From 0589de798f6935174aa017fe44ef197de71d1d3a Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 27 Oct 2022 15:47:11 +0200 Subject: [PATCH 1/3] fix service account create --- modules/gke-nodepool/README.md | 8 ++-- modules/gke-nodepool/main.tf | 13 +++---- modules/gke-nodepool/variables.tf | 8 ++-- tests/modules/gke_nodepool/fixture/main.tf | 39 ++++++++++++------- .../modules/gke_nodepool/fixture/variables.tf | 6 +-- tests/modules/gke_nodepool/test_plan.py | 4 +- 6 files changed, 43 insertions(+), 35 deletions(-) diff --git a/modules/gke-nodepool/README.md b/modules/gke-nodepool/README.md index d464656f45..1e4a939fd0 100644 --- a/modules/gke-nodepool/README.md +++ b/modules/gke-nodepool/README.md @@ -53,10 +53,10 @@ module "cluster-1-nodepool-1" { | [nodepool_config](variables.tf#L109) | Nodepool-level configuration. | object({…}) | | null | | [pod_range](variables.tf#L131) | Pod secondary range configuration. | object({…}) | | null | | [reservation_affinity](variables.tf#L148) | Configuration of the desired reservation which instances could take capacity from. | object({…}) | | null | -| [service_account](variables.tf#L158) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | object({…}) | | null | -| [sole_tenant_nodegroup](variables.tf#L167) | Sole tenant node group. | string | | null | -| [tags](variables.tf#L173) | Network tags applied to nodes. | list(string) | | null | -| [taints](variables.tf#L179) | Kubernetes taints applied to all nodes. | list(object({…})) | | null | +| [service_account](variables.tf#L158) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | object({…}) | | {} | +| [sole_tenant_nodegroup](variables.tf#L169) | Sole tenant node group. | string | | null | +| [tags](variables.tf#L175) | Network tags applied to nodes. | list(string) | | null | +| [taints](variables.tf#L181) | Kubernetes taints applied to all nodes. | list(object({…})) | | null | ## Outputs diff --git a/modules/gke-nodepool/main.tf b/modules/gke-nodepool/main.tf index 6a3714f0fe..67257735c4 100644 --- a/modules/gke-nodepool/main.tf +++ b/modules/gke-nodepool/main.tf @@ -31,17 +31,14 @@ locals { ) # if no attributes passed for service account, use the GCE default # if no email specified, create service account - service_account_create = ( - var.service_account != null && try(var.service_account.email, null) == null - ) service_account_email = ( - local.service_account_create + var.service_account.create ? google_service_account.service_account[0].email - : try(var.service_account.email, null) + : var.service_account.email ) service_account_scopes = ( - try(var.service_account.scopes, null) != null - ? var.service_account.scopes + var.service_account.oauth_scopes != null + ? var.service_account.oauth_scopes : [ "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", @@ -60,7 +57,7 @@ locals { } resource "google_service_account" "service_account" { - count = local.service_account_create ? 1 : 0 + count = var.service_account.create ? 1 : 0 project = var.project_id account_id = "tf-gke-${var.name}" display_name = "Terraform GKE ${var.cluster_name} ${var.name}." diff --git a/modules/gke-nodepool/variables.tf b/modules/gke-nodepool/variables.tf index dec5b8232f..15c8a15155 100644 --- a/modules/gke-nodepool/variables.tf +++ b/modules/gke-nodepool/variables.tf @@ -158,10 +158,12 @@ variable "reservation_affinity" { variable "service_account" { description = "Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used." type = object({ - email = optional(string) - oauth_scopes = optional(list(string)) + create = optional(bool, false) + email = optional(string, null) + oauth_scopes = optional(list(string), null) }) - default = null + default = {} + nullable = false } variable "sole_tenant_nodegroup" { diff --git a/tests/modules/gke_nodepool/fixture/main.tf b/tests/modules/gke_nodepool/fixture/main.tf index aaa030b931..4ee274828c 100644 --- a/tests/modules/gke_nodepool/fixture/main.tf +++ b/tests/modules/gke_nodepool/fixture/main.tf @@ -14,22 +14,31 @@ * limitations under the License. */ +resource "google_service_account" "test" { + project = "my-project" + account_id = "gke-nodepool-test" + display_name = "Test Service Account" +} + module "test" { - source = "../../../../modules/gke-nodepool" - project_id = "my-project" - cluster_name = "cluster-1" - location = "europe-west1-b" - name = "nodepool-1" - gke_version = var.gke_version - labels = var.labels - max_pods_per_node = var.max_pods_per_node - node_config = var.node_config - node_count = var.node_count - node_locations = var.node_locations - nodepool_config = var.nodepool_config - pod_range = var.pod_range - reservation_affinity = var.reservation_affinity - service_account = var.service_account + source = "../../../../modules/gke-nodepool" + project_id = "my-project" + cluster_name = "cluster-1" + location = "europe-west1-b" + name = "nodepool-1" + gke_version = var.gke_version + labels = var.labels + max_pods_per_node = var.max_pods_per_node + node_config = var.node_config + node_count = var.node_count + node_locations = var.node_locations + nodepool_config = var.nodepool_config + pod_range = var.pod_range + reservation_affinity = var.reservation_affinity + service_account = { + create = var.service_account_create + email = google_service_account.test.email + } sole_tenant_nodegroup = var.sole_tenant_nodegroup tags = var.tags taints = var.taints diff --git a/tests/modules/gke_nodepool/fixture/variables.tf b/tests/modules/gke_nodepool/fixture/variables.tf index 420b9eb014..18376ec532 100644 --- a/tests/modules/gke_nodepool/fixture/variables.tf +++ b/tests/modules/gke_nodepool/fixture/variables.tf @@ -65,9 +65,9 @@ variable "reservation_affinity" { default = null } -variable "service_account" { - type = any - default = null +variable "service_account_create" { + type = bool + default = false } variable "sole_tenant_nodegroup" { diff --git a/tests/modules/gke_nodepool/test_plan.py b/tests/modules/gke_nodepool/test_plan.py index fd63f33202..75d1cc14bc 100644 --- a/tests/modules/gke_nodepool/test_plan.py +++ b/tests/modules/gke_nodepool/test_plan.py @@ -21,9 +21,9 @@ def test_defaults(plan_runner): def test_service_account(plan_runner): - _, resources = plan_runner(service_account='{email="foo@example.org"}') + _, resources = plan_runner() assert len(resources) == 1 - _, resources = plan_runner(service_account='{}') + _, resources = plan_runner(service_account_create='true') assert len(resources) == 2 assert 'google_service_account' in [r['type'] for r in resources] From cb2a2a135ebb8b5e60e65b641998357d569b895c Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Thu, 27 Oct 2022 16:28:20 +0200 Subject: [PATCH 2/3] Fix tests --- blueprints/gke/binauthz/main.tf | 16 ++++++++------- .../multi-cluster-mesh-gke-fleet-api/gke.tf | 20 ++++++++++--------- blueprints/networking/shared-vpc-gke/main.tf | 16 ++++++++------- modules/gke-hub/README.md | 4 +++- modules/gke-nodepool/README.md | 4 +++- 5 files changed, 35 insertions(+), 25 deletions(-) diff --git a/blueprints/gke/binauthz/main.tf b/blueprints/gke/binauthz/main.tf index 7932394369..0c3655e400 100644 --- a/blueprints/gke/binauthz/main.tf +++ b/blueprints/gke/binauthz/main.tf @@ -99,13 +99,15 @@ module "cluster" { } module "cluster_nodepool" { - source = "../../../modules/gke-nodepool" - project_id = module.project.project_id - cluster_name = module.cluster.name - location = var.zone - name = "nodepool" - service_account = {} - node_count = { initial = 3 } + source = "../../../modules/gke-nodepool" + project_id = module.project.project_id + cluster_name = module.cluster.name + location = var.zone + name = "nodepool" + service_account = { + create = true + } + node_count = { initial = 3 } } module "kms" { diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf index 73ab19b10b..6c769d9201 100644 --- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf @@ -44,15 +44,17 @@ module "clusters" { } module "cluster_nodepools" { - for_each = var.clusters_config - source = "../../../modules/gke-nodepool" - project_id = module.fleet_project.project_id - cluster_name = module.clusters[each.key].name - location = var.region - name = "nodepool-${each.key}" - node_count = { initial = 1 } - service_account = {} - tags = ["${each.key}-node"] + for_each = var.clusters_config + source = "../../../modules/gke-nodepool" + project_id = module.fleet_project.project_id + cluster_name = module.clusters[each.key].name + location = var.region + name = "nodepool-${each.key}" + node_count = { initial = 1 } + service_account = { + create = true + } + tags = ["${each.key}-node"] } module "hub" { diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf index 9d141acc6c..59d07d2dd5 100644 --- a/blueprints/networking/shared-vpc-gke/main.tf +++ b/blueprints/networking/shared-vpc-gke/main.tf @@ -219,11 +219,13 @@ module "cluster-1" { } module "cluster-1-nodepool-1" { - source = "../../../modules/gke-nodepool" - count = var.cluster_create ? 1 : 0 - name = "nodepool-1" - project_id = module.project-svc-gke.project_id - location = module.cluster-1.0.location - cluster_name = module.cluster-1.0.name - service_account = {} + source = "../../../modules/gke-nodepool" + count = var.cluster_create ? 1 : 0 + name = "nodepool-1" + project_id = module.project-svc-gke.project_id + location = module.cluster-1.0.location + cluster_name = module.cluster-1.0.name + service_account = { + create = true + } } diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md index 2573ac9dff..2f6ae6011f 100644 --- a/modules/gke-hub/README.md +++ b/modules/gke-hub/README.md @@ -257,7 +257,9 @@ module "cluster_1_nodepool" { location = "europe-west1" name = "nodepool" node_count = { initial = 1 } - service_account = {} + service_account = { + create = true + } tags = ["cluster-1-node"] } diff --git a/modules/gke-nodepool/README.md b/modules/gke-nodepool/README.md index 1e4a939fd0..4b404ee990 100644 --- a/modules/gke-nodepool/README.md +++ b/modules/gke-nodepool/README.md @@ -30,7 +30,9 @@ module "cluster-1-nodepool-1" { cluster_name = "cluster-1" location = "europe-west1-b" name = "nodepool-1" - service_account = {} + service_account = { + create = true + } } # tftest modules=1 resources=2 ``` From b176752bcbabf4f2d5807b5952babfa2bb5a04b4 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 27 Oct 2022 16:59:24 +0200 Subject: [PATCH 3/3] improve docs, fix gke hub module example tests --- modules/gke-hub/README.md | 6 ++--- modules/gke-nodepool/README.md | 43 +++++++++++++++++++++++++++++++++- modules/gke-nodepool/main.tf | 10 +++++--- 3 files changed, 51 insertions(+), 8 deletions(-) diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md index 2f6ae6011f..1a3c547c60 100644 --- a/modules/gke-hub/README.md +++ b/modules/gke-hub/README.md @@ -257,9 +257,7 @@ module "cluster_1_nodepool" { location = "europe-west1" name = "nodepool" node_count = { initial = 1 } - service_account = { - create = true - } + service_account = { create = true } tags = ["cluster-1-node"] } @@ -294,7 +292,7 @@ module "cluster_2_nodepool" { location = "europe-west4" name = "nodepool" node_count = { initial = 1 } - service_account = {} + service_account = { create = true } tags = ["cluster-2-node"] } diff --git a/modules/gke-nodepool/README.md b/modules/gke-nodepool/README.md index 4b404ee990..4c471c606c 100644 --- a/modules/gke-nodepool/README.md +++ b/modules/gke-nodepool/README.md @@ -21,7 +21,46 @@ module "cluster-1-nodepool-1" { ### Internally managed service account -To have the module auto-create a service account for the nodes, define the `service_account` variable without setting its `email` attribute. You can then specify service account scopes, or use the default. The service account resource and email (in both plain and IAM formats) are then available in outputs to assign IAM roles from your own code. +There are three different approaches to defining the nodes service account, all depending on the `service_account` variable where the `create` attribute controls creation of a new service account by this module, and the `email` attribute controls the actual service account to use. + +If you create a new service account, its resource and email (in both plain and IAM formats) are then available in outputs to reference it in other modules or resources. + +#### GCE default service account + +To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`. + +```hcl +module "cluster-1-nodepool-1" { + source = "./fabric/modules/gke-nodepool" + project_id = "myproject" + cluster_name = "cluster-1" + location = "europe-west1-b" + name = "nodepool-1" +} +# tftest modules=1 resources=1 +``` + +#### Externally defined service account + +To use an existing service account, pass in just the `email` attribute. + +```hcl +module "cluster-1-nodepool-1" { + source = "./fabric/modules/gke-nodepool" + project_id = "myproject" + cluster_name = "cluster-1" + location = "europe-west1-b" + name = "nodepool-1" + service_account = { + email = "foo-bar@myproject.iam.gserviceaccount.com" + } +} +# tftest modules=1 resources=1 +``` + +#### Auto-created service account + +To have the module create a service account, set the `create` attribute to `true` and optionally pass the desired account id in `email`. ```hcl module "cluster-1-nodepool-1" { @@ -32,6 +71,8 @@ module "cluster-1-nodepool-1" { name = "nodepool-1" service_account = { create = true + # optional + email = "spam-eggs" } } # tftest modules=1 resources=2 diff --git a/modules/gke-nodepool/main.tf b/modules/gke-nodepool/main.tf index 67257735c4..0c35c8d0f8 100644 --- a/modules/gke-nodepool/main.tf +++ b/modules/gke-nodepool/main.tf @@ -57,9 +57,13 @@ locals { } resource "google_service_account" "service_account" { - count = var.service_account.create ? 1 : 0 - project = var.project_id - account_id = "tf-gke-${var.name}" + count = var.service_account.create ? 1 : 0 + project = var.project_id + account_id = ( + var.service_account.email != null + ? split("@", var.service_account.email)[0] + : "tf-gke-${var.name}" + ) display_name = "Terraform GKE ${var.cluster_name} ${var.name}." }