diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index 3c9b1eb8b1..dc2b4139e3 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -309,7 +309,7 @@ module "cluster-1" {
| [location](variables.tf#L138) | Cluster zone or region. | string
| ✓ | |
| [name](variables.tf#L249) | Cluster name. | string
| ✓ | |
| [project_id](variables.tf#L275) | Cluster project id. | string
| ✓ | |
-| [vpc_config](variables.tf#L292) | VPC-level configuration. | object({…})
| ✓ | |
+| [vpc_config](variables.tf#L298) | VPC-level configuration. | object({…})
| ✓ | |
| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | object({…})
| | {}
|
| [cluster_autoscaling](variables.tf#L37) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…})
| | null
|
| [description](variables.tf#L58) | Cluster description. | string
| | null
|
@@ -325,7 +325,8 @@ module "cluster-1" {
| [node_locations](variables.tf#L254) | Zones in which the cluster's nodes are located. | list(string)
| | []
|
| [private_cluster_config](variables.tf#L261) | Private cluster configuration. | object({…})
| | null
|
| [release_channel](variables.tf#L280) | Release channel for GKE upgrades. | string
| | null
|
-| [tags](variables.tf#L286) | Network tags applied to nodes. | list(string)
| | null
|
+| [service_account](variables.tf#L286) | Service account used for the default node pool, only useful if the default GCE service account has been disabled. | string
| | null
|
+| [tags](variables.tf#L292) | Network tags applied to nodes. | list(string)
| | null
|
## Outputs
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index d27f6ab36c..622c2e431d 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -43,6 +43,7 @@ resource "google_container_cluster" "cluster" {
# the default node pool is deleted here, use the gke-nodepool module instead.
# the default node pool configuration is based on a shielded_nodes variable.
node_config {
+ service_account = var.service_account
dynamic "shielded_instance_config" {
for_each = var.enable_features.shielded_nodes ? [""] : []
content {
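Review bot: The `service_account` set on the new L53 line only governs the throwaway default node pool — the comment two lines above says that pool is deleted and real pools come from the gke-nodepool module — yet nothing in the block says so, and a reader can easily assume it applies cluster-wide. I would extend the existing comment on that line: `# service_account applies only to the transient default node pool (needed when the project's default compute SA is disabled); node pools created elsewhere set their own.` Worth adding as well that when the variable is null the provider falls back to the project's default Compute Engine service account for that bootstrap node, which, where that account still holds the legacy Editor grant, is what the node runs as until the pool is removed — presumably acceptable since the pool is deleted, but it is the reason a dedicated least-privilege account is preferable even here. The enclosing google_container_cluster resource starts before this hunk and continues past it.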
@@ -203,7 +204,7 @@ resource "google_container_cluster" "cluster" {
]))
}
}
- # Don't send any GKE cluster logs to Cloud Logging. Input variable validation
+ # Don't send any GKE cluster logs to Cloud Logging. Input variable validation
# makes sure every other log source is false when enable_system_logs is false.
dynamic "logging_config" {
for_each = var.logging_config.enable_system_logs == false ? [""] : []
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index 6b76efa701..c470dcfa8b 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -151,7 +151,7 @@ variable "logging_config" {
})
default = {}
nullable = false
- # System logs are the minimum required component for enabling log collection.
+ # System logs are the minimum required component for enabling log collection.
# So either everything is off (false), or enable_system_logs must be true.
validation {
condition = (
@@ -283,6 +283,12 @@ variable "release_channel" {
default = null
}
+variable "service_account" {
+ description = "Service account used for the default node pool, only useful if the default GCE service account has been disabled."
+ type = string
+ default = null
+}
+
variable "tags" {
description = "Network tags applied to nodes."
type = list(string)
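Review bot: The new `service_account` variable at L82-L86 accepts any string, so a malformed value (a display name instead of an email, a stray whitespace) is only rejected by the API at apply time; a validation block pinning it to a service account email would surface the mistake at plan time, matching the validation this file already uses for `logging_config`. The description should also say what form is expected, e.g. `Service account email used for the default node pool, only useful if the default GCE service account has been disabled.` The variable block is complete within the hunk.
```terraform
variable "service_account" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.service_account == null || can(regex("^[^@]+@[^@]+\\.gserviceaccount\\.com$", var.service_account))
    error_message = "service_account must be a service account email address."
  }
}
```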