feat: add cross project fleet service agent for beta clusters

Author: apeabody

autogen/main/outputs.tf.tmpl

@@ -239,3 +239,10 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+{% if beta_cluster %}
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}
+{% endif %}

autogen/main/sa.tf.tmpl

@@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+{% if beta_cluster %}
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
+{% endif %}

autogen/main/variables.tf.tmpl

@@ -863,3 +863,11 @@ variable "fleet_project" {
   type = string
   default = null
 }
+{% if beta_cluster %}
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type = bool
+  default = false
+}
+{% endif %}

modules/beta-autopilot-private-cluster/README.md

@@ -99,6 +99,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -155,6 +156,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-autopilot-private-cluster/outputs.tf

@@ -193,3 +193,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}

modules/beta-autopilot-private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-autopilot-private-cluster/variables.tf

@@ -466,3 +466,9 @@ variable "fleet_project" {
   type        = string
   default     = null
 }
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type        = bool
+  default     = false
+}

modules/beta-autopilot-public-cluster/README.md

@@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -144,6 +145,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-autopilot-public-cluster/outputs.tf

@@ -183,3 +183,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}

modules/beta-autopilot-public-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-autopilot-public-cluster/variables.tf

@@ -436,3 +436,9 @@ variable "fleet_project" {
   type        = string
   default     = null
 }
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type        = bool
+  default     = false
+}

modules/beta-private-cluster-update-variant/README.md

@@ -212,6 +212,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -295,6 +296,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-private-cluster-update-variant/outputs.tf

@@ -219,3 +219,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}

modules/beta-private-cluster-update-variant/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-private-cluster-update-variant/variables.tf

@@ -817,3 +817,9 @@ variable "fleet_project" {
   type        = string
   default     = null
 }
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type        = bool
+  default     = false
+}

modules/beta-private-cluster/README.md

@@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -273,6 +274,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-private-cluster/outputs.tf

@@ -219,3 +219,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}

modules/beta-private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-private-cluster/variables.tf

@@ -817,3 +817,9 @@ variable "fleet_project" {
   type        = string
   default     = null
 }
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type        = bool
+  default     = false
+}

modules/beta-public-cluster-update-variant/README.md

@@ -203,6 +203,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -284,6 +285,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-public-cluster-update-variant/outputs.tf

@@ -209,3 +209,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}

modules/beta-public-cluster-update-variant/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project_grant_service_agent ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+  for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-public-cluster-update-variant/variables.tf

@@ -787,3 +787,9 @@ variable "fleet_project" {
   type        = string
   default     = null
 }
+
+variable "fleet_project_grant_service_agent" {
+  description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+  type        = bool
+  default     = false
+}

modules/beta-public-cluster/README.md

@@ -181,6 +181,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -262,6 +263,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/beta-public-cluster/outputs.tf

@@ -209,3 +209,8 @@ output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+  description = "Fleet project service agent email (if granted)"
+  value       = try(google_project_service_identity.fleet_project[0].email, null)
+}