feat: Allow workload identity submodule to update existing k8s SA.

morgante · morgante · commit f3d0f16fdab6 · 2020-02-10T16:48:02.000-05:00
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -15,16 +15,18 @@
  */
 
 locals {
-  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.name}]"
+  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+  gcp_sa_email            = google_service_account.cluster_service_account.email
 
   # This will cause terraform to block returning outputs until the service account is created
-  output_k8s_name      = var.use_existing_k8s_sa ? var.name : kubernetes_service_account.main[0].metadata[0].name
+  k8s_given_name       = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
+  output_k8s_name      = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
   output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 }
 
 resource "google_service_account" "cluster_service_account" {
   account_id   = var.name
-  display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_gcp_derived_name}", 0, 100)
+  display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
   project      = var.project_id
 }
 
@@ -40,6 +42,23 @@ resource "kubernetes_service_account" "main" {
   }
 }
 
+# TODO: add the annotation to existing service accounts automatically
+module "annotate-sa" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.5"
+
+  platform              = "linux"
+  additional_components = ["kubectl"]
+  enabled               = var.use_existing_k8s_sa
+  skip_download         = true
+
+  create_cmd_entrypoint = "kubectl"
+  create_cmd_body       = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
+
+  destroy_cmd_entrypoint = "kubectl"
+  destroy_cmd_body       = "annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+}
+
 resource "google_service_account_iam_member" "main" {
   service_account_id = google_service_account.cluster_service_account.name
   role               = "roles/iam.workloadIdentityUser"
diff --git a/modules/workload-identity/output.tf b/modules/workload-identity/output.tf
@@ -26,7 +26,7 @@ output "k8s_service_account_namespace" {
 
 output "gcp_service_account_email" {
   description = "Email address of GCP service account."
-  value       = google_service_account.cluster_service_account.email
+  value       = local.gcp_sa_email
 }
 
 output "gcp_service_account_fqn" {
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -19,6 +19,12 @@ variable "name" {
   type        = string
 }
 
+variable "k8s_sa_name" {
+  description = "Name for the existing Kubernetes service account"
+  type        = string
+  default     = null
+}
+
 variable "namespace" {
   description = "Namespace for k8s service account"
   default     = "default"

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ output "k8s_service_account_namespace" {`
`26`	`26`
`27`	`27`	`output "gcp_service_account_email" {`
`28`	`28`	`description = "Email address of GCP service account."`
`29`		`- value = google_service_account.cluster_service_account.email`
	`29`	`+ value = local.gcp_sa_email`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`output "gcp_service_account_fqn" {`