feat: add module_depends_on to workload-identity (#1341)

Co-authored-by: Bharath KKB <[email protected]>

Author: apeabody

modules/workload-identity/README.md

@@ -105,6 +105,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
 | k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | `string` | `""` | no |
+| module\_depends\_on | List of modules or resources to depend on before annotating KSA. If multiple, all items must be the same type. | `list(any)` | `[]` | no |
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
 | project\_id | GCP project ID | `string` | n/a | yes |

modules/workload-identity/main.tf

@@ -72,6 +72,8 @@ module "annotate-sa" {
 
   kubectl_create_command  = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
   kubectl_destroy_command = "kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+
+  module_depends_on = var.module_depends_on
 }
 
 resource "google_service_account_iam_member" "main" {

modules/workload-identity/variables.tf

@@ -101,3 +101,9 @@ variable "use_existing_context" {
   type        = bool
   default     = false
 }
+
+variable "module_depends_on" {
+  description = "List of modules or resources to depend on before annotating KSA. If multiple, all items must be the same type."
+  type        = list(any)
+  default     = []
+}