Attach correct permission to cluster SA

Author: Jberlinsky

autogen/sa.tf

@@ -18,7 +18,7 @@
 
 locals {
   service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
-  service_account = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
 }
 
 resource "google_service_account" "cluster_service_account" {
@@ -27,3 +27,24 @@ resource "google_service_account" "cluster_service_account" {
   account_id   = "tf-gke-${substr(var.name, 0, 20)}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_service_account.cluster_service_account.project}"
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

modules/private-cluster/sa.tf

@@ -27,3 +27,24 @@ resource "google_service_account" "cluster_service_account" {
   account_id   = "tf-gke-${substr(var.name, 0, 20)}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_service_account.cluster_service_account.project}"
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

sa.tf

@@ -27,3 +27,24 @@ resource "google_service_account" "cluster_service_account" {
   account_id   = "tf-gke-${substr(var.name, 0, 20)}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_service_account.cluster_service_account.project}"
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

test/integration/simple_zonal/controls/gcloud.rb

@@ -80,7 +80,13 @@
       let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } }
 
       it "uses an automatically created service account" do
-        raise node_pools.to_json.inspect
+        expect(node_pools).to include(
+          including(
+            "config" => including(
+              "serviceAccount" => starting_with("tf-gke-simple-zonal-cluster@"),
+            ),
+          ),
+        )
       end
 
       it "has autoscaling enabled" do