feat: Workload Identity module, to bind roles in various projects for the service account created #1574

Merged
merged 5 commits into from
Apr 4, 2023
Changes from 4 commits
13 changes: 8 additions & 5 deletions modules/workload-identity/README.md
@@ -18,11 +18,13 @@ Kubernetes accounts.

```hcl
module "my-app-workload-identity" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
name = "my-application-name"
namespace = "default"
project_id = "my-gcp-project-name"
roles = ["roles/storage.admin", "roles/compute.admin"]
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
name = "my-application-name"
namespace = "default"
project_id = "my-gcp-project-name"
roles = ["roles/storage.admin", "roles/compute.admin"]
additional_projects = {"my-gcp-project-name1" : ["roles/storage.admin", "roles/compute.admin"],
"my-gcp-project-name2" : ["roles/storage.admin", "roles/compute.admin"]}
}
```

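Review bot: the added `additional_projects` lines in the usage example grant `roles/storage.admin` and `roles/compute.admin` in two more projects without saying what the map means; add a sentence above the block stating that each key is a project ID and each value is the list of project-level roles bound to the service account in that project, so readers understand these are cross-project grants and choose roles narrower than the admin ones shown.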
@@ -97,6 +99,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional\_projects | A list of roles to be added to the created service account for additional projects | `map(list(string))` | `{}` | no |
| annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no |
| automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no |
| cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
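Review bot: the new `additional_projects` row says "A list of roles to be added to the created service account for additional projects" while its type is `map(list(string))`; the description should state that the map is keyed by project ID with a list of roles per project. The escaped underscores in this table indicate it is generated from the variable descriptions, so fix the wording in variables.tf and regenerate rather than editing the README by hand.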
8 changes: 8 additions & 0 deletions modules/workload-identity/main.tf
@@ -89,3 +89,11 @@ resource "google_project_iam_member" "workload_identity_sa_bindings" {
role = each.value
member = local.gcp_sa_fqn
}

resource "google_project_iam_member" "workload_identity_sa_bindings_additional_projects" {
for_each = toset(distinct(flatten([for project, roles in var.additional_projects : [for role in roles : join("=>", [project, role])]])))

project = element(split("=>", each.value), 0)
role = element(split("=>", each.value), 1)
Collaborator

I would recommend using a map(list(string)) rather than string parsing.

Contributor Author

Agreed with your point.

member = local.gcp_sa_fqn
}
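Review bot: `for_each` encodes each (project, role) pair as a `=>`-joined string and then `split`s it back apart in `project` and `role`, which is fragile and hard to read; as raised in the thread, build a map of objects instead, e.g. `for_each = { for pair in flatten([for p, rs in var.additional_projects : [for r in rs : { project = p, role = r }]]) : "${pair.project}/${pair.role}" => pair }` and use `each.value.project` / `each.value.role`. The `distinct()` inside `toset()` is also redundant. Since `google_project_iam_member` is additive, these bindings will not overwrite other members in the target projects, but whoever applies the module needs permission to set IAM policy on every project listed, which the README should mention.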
6 changes: 6 additions & 0 deletions modules/workload-identity/variables.tf
@@ -107,3 +107,9 @@ variable "module_depends_on" {
type = list(any)
default = []
}

variable "additional_projects" {
description = "A list of roles to be added to the created service account for additional projects"
type = map(list(string))
default = {}
}
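Review bot: the description "A list of roles to be added to the created service account for additional projects" does not match the type `map(list(string))`; reword it along the lines of "Map of project ID to the list of roles to bind the created service account to in that project". Consider adding a `validation` block, e.g. `condition = alltrue([for p, rs in var.additional_projects : p != "" && alltrue([for r in rs : can(regex("^roles/", r))])])`, so an empty project key or a malformed role fails at plan time instead of producing a broken binding at apply.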