expose service account variable for ACM module (#667)

Author: cloud-pharaoh

modules/acm/README.md

@@ -56,6 +56,7 @@ By default, this module will attempt to download the ACM operator from Google di
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no |
+| service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | string | `""` | no |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
 | source\_format | Configures a non-hierarchical repo if set to 'unstructured'. Uses [ACM defaults](https://cloud.google.com/anthos-config-management/docs/how-to/installing#configuring-config-management-operator) when unset. | string | `""` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |

modules/acm/main.tf

@@ -35,6 +35,7 @@ module "acm_operator" {
   source_format            = var.source_format
   hierarchy_controller     = var.hierarchy_controller
   enable_log_denies        = var.enable_log_denies
+  service_account_key_file = var.service_account_key_file
 
   operator_latest_manifest_url  = "gs://config-management-release/released/latest/config-management-operator.yaml"
   operator_cr_template_path     = "${path.module}/templates/acm-config.yml.tpl"

modules/acm/variables.tf

@@ -110,3 +110,8 @@ variable "enable_log_denies" {
   type        = bool
   default     = false
 }
+
+variable "service_account_key_file" {
+  description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
+  default     = ""
+}

modules/k8s-operator-crd-support/main.tf

@@ -40,13 +40,14 @@ module "k8sop_manifest" {
 
 
 module "k8s_operator" {
-  source            = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version           = "~> 2.0.2"
-  module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
-  skip_download     = var.skip_gcloud_download
-  cluster_name      = var.cluster_name
-  cluster_location  = var.location
-  project_id        = var.project_id
+  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                  = "~> 2.0.2"
+  module_depends_on        = [module.k8sop_manifest.wait, var.cluster_endpoint]
+  skip_download            = var.skip_gcloud_download
+  cluster_name             = var.cluster_name
+  cluster_location         = var.location
+  project_id               = var.project_id
+  service_account_key_file = var.service_account_key_file
 
   kubectl_create_command  = "kubectl apply -f ${local.manifest_path}"
   kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}"
@@ -60,13 +61,14 @@ resource "tls_private_key" "k8sop_creds" {
 }
 
 module "k8sop_creds_secret" {
-  source            = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version           = "~> 2.0.2"
-  module_depends_on = [module.k8s_operator.wait]
-  skip_download     = var.skip_gcloud_download
-  cluster_name      = var.cluster_name
-  cluster_location  = var.location
-  project_id        = var.project_id
+  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                  = "~> 2.0.2"
+  module_depends_on        = [module.k8s_operator.wait]
+  skip_download            = var.skip_gcloud_download
+  cluster_name             = var.cluster_name
+  cluster_location         = var.location
+  project_id               = var.project_id
+  service_account_key_file = var.service_account_key_file
 
   kubectl_create_command  = "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'"
   kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
@@ -96,14 +98,15 @@ resource "local_file" "operator_cr" {
 }
 
 module "k8sop_config" {
-  source              = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version             = "~> 2.0.2"
-  module_depends_on   = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
-  skip_download       = var.skip_gcloud_download
-  cluster_name        = var.cluster_name
-  cluster_location    = var.location
-  project_id          = var.project_id
-  create_cmd_triggers = { configmanagement = local_file.operator_cr.content }
+  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                  = "~> 2.0.2"
+  module_depends_on        = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
+  skip_download            = var.skip_gcloud_download
+  cluster_name             = var.cluster_name
+  cluster_location         = var.location
+  project_id               = var.project_id
+  create_cmd_triggers      = { configmanagement = local_file.operator_cr.content }
+  service_account_key_file = var.service_account_key_file
 
   kubectl_create_command  = "kubectl apply -f ${local_file.operator_cr.filename}"
   kubectl_destroy_command = "kubectl delete -f ${local_file.operator_cr.filename}"

modules/k8s-operator-crd-support/variables.tf

@@ -134,3 +134,8 @@ variable "enable_log_denies" {
   type        = bool
   default     = false
 }
+
+variable "service_account_key_file" {
+  description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
+  default     = ""
+}