feat: WorkloadIdenity allow to use k8s sa from the different project (#1275)

* feat: allow to use k8s sa from the different project

* chore: generate docs

Co-authored-by: Bharath KKB <[email protected]>

Author: ykyr

modules/workload-identity/README.md

@@ -101,6 +101,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
+| k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |

modules/workload-identity/main.tf

@@ -26,7 +26,8 @@ locals {
   output_k8s_name      = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
   output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 
-  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+  k8s_sa_project_id       = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id
+  k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 }
 
 data "google_service_account" "cluster_service_account" {
@@ -40,7 +41,7 @@ resource "google_service_account" "cluster_service_account" {
   count = var.use_existing_gcp_sa ? 0 : 1
 
   account_id   = local.gcp_given_name
-  display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
+  display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)
   project      = var.project_id
 }
 
@@ -65,7 +66,7 @@ module "annotate-sa" {
   skip_download               = true
   cluster_name                = var.cluster_name
   cluster_location            = var.location
-  project_id                  = var.project_id
+  project_id                  = local.k8s_sa_project_id
   impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"

modules/workload-identity/variables.tf

@@ -54,6 +54,12 @@ variable "k8s_sa_name" {
   default     = null
 }
 
+variable "k8s_sa_project_id" {
+  description = "GCP project ID of the k8s service account; overrides `var.project_id`."
+  type        = string
+  default     = null
+}
+
 variable "namespace" {
   description = "Namespace for the Kubernetes service account"
   type        = string