Merge pull request #88 from terraform-google-modules/feature/default-to-creating-new-service-account-for-cluster

Change service account default to create a new SA per cluster

Author: aaron-lane

.kitchen.yml

@@ -98,8 +98,14 @@ suites:
       name: terraform
       color: false
       systems:
-        - name: simple_zonal
+        - name: gcloud
           backend: local
+          controls:
+            - gcloud
+        - name: gcp
+          backend: gcp
+          controls:
+            - gcp
     provisioner:
       name: terraform
   - name: "simple_zonal_private"

CHANGELOG.md

@@ -10,6 +10,11 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [v2.0.0] - 2019-YY-ZZ
 
+### Changed
+
+* The `service_account` variable defaults  to `"create"` which causes a
+  cluster-specific service account to be created.
+
 ## [v1.0.1] - 2019-04-04
 
 ### Added

README.md

@@ -135,7 +135,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `""` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |

autogen/variables.tf

@@ -214,8 +214,8 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
-  default     = ""
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  default     = "create"
 }
 {% if private_cluster %}
 variable "enable_private_endpoint" {

docs/upgrading_to_v2.0.md

@@ -4,3 +4,40 @@ The v2.0 release of *kubernetes-engine* is a backwards incompatible
 release.
 
 ## Migration Instructions
+
+### Using Default Service Account
+
+In previous versions of *kubernetes-engine*, the default service
+account of the hosting project was used by the Node VMs if no other
+service account was explicitly configured. A dedicated service account
+is now created for the Node VMs if no other service account is
+explicitly configured.
+
+The default service account of the hosting project can still be used if
+desired, as shown in the following example:
+
+```hcl
+module "project_factory" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 2.1"
+
+  billing_account = "XXXXXX-YYYYYY-ZZZZZZ"
+  name            = "example"
+  org_id          = "XXXXXXXXXXXX"
+}
+
+module "kubernetes_engine" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 2.0"
+
+  ip_range_pods     = "secondary-subnet-ip-range-pods"
+  ip_range_services = "secondary-subnet-ip-range-services"
+  name              = "example"
+  network           = "cluster-network"
+  project_id        = "${module.project_factory.project_id}"
+  region            = "northamerica-northeast"
+  subnetwork        = "cluster-subnetwork"
+
+  service_account = "${module.project_factory.service_account_email}"
+}
+```

modules/private-cluster/README.md

@@ -143,7 +143,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `""` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |

modules/private-cluster/variables.tf

@@ -214,8 +214,8 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
-  default     = ""
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  default     = "create"
 }
 variable "enable_private_endpoint" {
   description  = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"

test/integration/simple_zonal/controls/gcp.rb

@@ -0,0 +1,31 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+control "gcp" do
+  title "Native InSpec Resources"
+
+  service_account = attribute("service_account")
+  project_id = attribute("project_id")
+
+  if service_account.start_with? "projects/"
+    service_account_name = service_account
+  else
+    service_account_name = "projects/#{project_id}/serviceAccounts/#{service_account}"
+  end
+
+  describe google_service_account name: service_account_name do
+    its("display_name") { should eq "Terraform-managed service account for cluster #{attribute("cluster_name")}" }
+    its("project_id") { should eq project_id }
+  end
+end

test/integration/simple_zonal/inspec.yml

@@ -1,4 +1,8 @@
 name: simple_zonal
+depends:
+  - name: inspec-gcp
+    git: https://github.com/inspec/inspec-gcp.git
+    tag: v0.10.0
 attributes:
   - name: project_id
     required: true
@@ -21,3 +25,6 @@ attributes:
   - name: service_account
     required: true
     type: string
+  - name: service_account
+    required: true
+    type: string

variables.tf

@@ -214,6 +214,6 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
-  default     = ""
+  description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
+  default     = "create"
 }