
fix(acm)!: prevent conflicts in IAM binding (#1576)
evenh authored Mar 3, 2023
1 parent 23e9c96 commit a7cfe92
Showing 1 changed file with 10 additions and 13 deletions.
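--- a/modules/acm/creds.tf
+++ b/modules/acm/creds.tf
@@ -17,6 +17,11 @@
 locals {
 # GCP service account ids must be <= 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
 service_account_name = trimsuffix(substr(var.metrics_gcp_sa_name, 0, 30), "-")
+
+iam_ksa_binding_members = var.create_metrics_gcp_sa ? [
+var.enable_config_sync ? "config-management-monitoring/default" : null,
+var.enable_policy_controller ? "gatekeeper-system/gatekeeper-admin" : null,
+] : []
 }
 
 resource "tls_private_key" "k8sop_creds" {
@@ -33,22 +38,14 @@ resource "time_sleep" "wait_acm" {
 create_duration = "300s"
 }
 
-resource "google_service_account_iam_binding" "config-management-monitoring-iam" {
-count = var.enable_config_sync && var.create_metrics_gcp_sa ? 1 : 0
-service_account_id = google_service_account.acm_metrics_writer_sa[0].name
-role = "roles/iam.workloadIdentityUser"
-
-members = ["serviceAccount:${var.project_id}.svc.id.goog[config-management-monitoring/default]"]
-
-depends_on = [google_gke_hub_feature_membership.main]
-}
-
-resource "google_service_account_iam_binding" "gatekeeper-system-iam" {
-count = var.enable_policy_controller && var.create_metrics_gcp_sa ? 1 : 0
+resource "google_service_account_iam_binding" "ksa_iam" {
+count = length(local.iam_ksa_binding_members) > 0 ? 1 : 0
 service_account_id = google_service_account.acm_metrics_writer_sa[0].name
 role = "roles/iam.workloadIdentityUser"
 
-members = ["serviceAccount:${var.project_id}.svc.id.goog[gatekeeper-system/gatekeeper-admin]"]
+members = [
+for ksa in local.iam_ksa_binding_members : "serviceAccount:${var.project_id}.svc.id.goog[${ksa}]"
+]
 
 depends_on = [google_gke_hub_feature_membership.main]
 }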
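Review bot: The `for` in `members` interpolates every element of `local.iam_ksa_binding_members`, but the local built in the first hunk still contains `null` entries whenever only one of `enable_config_sync` / `enable_policy_controller` is set, and `length()` counts those nulls, so a single disabled feature gives `count = 1` and the `${ksa}` interpolation of a null fails at plan time (with both disabled it fails the same way instead of yielding `count = 0`). Dropping the nulls where the local is built keeps `count` and `members` consistent: `iam_ksa_binding_members = var.create_metrics_gcp_sa ? compact([` … `]) : []`. It is also worth stating above the resource that `google_service_account_iam_binding` is authoritative for `roles/iam.workloadIdentityUser` on this service account, so any member granted that role outside this module is removed on the next apply — that is exactly why the two former bindings had to be merged into one, and a comment such as `# Authoritative for roles/iam.workloadIdentityUser on the metrics SA: every member of this role is managed here.` would save the next maintainer from reintroducing a second binding.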
