Merge pull request #111 from terraform-google-modules/adrienthebo/bugfix/service-account-suffix

Add suffix to cluster service account

Author: aaron-lane

autogen/outputs.tf

@@ -107,3 +107,8 @@ output "node_pools_versions" {
   description = "List of node pools versions"
   value       = "${local.cluster_node_pools_versions}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value = "${local.service_account}"
+}

autogen/sa.tf

@@ -21,10 +21,17 @@ locals {
   service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
 }
 
+resource "random_string" "cluster_service_account_suffix" {
+  upper   = "false"
+  lower   = "true"
+  special = "false"
+  length  = 4
+}
+
 resource "google_service_account" "cluster_service_account" {
   count        = "${var.service_account == "create" ? 1 : 0}"
   project      = "${var.project_id}"
-  account_id   = "tf-gke-${substr(var.name, 0, min(20, length(var.name)))}"
+  account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 

examples/deploy_service/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/node_pool/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/shared_vpc/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/simple_regional/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/simple_regional_private/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/simple_zonal/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/simple_zonal_private/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/stub_domains/outputs.tf

@@ -27,3 +27,8 @@ output "client_token" {
 output "ca_certificate" {
   value = "${module.gke.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

modules/private-cluster/outputs.tf

@@ -106,4 +106,9 @@ output "node_pools_names" {
 output "node_pools_versions" {
   description = "List of node pools versions"
   value       = "${local.cluster_node_pools_versions}"
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value = "${local.service_account}"
 }

modules/private-cluster/sa.tf

@@ -21,10 +21,17 @@ locals {
   service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
 }
 
+resource "random_string" "cluster_service_account_suffix" {
+  upper   = "false"
+  lower   = "true"
+  special = "false"
+  length  = 4
+}
+
 resource "google_service_account" "cluster_service_account" {
   count        = "${var.service_account == "create" ? 1 : 0}"
   project      = "${var.project_id}"
-  account_id   = "tf-gke-${substr(var.name, 0, min(20, length(var.name)))}"
+  account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 

outputs.tf

@@ -106,4 +106,9 @@ output "node_pools_names" {
 output "node_pools_versions" {
   description = "List of node pools versions"
   value       = "${local.cluster_node_pools_versions}"
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value = "${local.service_account}"
 }

sa.tf

@@ -21,10 +21,17 @@ locals {
   service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
 }
 
+resource "random_string" "cluster_service_account_suffix" {
+  upper   = "false"
+  lower   = "true"
+  special = "false"
+  length  = 4
+}
+
 resource "google_service_account" "cluster_service_account" {
   count        = "${var.service_account == "create" ? 1 : 0}"
   project      = "${var.project_id}"
-  account_id   = "tf-gke-${substr(var.name, 0, min(20, length(var.name)))}"
+  account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 

test/fixtures/shared/outputs.tf

@@ -77,3 +77,8 @@ output "ca_certificate" {
   description = "The cluster CA certificate"
   value       = "${module.example.ca_certificate}"
 }
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.example.service_account}"
+}

test/integration/simple_zonal/controls/gcloud.rb

@@ -15,6 +15,7 @@
 project_id = attribute('project_id')
 location = attribute('location')
 cluster_name = attribute('cluster_name')
+service_account = attribute('service_account')
 
 credentials_path = attribute('credentials_path')
 ENV['CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE'] = credentials_path
@@ -83,7 +84,7 @@
         expect(node_pools).to include(
           including(
             "config" => including(
-              "serviceAccount" => starting_with("tf-gke-simple-zonal-cluster@"),
+              "serviceAccount" => service_account,
             ),
           ),
         )

test/integration/simple_zonal/inspec.yml

@@ -21,3 +21,6 @@ attributes:
   - name: client_token
     required: true
     type: string
+  - name: service_account
+    required: true
+    type: string