feat!: Update least privilege default service account (#1844)

Co-authored-by: Jirka Korejtko <[email protected]>

Author: gorge511

autogen/main/sa.tf.tmpl

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

docs/upgrading_to_v30.0.md

@@ -4,4 +4,5 @@ release.
 
 ### Default cluster service account permissions modified
 
-When `create_service_account` is `true`, the service account will now be created with the `Logs Writer`, `Monitoring Metric Writer`, `Monitoring Viewer` and `Stackdriver Resource Metadata Writer` roles instead of the deprecated `Kubernetes Engine Node Service Account` role.
+When `create_service_account` is `true`, the service account will now be created with `Kubernetes Engine Default Node Service Account` role instead of `Kubernetes Engine Node Service Account` roles which is deprecated now.
+This is the Google recommended least privileged role to be used for the service account attached to the GKE Nodes.

modules/beta-autopilot-private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-autopilot-public-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-private-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-public-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-public-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/private-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.defaultNodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }