WIP

Author: Jberlinsky

autogen/cluster_regional.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     }
   }
 {% if private_cluster %}
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

autogen/cluster_zonal.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     }
   }
 {% if private_cluster %}
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

autogen/sa.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+{{ autogeneration_note }}
+
+resource "google_service_account" "cluster_service_account" {
+  count = "${(var.service_account == "create") ? 1 : 0}"
+  account_id = "tf-gke-${var.name}"
+  display_name = "Terraform-managed service account for cluster ${var.name}"
+}

autogen/variables.tf

@@ -208,7 +208,7 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account"
+  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
   default     = ""
 }
 {% if private_cluster %}

cluster_regional.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     }
   }
 
@@ -121,7 +121,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

cluster_zonal.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     }
   }
 
@@ -121,7 +121,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", (var.service_account == "create") ? element(concat(google_service_account.cluster_service_account.*.email, list("")), 0) : var.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

examples/simple_zonal/main.tf

@@ -34,7 +34,7 @@ module "gke" {
   subnetwork        = "${var.subnetwork}"
   ip_range_pods     = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
-  service_account   = "${var.compute_engine_service_account}"
+  service_account   = "create"
 }
 
 data "google_client_config" "default" {}

examples/simple_zonal/variables.tf

@@ -51,7 +51,3 @@ variable "ip_range_pods" {
 variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
-
-variable "compute_engine_service_account" {
-  description = "Service account to associate to the nodes in the cluster"
-}

sa.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file was automatically generated from a template in ./autogen
+
+resource "google_service_account" "cluster_service_account" {
+  count = "${(var.service_account == "create") ? 1 : 0}"
+  account_id = "tf-gke-${var.name}"
+  display_name = "Terraform-managed service account for cluster ${var.name}"
+}

test/fixtures/simple_zonal/example.tf

@@ -26,5 +26,4 @@ module "example" {
   subnetwork                     = "${google_compute_subnetwork.main.name}"
   ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
   ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
-  compute_engine_service_account = "${var.compute_engine_service_account}"
 }

test/integration/simple_zonal/controls/gcloud.rb

@@ -79,6 +79,10 @@
     describe "node pool" do
       let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } }
 
+      it "uses an automatically created service account" do
+        raise node_pools.to_json.inspect
+      end
+
       it "has autoscaling enabled" do
         expect(node_pools).to include(
           including(

variables.tf

@@ -208,6 +208,6 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account"
+  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
   default     = ""
 }