_iam_member" "hub_service_agent_gke" {
+  count   = var.hub_project_id == "" ? 0 : 1
+  project = var.project_id
+  role    = "roles/gkehub.serviceAgent"
+  member  = "serviceAccount:${google_project_service_identity.sa_gkehub[0].email}"
+}
+
+resource "google_project_iam_member" "hub_service_agent_hub" {
+  count   = var.hub_project_id == "" ? 0 : 1
+  project = local.hub_project
+  role    = "roles/gkehub.serviceAgent"
+  member  = "serviceAccount:${google_project_service_identity.sa_gkehub[0].email}"
+}
+
+resource "google_project_service_identity" "sa_gkehub" {
+  count    = var.hub_project_id == "" ? 0 : 1
+  provider = google-beta
+  project  = local.hub_project
+  service  = "gkehub.googleapis.com"
+}
+
 resource "google_service_account_key" "gke_hub_key" {
   count              = var.use_existing_sa ? 0 : 1
   service_account_id = google_service_account.gke_hub_sa[0].name

@@ -22,11 +22,10 @@ fi
 
 GKE_CLUSTER_FLAG=$1
 MEMBERSHIP_NAME=$2
-CLUSTER_LOCATION=$3
-CLUSTER_NAME=$4
-SERVICE_ACCOUNT_KEY=$5
-PROJECT_ID=$6
-LABELS=$7
+SERVICE_ACCOUNT_KEY=$3
+CLUSTER_URI=$4
+HUB_PROJECT_ID=$5
+LABELS=$6
 
 #write temp key, cleanup at exit
 tmp_file=$(mktemp)
@@ -37,18 +36,18 @@ echo "${SERVICE_ACCOUNT_KEY}" | base64 ${B64_ARG} > "$tmp_file"
 
 if [[ ${GKE_CLUSTER_FLAG} == 1 ]]; then
     echo "Registering GKE Cluster."
-    gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-cluster="${CLUSTER_LOCATION}"/"${CLUSTER_NAME}" --service-account-key-file="${tmp_file}" --project="${PROJECT_ID}" --quiet
+    gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-uri="${CLUSTER_URI}" --service-account-key-file="${tmp_file}" --project="${HUB_PROJECT_ID}" --quiet
 else
     echo "Registering a non-GKE Cluster. Using current-context to register Hub membership."
     #Get the kubeconfig
     CONTEXT=$(kubectl config current-context)
-    gcloud container hub memberships register "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --service-account-key-file="${tmp_file}" --project="${PROJECT_ID}" --quiet
+    gcloud container hub memberships register "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --service-account-key-file="${tmp_file}" --project="${HUB_PROJECT_ID}" --quiet
 fi
 
 
 # Add labels to the registered cluster
 if [ -z ${LABELS+x} ]; then
     echo "No hub labels to apply."
 else
-    gcloud container hub memberships update "${MEMBERSHIP_NAME}" --update-labels "$LABELS" --project="${PROJECT_ID}"
+    gcloud container hub memberships update "${MEMBERSHIP_NAME}" --update-labels "$LABELS" --project="${HUB_PROJECT_ID}"
 fi
@@ -15,25 +15,22 @@
 
 set -e
 
-if [ "$#" -lt 5 ]; then
+if [ "$#" -lt 4 ]; then
     >&2 echo "Not all expected arguments set."
     exit 1
 fi
 
 GKE_CLUSTER_FLAG=$1
 MEMBERSHIP_NAME=$2
-CLUSTER_LOCATION=$3
-CLUSTER_NAME=$4
-PROJECT_ID=$5
-
-
+CLUSTER_URI=$3
+HUB_PROJECT_ID=$4
 
 if [[ ${GKE_CLUSTER_FLAG} == 1 ]]; then
     echo "Un-Registering GKE Cluster."
-    gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --gke-cluster="${CLUSTER_LOCATION}"/"${CLUSTER_NAME}" --project "${PROJECT_ID}"
+    gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --gke-uri="${CLUSTER_URI}" --project "${HUB_PROJECT_ID}"
 else
     echo "Un-Registering a non-GKE Cluster. Using current-context to unregister Hub membership."
     #Get Current context
     CONTEXT=$(kubectl config current-context)
-    gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --project="${PROJECT_ID}"
+    gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --project="${HUB_PROJECT_ID}"
 fi
@@ -29,6 +29,12 @@ variable "project_id" {
   type        = string
 }
 
+variable "hub_project_id" {
+  description = "The project in which the GKE Hub belongs."
+  type        = string
+  default     = ""
+}
+
 variable "location" {
   description = "The location (zone or region) this cluster has been created in."
   type        = string