feat: Workload Identity module, to bind roles in various projects for the service account created (#1574)

SudharsaneSivamany · web-flow · commit 53f0f58d5f0b · 2023-04-04T14:24:45.000-07:00
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
@@ -18,11 +18,13 @@ Kubernetes accounts.
 
 ```hcl
 module "my-app-workload-identity" {
-  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  name       = "my-application-name"
-  namespace  = "default"
-  project_id = "my-gcp-project-name"
-  roles      = ["roles/storage.admin", "roles/compute.admin"]
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  name                = "my-application-name"
+  namespace           = "default"
+  project_id          = "my-gcp-project-name"
+  roles               = ["roles/storage.admin", "roles/compute.admin"]
+  additional_projects = {"my-gcp-project-name1" : ["roles/storage.admin", "roles/compute.admin"],
+                         "my-gcp-project-name2" : ["roles/storage.admin", "roles/compute.admin"]}
 }
 ```
 
@@ -97,6 +99,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| additional\_projects | A list of roles to be added to the created service account for additional projects | `map(list(string))` | `{}` | no |
 | annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no |
 | automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no |
 | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -28,6 +28,8 @@ locals {
 
   k8s_sa_project_id       = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id
   k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+
+  sa_binding_additional_project = distinct(flatten([for project, roles in var.additional_projects : [for role in roles : { project_id = project, role_name = role }]]))
 }
 
 data "google_service_account" "cluster_service_account" {
@@ -89,3 +91,11 @@ resource "google_project_iam_member" "workload_identity_sa_bindings" {
   role    = each.value
   member  = local.gcp_sa_fqn
 }
+
+resource "google_project_iam_member" "workload_identity_sa_bindings_additional_projects" {
+  for_each = { for entry in local.sa_binding_additional_project : "${entry.project_id}.${entry.role_name}" => entry }
+
+  project = each.value.project_id
+  role    = each.value.role_name
+  member  = local.gcp_sa_fqn
+}
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -107,3 +107,9 @@ variable "module_depends_on" {
   type        = list(any)
   default     = []
 }
+
+variable "additional_projects" {
+  description = "A list of roles to be added to the created service account for additional projects"
+  type        = map(list(string))
+  default     = {}
+}
