Allow service account for cluster to be created by the module

Author: Jberlinsky

README.md

@@ -125,7 +125,7 @@ Then perform the following commands on the root folder:
 | region | The region to host the cluster in (required) | string | - | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `true` | no |
 | remove_default_node_pool | Remove default node pool while setting up the cluster | string | `false` | no |
-| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account | string | `` | no |
+| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `` | no |
 | stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | - | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |

autogen/README.md

@@ -1,6 +1,6 @@
 # Terraform Kubernetes Engine Module
 
-This module handles opinionated Google Cloud Platform Kubernetes Engine cluster creation and configuration with Node Pools, IP MASQ, Network Policy, etc. {% if private_cluster %}This particular submodule creates a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters){% endif %}
+This module handles opinionated Google Cloud Platform Kubernetes Engine cluster creation and configuration with Node Pools, IP MASQ, Network Policy, etc.{% if private_cluster %} This particular submodule creates a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters){% endif %}
 
 The resources/services/activations/deletions that this module will create/trigger are:
 - Create a GKE cluster with the provided addons

examples/simple_zonal/README.md

@@ -10,7 +10,6 @@ This example illustrates how to create a simple cluster.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | cluster_name_suffix | A suffix to append to the default cluster name | string | `` | no |
-| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | credentials_path | The path to the GCP credentials JSON file | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |

modules/private-cluster/README.md

@@ -131,7 +131,7 @@ Then perform the following commands on the root folder:
 | region | The region to host the cluster in (required) | string | - | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `true` | no |
 | remove_default_node_pool | Remove default node pool while setting up the cluster | string | `false` | no |
-| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account | string | `` | no |
+| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `` | no |
 | stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | - | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |

modules/private-cluster/cluster_regional.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

modules/private-cluster/cluster_zonal.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

modules/private-cluster/sa.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file was automatically generated from a template in ./autogen
+
+locals {
+  service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
+  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+}
+
+resource "google_service_account" "cluster_service_account" {
+  count        = "${var.service_account == "create" ? 1 : 0}"
+  project      = "${var.project_id}"
+  account_id   = "tf-gke-${substr(var.name, 0, 20)}"
+  display_name = "Terraform-managed service account for cluster ${var.name}"
+}

modules/private-cluster/variables.tf

@@ -208,7 +208,7 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account"
+  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
   default     = ""
 }
 

sa.tf

@@ -18,12 +18,12 @@
 
 locals {
   service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
-  service_account = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
 }
 
 resource "google_service_account" "cluster_service_account" {
   count        = "${var.service_account == "create" ? 1 : 0}"
   project      = "${var.project_id}"
   account_id   = "tf-gke-${substr(var.name, 0, 20)}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
-}
+}

test/fixtures/simple_zonal/example.tf

@@ -17,13 +17,13 @@
 module "example" {
   source = "../../../examples/simple_zonal"
 
-  project_id                     = "${var.project_id}"
-  credentials_path               = "${local.credentials_path}"
-  cluster_name_suffix            = "-${random_string.suffix.result}"
-  region                         = "${var.region}"
-  zones                          = ["${slice(var.zones,0,1)}"]
-  network                        = "${google_compute_network.main.name}"
-  subnetwork                     = "${google_compute_subnetwork.main.name}"
-  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
-  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
+  project_id          = "${var.project_id}"
+  credentials_path    = "${local.credentials_path}"
+  cluster_name_suffix = "-${random_string.suffix.result}"
+  region              = "${var.region}"
+  zones               = ["${slice(var.zones,0,1)}"]
+  network             = "${google_compute_network.main.name}"
+  subnetwork          = "${google_compute_subnetwork.main.name}"
+  ip_range_pods       = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+  ip_range_services   = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
 }