GoogleCloudPlatform · juliocc · Sep 22, 2023 · Sep 22, 2023
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
@@ -309,7 +309,7 @@ module "cluster-1" {
 | [location](variables.tf#L138) | Cluster zone or region. | <code>string</code> | ✓ |  |
 | [name](variables.tf#L249) | Cluster name. | <code>string</code> | ✓ |  |
 | [project_id](variables.tf#L275) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L292) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [vpc_config](variables.tf#L298) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    region                            &#61; string&#10;    schedule                          &#61; string&#10;    retention_policy_days             &#61; optional&#40;string&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [cluster_autoscaling](variables.tf#L37) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [description](variables.tf#L58) | Cluster description. | <code>string</code> |  | <code>null</code> |
@@ -325,7 +325,8 @@ module "cluster-1" {
 | [node_locations](variables.tf#L254) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 | [private_cluster_config](variables.tf#L261) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [release_channel](variables.tf#L280) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
-| [tags](variables.tf#L286) | Network tags applied to nodes. | <code>list&#40;string&#41;</code> |  | <code>null</code> |
+| [service_account](variables.tf#L286) | Service account used for the default node pool, only useful if the default GCE service account has been disabled. | <code>string</code> |  | <code>null</code> |
+| [tags](variables.tf#L292) | Network tags applied to nodes. | <code>list&#40;string&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 

diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
@@ -43,6 +43,7 @@ resource "google_container_cluster" "cluster" {
   # the default node pool is deleted here, use the gke-nodepool module instead.
   # the default node pool configuration is based on a shielded_nodes variable.
   node_config {
+    service_account = var.service_account
     dynamic "shielded_instance_config" {
       for_each = var.enable_features.shielded_nodes ? [""] : []
       content {
@@ -203,7 +204,7 @@ resource "google_container_cluster" "cluster" {
       ]))
     }
   }
-  # Don't send any GKE cluster logs to Cloud Logging. Input variable validation 
+  # Don't send any GKE cluster logs to Cloud Logging. Input variable validation
   # makes sure every other log source is false when enable_system_logs is false.
   dynamic "logging_config" {
     for_each = var.logging_config.enable_system_logs == false ? [""] : []

diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
@@ -151,7 +151,7 @@ variable "logging_config" {
   })
   default  = {}
   nullable = false
-  # System logs are the minimum required component for enabling log collection. 
+  # System logs are the minimum required component for enabling log collection.
   # So either everything is off (false), or enable_system_logs must be true.
   validation {
     condition = (
@@ -283,6 +283,12 @@ variable "release_channel" {
   default     = null
 }
 
+variable "service_account" {
+  description = "Service account used for the default node pool, only useful if the default GCE service account has been disabled."
+  type        = string
+  default     = null
+}
+
 variable "tags" {
   description = "Network tags applied to nodes."
   type        = list(string)