diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 40a32eccf6..ffcf82834e 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -101,6 +101,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
+| k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id` | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index bb44e41223..69b17df1fe 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -26,7 +26,8 @@ locals {
 output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
 output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
- k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+ k8s_sa_project_id = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id
+ k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 }
 data "google_service_account" "cluster_service_account" {
@@ -40,7 +41,7 @@ resource "google_service_account" "cluster_service_account" {
 count = var.use_existing_gcp_sa ? 0 : 1
 account_id = local.gcp_given_name
- display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
+ display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)
 project = var.project_id
 }
@@ -65,7 +66,7 @@ module "annotate-sa" {
 skip_download = true
 cluster_name = var.cluster_name
 cluster_location = var.location
- project_id = var.project_id
+ project_id = local.k8s_sa_project_id
 impersonate_service_account = var.impersonate_service_account
 kubectl_create_command = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index d19c2c9b68..ef8b1811e5 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
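Review bot: The null check on the new `k8s_sa_project_id` local lets an empty string through, so `k8s_sa_project_id = ""` produces the principal `serviceAccount:.svc.id.goog[...]` instead of falling back to `var.project_id`; this module already uses `""` as its "unset" value for `location` and `impersonate_service_account`, so callers are likely to pass it here too. `coalesce` treats both null and the empty string as unset: `k8s_sa_project_id = coalesce(var.k8s_sa_project_id, var.project_id)`. Because the project in the derived name is the one whose workload identity pool is trusted (presumably by a workloadIdentityUser binding elsewhere in main.tf), a comment on the local would spare the next reader a wrong assumption: `# Project whose workload identity pool the KSA belongs to; the derived principal trusts this pool, not var.project_id.` The locals block starts outside the hunk.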
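Review bot: Passing `local.k8s_sa_project_id` as `project_id` to the annotate-sa module changes which project `cluster_name`/`cluster_location` are resolved in and which project the `impersonate_service_account` credentials must have cluster access to, but neither the variable description nor the README row mentions this. Suggest extending the `k8s_sa_project_id` description: `GCP project ID of the k8s service account; overrides var.project_id. The cluster named by cluster_name/location is looked up in this project, so the credentials used for the kubectl annotate step need access there.` The module block continues outside the hunk.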
@@ -54,6 +54,12 @@ variable "k8s_sa_name" {
 default = null
 }
+variable "k8s_sa_project_id" {
+ description = "GCP project ID of the k8s service account; overrides `var.project_id`."
+ type = string
+ default = null
+}
+
 variable "namespace" {
 description = "Namespace for the Kubernetes service account"
 type = string
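Review bot: The new variable accepts any string, including `""`, and the value flows unchanged into the IAM principal `serviceAccount:<project>.svc.id.goog[...]` built in main.tf, so a typo here makes the plan trust a different project's workload identity pool rather than fail. If the module's required Terraform version is 0.13 or later, a `validation` block can reject anything that is not a well-formed project ID; the regex below follows the published project-ID rules (6–30 characters, lowercase letters, digits and hyphens, starting with a letter) and should be checked against the current documentation before merging. `can()` is used so a null value evaluates to false without an error even though `||` does not short-circuit.
```hcl
variable "k8s_sa_project_id" {
  description = "GCP project ID of the k8s service account; overrides `var.project_id`."
  type        = string
  default     = null

  validation {
    condition     = var.k8s_sa_project_id == null || can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.k8s_sa_project_id))
    error_message = "k8s_sa_project_id must be null or a well-formed GCP project ID."
  }
}
```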