From ce0ee8646ad1afb3794541203a0c273a85409adf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Mon, 29 Apr 2024 12:12:46 +0200 Subject: [PATCH] feat: updated workload identity --- examples/gcp-pubsub/README.md | 16 ++++----- examples/gcp-pubsub/main.tf | 22 +++--------- examples/gcs/README.md | 8 ++--- examples/gcs/main.tf | 21 +++-------- examples/postgres/README.md | 10 ++---- examples/postgres/main.tf | 22 +++--------- .../workload/README.md | 2 +- .../workload/main.tf | 13 +++---- .../workload/outputs.tf | 0 .../workload/providers.tf | 0 .../workload/terraform.tfvars.example | 0 .../workload/variables.tf | 0 .../k8s/service-account/README.md | 32 ----------------- .../k8s/service-account/main.tf | 34 ------------------ .../k8s/service-account/outputs.tf | 3 -- .../k8s/service-account/providers.tf | 10 ------ .../service-account/terraform.tfvars.example | 1 - .../k8s/service-account/variables.tf | 4 --- modules/gcp-service-account/workload/main.tf | 35 ------------------- .../gcp-service-account/workload/outputs.tf | 7 ---- .../workload/README.md | 8 ++--- .../workload/bindings.tf | 22 +++++++++--- modules/k8s-service-account/workload/main.tf | 31 ++++++++++++++++ .../k8s-service-account/workload/outputs.tf | 8 +++++ .../workload/providers.tf | 0 .../workload/terraform.tfvars.example | 3 -- .../workload/variables.tf | 5 --- 27 files changed, 92 insertions(+), 225 deletions(-) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/README.md (98%) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/main.tf (75%) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/outputs.tf (100%) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/providers.tf (100%) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/terraform.tfvars.example (100%) rename humanitec-resource-defs/{gcp-service-account => k8s-service-account}/workload/variables.tf (100%) delete mode 
100644 humanitec-resource-defs/k8s/service-account/README.md delete mode 100644 humanitec-resource-defs/k8s/service-account/main.tf delete mode 100644 humanitec-resource-defs/k8s/service-account/outputs.tf delete mode 100644 humanitec-resource-defs/k8s/service-account/providers.tf delete mode 100644 humanitec-resource-defs/k8s/service-account/terraform.tfvars.example delete mode 100644 humanitec-resource-defs/k8s/service-account/variables.tf delete mode 100644 modules/gcp-service-account/workload/main.tf delete mode 100644 modules/gcp-service-account/workload/outputs.tf rename modules/{gcp-service-account => k8s-service-account}/workload/README.md (79%) rename modules/{gcp-service-account => k8s-service-account}/workload/bindings.tf (67%) create mode 100644 modules/k8s-service-account/workload/main.tf create mode 100644 modules/k8s-service-account/workload/outputs.tf rename modules/{gcp-service-account => k8s-service-account}/workload/providers.tf (100%) rename modules/{gcp-service-account => k8s-service-account}/workload/terraform.tfvars.example (87%) rename modules/{gcp-service-account => k8s-service-account}/workload/variables.tf (87%) diff --git a/examples/gcp-pubsub/README.md b/examples/gcp-pubsub/README.md index 0aead6b..79b1f0f 100644 --- a/examples/gcp-pubsub/README.md +++ b/examples/gcp-pubsub/README.md 
@@ -53,18 +53,16 @@ The workload service account will be automatically assigned to the necessary rol graph TD; topic["GCP Pub/Sub topic"] sub["GCP Pub/Sub subscription"] - topic_account["GCP Service account"] - sub_account["GCP Service account"] subgraph GKE Cluster topic_pod[workload pod] - topic_service[Service Account] + topic_service[k8s service account] sub_pod[workload pod] - sub_service[Service Account] + sub_service[k8s service account] end - topic_service --> topic_account -- bind role on --> topic + topic_service -- bind role on --> topic topic_service --> topic_pod topic --> topic_pod - sub_service --> sub_account -- bind role on --> sub + sub_service -- bind role on --> sub sub_service --> sub_pod sub --> sub_pod sub --> topic @@ -105,12 +103,11 @@ graph LR; | Name | Source | Version | |------|--------|---------| -| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a | | gps\_basic\_subscriber | ../../humanitec-resource-defs/gcp-pubsub-subscription/delegator | n/a | | gpt\_basic\_publisher | ../../humanitec-resource-defs/gcp-pubsub-topic/delegator | n/a | | iam\_role\_binding\_gcp\_pubsub\_subscription\_subscriber | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a | | iam\_role\_binding\_gcp\_pubsub\_topic\_publisher | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a | -| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a | +| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a | | pubsub\_subscription\_basic | ../../humanitec-resource-defs/gcp-pubsub-subscription/basic | n/a | | pubsub\_topic\_basic | ../../humanitec-resource-defs/gcp-pubsub-topic/basic | n/a | | workload | ../../humanitec-resource-defs/workload/service-account | n/a | 
@@ -124,12 +121,11 @@ graph LR; | [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource | | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource | -| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.gps_basic_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.gpt_basic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_subscription_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_topic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | -| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | 
[humanitec_resource_definition_criteria.pubsub_subscription_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.pubsub_topic_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | diff --git a/examples/gcp-pubsub/main.tf b/examples/gcp-pubsub/main.tf index 38f0868..b8dcb13 100644 --- a/examples/gcp-pubsub/main.tf +++ b/examples/gcp-pubsub/main.tf @@ -51,20 +51,8 @@ locals { # Required resources for workload identity -module "k8s_service_account" { - source = "../../humanitec-resource-defs/k8s/service-account" - - prefix = var.prefix -} - -resource "humanitec_resource_definition_criteria" "k8s_service_account" { - resource_definition_id = module.k8s_service_account.id - app_id = humanitec_application.example.id - force_delete = true -} - -module "gcp_service_account_workload" { - source = "../../humanitec-resource-defs/gcp-service-account/workload" +module "k8s_service_account_workload" { + source = "../../humanitec-resource-defs/k8s-service-account/workload" resource_packs_gcp_url = var.resource_packs_gcp_url resource_packs_gcp_rev = var.resource_packs_gcp_rev @@ -73,12 +61,10 @@ module "gcp_service_account_workload" { project = var.project prefix = var.prefix - - name = "hrp-ps-$${context.res.id}" } -resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" { - resource_definition_id = module.gcp_service_account_workload.id +resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" { + resource_definition_id = module.k8s_service_account_workload.id app_id = humanitec_application.example.id force_delete = true } 
diff --git a/examples/gcs/README.md b/examples/gcs/README.md index b43d63a..4d7b52b 100644 --- a/examples/gcs/README.md +++ b/examples/gcs/README.md @@ -37,7 +37,7 @@ graph TD; gcs["Google Cloud Storage"] subgraph GKE Cluster pod[workload pod] - service[Service Account] + service[k8s service account] end service -- bind role on --> gcs service --> pod @@ -78,13 +78,12 @@ graph LR; | Name | Source | Version | |------|--------|---------| -| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a | | gcs\_basic | ../../humanitec-resource-defs/gcs/basic | n/a | | gcs\_basic\_admin | ../../humanitec-resource-defs/gcs/delegator | n/a | | gcs\_basic\_read\_only | ../../humanitec-resource-defs/gcs/delegator | n/a | | iam\_role\_binding\_gcs\_admin | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a | | iam\_role\_binding\_gcs\_read\_only | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a | -| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a | +| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a | | workload | ../../humanitec-resource-defs/workload/service-account | n/a | ### Resources 
@@ -96,13 +95,12 @@ graph LR; | [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource | | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource | -| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.gcs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.gcs_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.gcs_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_binding_gcs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_binding_gcs_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | -| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| 
[humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | ### Inputs diff --git a/examples/gcs/main.tf b/examples/gcs/main.tf index 4d2da2f..91fe860 100644 --- a/examples/gcs/main.tf +++ b/examples/gcs/main.tf @@ -155,21 +155,8 @@ resource "humanitec_resource_definition_criteria" "gcs_basic_read_only" { # Required resources for workload identity - -module "k8s_service_account" { - source = "../../humanitec-resource-defs/k8s/service-account" - - prefix = var.prefix -} - -resource "humanitec_resource_definition_criteria" "k8s_service_account" { - resource_definition_id = module.k8s_service_account.id - app_id = humanitec_application.example.id - force_delete = true -} - -module "gcp_service_account_workload" { - source = "../../humanitec-resource-defs/gcp-service-account/workload" +module "k8s_service_account_workload" { + source = "../../humanitec-resource-defs/k8s-service-account/workload" resource_packs_gcp_url = var.resource_packs_gcp_url resource_packs_gcp_rev = var.resource_packs_gcp_rev @@ -180,8 +167,8 @@ module "gcp_service_account_workload" { prefix = var.prefix } -resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" { - resource_definition_id = module.gcp_service_account_workload.id +resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" { + resource_definition_id = module.k8s_service_account_workload.id app_id = humanitec_application.example.id force_delete = true } diff --git a/examples/postgres/README.md b/examples/postgres/README.md index 3f266cb..3a129fa 100644 --- a/examples/postgres/README.md +++ b/examples/postgres/README.md 
@@ -37,7 +37,6 @@ CloudSQL IAM Authentication is enabled by automatically injecting the [Cloud SQL graph TD subgraph GCP IAM gcp_db_serviceaccount[GCP Service Account - db user] - gcp_k8s_serviceaccount[GCP Service Account - k8s user] end subgraph VPC @@ -51,9 +50,8 @@ subgraph VPC workload-container --> cloud-sql-proxy-container cloud-sql-proxy-container -- CloudSQL User with iam authentication using GCP Service Account [db user] --> database end - service[K8s Service Account] --> gcp_k8s_serviceaccount + k8s_serviceaccount[K8s Service Account] -- workload identity user --> gcp_db_serviceaccount end - gcp_k8s_serviceaccount -- workload identity user --> gcp_db_serviceaccount end gcp_db_serviceaccount --> user @@ -95,9 +93,8 @@ graph LR; | Name | Source | Version | |------|--------|---------| -| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a | | iam\_role\_binding\_service\_account\_workload\_identity | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a | -| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a | +| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a | | postgres | ../../humanitec-resource-defs/postgres/workload-identity | n/a | | postgres\_instance | ../../humanitec-resource-defs/postgres-instance/basic | n/a | | workload | ../../humanitec-resource-defs/workload/service-account | n/a | 
@@ -114,9 +111,8 @@ graph LR; | [google_service_networking_connection.private_vpc_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection) | resource | | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource | -| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_binding_service_account_workload_identity](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | -| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.postgres_instance](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | diff --git a/examples/postgres/main.tf b/examples/postgres/main.tf index 52d7f56..3b4dbbe 100644 --- a/examples/postgres/main.tf 
+++ b/examples/postgres/main.tf @@ -149,20 +149,8 @@ resource "humanitec_resource_definition_criteria" "iam_role_binding_service_acco # Required resources for workload identity -module "k8s_service_account" { - source = "../../humanitec-resource-defs/k8s/service-account" - - prefix = var.prefix -} - -resource "humanitec_resource_definition_criteria" "k8s_service_account" { - resource_definition_id = module.k8s_service_account.id - app_id = humanitec_application.example.id - force_delete = true -} - -module "gcp_service_account_workload" { - source = "../../humanitec-resource-defs/gcp-service-account/workload" +module "k8s_service_account_workload" { + source = "../../humanitec-resource-defs/k8s-service-account/workload" resource_packs_gcp_url = var.resource_packs_gcp_url resource_packs_gcp_rev = var.resource_packs_gcp_rev @@ -171,12 +159,10 @@ module "gcp_service_account_workload" { project = var.project prefix = var.prefix - - name = "hrp-pg-$${context.res.id}" } -resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" { - resource_definition_id = module.gcp_service_account_workload.id +resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" { + resource_definition_id = module.k8s_service_account_workload.id app_id = humanitec_application.example.id force_delete = true } diff --git a/humanitec-resource-defs/gcp-service-account/workload/README.md b/humanitec-resource-defs/k8s-service-account/workload/README.md similarity index 98% rename from humanitec-resource-defs/gcp-service-account/workload/README.md rename to humanitec-resource-defs/k8s-service-account/workload/README.md index b2e7a89..226f9e7 100644 --- a/humanitec-resource-defs/gcp-service-account/workload/README.md +++ b/humanitec-resource-defs/k8s-service-account/workload/README.md @@ -36,4 +36,4 @@ | Name | Description | |------|-------------| | id | n/a | - + \ No newline at end of file 
diff --git a/humanitec-resource-defs/gcp-service-account/workload/main.tf b/humanitec-resource-defs/k8s-service-account/workload/main.tf similarity index 75% rename from humanitec-resource-defs/gcp-service-account/workload/main.tf rename to humanitec-resource-defs/k8s-service-account/workload/main.tf index 008a639..ac3a935 100644 --- a/humanitec-resource-defs/gcp-service-account/workload/main.tf +++ b/humanitec-resource-defs/k8s-service-account/workload/main.tf @@ -1,14 +1,14 @@ resource "humanitec_resource_definition" "main" { driver_type = "humanitec/terraform" - id = "${var.prefix}gcp-service-account-workload" - name = "${var.prefix}gcp-service-account-workload" - type = "gcp-service-account" + id = "${var.prefix}k8s-service-account-workload" + name = "${var.prefix}k8s-service-account-workload" + type = "k8s-service-account" driver_account = var.driver_account driver_inputs = { values_string = jsonencode({ source = { - path = "modules/gcp-service-account/workload" + path = "modules/k8s-service-account/workload" rev = var.resource_packs_gcp_rev url = var.resource_packs_gcp_url } @@ -25,8 +25,7 @@ resource "humanitec_resource_definition" "main" { project = var.project roles = var.roles - prefix = var.prefix - name = var.name + name = var.name namespace = "$${resources.k8s-namespace#k8s-namespace.outputs.namespace}" @@ -36,6 +35,8 @@ resource "humanitec_resource_definition" "main" { app_id = "$${context.app.id}" env_id = "$${context.env.id}" } + + manifests_output = "manifests" }) } } diff --git a/humanitec-resource-defs/gcp-service-account/workload/outputs.tf b/humanitec-resource-defs/k8s-service-account/workload/outputs.tf similarity index 100% rename from humanitec-resource-defs/gcp-service-account/workload/outputs.tf rename to humanitec-resource-defs/k8s-service-account/workload/outputs.tf 
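Review bot: The `source` block in the first hunk still takes `rev = var.resource_packs_gcp_rev` for a module that now writes project-level IAM bindings and applies cluster manifests, so the value callers pass should be an immutable commit SHA rather than a branch name; a comment on that line such as `# rev must be an immutable commit SHA: this module grants IAM roles and applies manifests` would make the expectation visible. In the second hunk `roles = var.roles` is unchanged, but its meaning has changed: these roles are now granted directly to the workload's federated Kubernetes principal (see modules/k8s-service-account/workload/bindings.tf in this commit) rather than to a provisioned GCP service account, which the resource definition's `roles` variable description should state. The new `manifests_output = "manifests"` presumably tells the terraform driver which module output carries the ServiceAccount manifest; confirm the key name against the driver's documentation, since a mismatch would silently skip creating the service account the IAM bindings point at.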
diff --git a/humanitec-resource-defs/gcp-service-account/workload/providers.tf b/humanitec-resource-defs/k8s-service-account/workload/providers.tf similarity index 100% rename from humanitec-resource-defs/gcp-service-account/workload/providers.tf rename to humanitec-resource-defs/k8s-service-account/workload/providers.tf diff --git a/humanitec-resource-defs/gcp-service-account/workload/terraform.tfvars.example b/humanitec-resource-defs/k8s-service-account/workload/terraform.tfvars.example similarity index 100% rename from humanitec-resource-defs/gcp-service-account/workload/terraform.tfvars.example rename to humanitec-resource-defs/k8s-service-account/workload/terraform.tfvars.example diff --git a/humanitec-resource-defs/gcp-service-account/workload/variables.tf b/humanitec-resource-defs/k8s-service-account/workload/variables.tf similarity index 100% rename from humanitec-resource-defs/gcp-service-account/workload/variables.tf rename to humanitec-resource-defs/k8s-service-account/workload/variables.tf diff --git a/humanitec-resource-defs/k8s/service-account/README.md b/humanitec-resource-defs/k8s/service-account/README.md deleted file mode 100644 index ab640e1..0000000 --- a/humanitec-resource-defs/k8s/service-account/README.md +++ /dev/null @@ -1,32 +0,0 @@ - -### Requirements - -| Name | Version | -|------|---------| -| terraform | >= 1.3.0 | -| humanitec | ~> 1.0 | - -### Providers - -| Name | Version | -|------|---------| -| humanitec | ~> 1.0 | - -### Resources - -| Name | Type | -|------|------| -| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource | - -### Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| prefix | n/a | `string` | `""` | no | - -### Outputs - -| Name | Description | -|------|-------------| -| id | n/a | - \ No newline at end of file 
diff --git a/humanitec-resource-defs/k8s/service-account/main.tf b/humanitec-resource-defs/k8s/service-account/main.tf deleted file mode 100644 index 1efe8f8..0000000 --- a/humanitec-resource-defs/k8s/service-account/main.tf +++ /dev/null @@ -1,34 +0,0 @@ -resource "humanitec_resource_definition" "main" { - id = "${var.prefix}k8s-service-account" - name = "${var.prefix}k8s-service-account" - type = "k8s-service-account" - - driver_type = "humanitec/template" - driver_inputs = { - values_string = jsonencode({ - templates = { - init = "" - manifests = < 0 - - default_name = "${var.prefix}${var.app_id}-${var.env_id}-${var.res_id}" - - name = coalesce(var.name, local.default_name) - sanitized_name = replace(local.name, ".", "-") - - # Name restrictions https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - k8s_service_account_name = trimsuffix(substr(local.sanitized_name, 0, 64), "-") -} - -resource "google_service_account" "main" { - count = local.account_required ? 1 : 0 - - display_name = local.name - # Name restrictions https://cloud.google.com/iam/quotas, 30 chars - account_id = trimsuffix(substr(local.sanitized_name, 0, 30), "-") -} - -resource "google_project_iam_member" "role" { - for_each = var.roles - - project = var.project - role = each.key - member = "serviceAccount:${google_service_account.main[0].email}" -} - -resource "google_service_account_iam_member" "workload_identity_k8s_service_account" { - count = local.account_required ? 1 : 0 - - service_account_id = google_service_account.main[0].name - role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${var.project}.svc.id.goog[${var.namespace}/${local.k8s_service_account_name}]" -} diff --git a/modules/gcp-service-account/workload/outputs.tf b/modules/gcp-service-account/workload/outputs.tf deleted file mode 100644 index b7fd101..0000000 --- a/modules/gcp-service-account/workload/outputs.tf +++ /dev/null 
@@ -1,7 +0,0 @@ -output "email" { - value = local.account_required ? google_service_account.main[0].email : "" -} - -output "k8s_service_account_name" { - value = local.k8s_service_account_name -} diff --git a/modules/gcp-service-account/workload/README.md b/modules/k8s-service-account/workload/README.md similarity index 79% rename from modules/gcp-service-account/workload/README.md rename to modules/k8s-service-account/workload/README.md index d3ce816..953ab92 100644 --- a/modules/gcp-service-account/workload/README.md +++ b/modules/k8s-service-account/workload/README.md @@ -19,10 +19,9 @@ | [google_project_iam_member.role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_pubsub_subscription_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource | | [google_pubsub_topic_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam_member) | resource | -| [google_service_account.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | | [google_service_account_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource | -| [google_service_account_iam_member.workload_identity_k8s_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource | | [google_storage_bucket_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | ### Inputs 
@@ -32,7 +31,6 @@ | bindings | List of additional bindings to grant to the service account | `set(string)` | n/a | yes | | env\_id | n/a | `string` | n/a | yes | | namespace | k8s namespace | `string` | n/a | yes | -| prefix | Prefix for all resources | `string` | n/a | yes | | project | GCP project ID | `string` | n/a | yes | | res\_id | n/a | `string` | n/a | yes | | roles | List of project-level roles to grant to the service account | `set(string)` | n/a | yes | @@ -42,6 +40,6 @@ | Name | Description | |------|-------------| -| email | n/a | -| k8s\_service\_account\_name | n/a | +| manifests | The Kubernetes manifests that should be applied to the cluster to create the k8s service-account. | +| name | n/a | diff --git a/modules/gcp-service-account/workload/bindings.tf b/modules/k8s-service-account/workload/bindings.tf similarity index 67% rename from modules/gcp-service-account/workload/bindings.tf rename to modules/k8s-service-account/workload/bindings.tf index 67a6542..e8c59fd 100644 --- a/modules/gcp-service-account/workload/bindings.tf +++ b/modules/k8s-service-account/workload/bindings.tf @@ -1,5 +1,19 @@ +data "google_project" "project" { + project_id = var.project +} + locals { parsed_bindings = [for g in var.bindings : jsondecode(g)] + + principal = "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.project}.svc.id.goog/subject/ns/${var.namespace}/sa/${local.k8s_service_account_name}" +} + +resource "google_project_iam_member" "role" { + for_each = var.roles + + project = var.project + role = each.key + member = local.principal } resource "google_pubsub_subscription_iam_member" "main" { @@ -10,7 +24,7 @@ resource "google_pubsub_subscription_iam_member" "main" { subscription = each.value["subscription"] role = each.value["role"] - member = "serviceAccount:${google_service_account.main[0].email}" + member = local.principal } resource "google_pubsub_topic_iam_member" "main" { 
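Review bot: `google_project_iam_member.role` in the first bindings.tf hunk now grants every entry of `var.roles` at project scope directly to the federated Kubernetes principal, and unlike the deleted gcp-service-account module nothing gates it, so any broad role a caller passes lands on the pod identity with no intermediate GCP service account left to audit or disable. `local.principal` is built from `var.namespace` and `local.k8s_service_account_name` (defined in this module's main.tf), so the identity is exactly as unique as that pair. I would add above the resource `# Project-level roles bind directly to the workload's federated principal (no intermediate GSA); keep var.roles minimal and prefer the resource-scoped grants in var.bindings.` The new `data.google_project.project` lookup presumably requires `resourcemanager.projects.get` on the driver account; worth confirming the provisioner already holds it. The same `member = local.principal` replacement appears in the remaining bindings.tf hunks (subscription, topic, service-account and bucket members) and needs no separate note.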
@@ -21,7 +35,7 @@ resource "google_pubsub_topic_iam_member" "main" { topic = each.value["topic"] role = each.value["role"] - member = "serviceAccount:${google_service_account.main[0].email}" + member = local.principal } resource "google_service_account_iam_member" "main" { @@ -32,7 +46,7 @@ resource "google_service_account_iam_member" "main" { service_account_id = each.value["service_account_id"] role = each.value["role"] - member = "serviceAccount:${google_service_account.main[0].email}" + member = local.principal } resource "google_storage_bucket_iam_member" "main" { @@ -43,5 +57,5 @@ resource "google_storage_bucket_iam_member" "main" { bucket = each.value["bucket"] role = each.value["role"] - member = "serviceAccount:${google_service_account.main[0].email}" + member = local.principal } diff --git a/modules/k8s-service-account/workload/main.tf b/modules/k8s-service-account/workload/main.tf new file mode 100644 index 0000000..dbc7bdb --- /dev/null +++ b/modules/k8s-service-account/workload/main.tf @@ -0,0 +1,31 @@ +locals { + # Service Accounts are already scoped by env/app through the k8s-namespace + default_name = var.res_id + + name = coalesce(var.name, local.default_name) + sanitized_name = replace(local.name, ".", "-") + + # Name restrictions https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ + k8s_service_account_name = trimsuffix(substr(local.sanitized_name, 0, 64), "-") +} + +locals { + service_account_manifest = { + apiVersion : "v1", + kind : "ServiceAccount", + metadata : { + name : local.k8s_service_account_name, + annotations : { + res : var.res_id, + app : var.app_id, + env : var.env_id + } + } + } + manifests = [ + { + location = "namespace" + data = local.service_account_manifest + } + ] +} diff --git a/modules/k8s-service-account/workload/outputs.tf b/modules/k8s-service-account/workload/outputs.tf new file mode 100644 index 0000000..1d9afc9 --- /dev/null +++ b/modules/k8s-service-account/workload/outputs.tf 
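Review bot: In the new modules/k8s-service-account/workload/main.tf, `k8s_service_account_name` is derived from `var.res_id` alone (the deleted module combined prefix, app_id, env_id and res_id), and because bindings.tf builds the IAM principal from `ns/<namespace>/sa/<name>`, two workloads that share a namespace and a resource id would also share the Kubernetes service account and every role bound to it; the comment asserts namespaces are scoped per env/app, which should be verified against the k8s-namespace definition rather than assumed. Sanitisation only replaces `.`, so an explicit `var.name` containing uppercase letters or `_` still yields a ServiceAccount name the API rejects, and `substr(..., 0, 64)` can map two long distinct names onto one principal. A `validation` block on `var.name` in variables.tf, `condition = var.name == "" || can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.name))`, would fail at plan time instead of at apply.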
@@ -0,0 +1,8 @@ +output "name" { + value = local.k8s_service_account_name +} + +output "manifests" { + description = "The Kubernetes manifests that should be applied to the cluster to create the k8s service-account." + value = local.manifests +} diff --git a/modules/gcp-service-account/workload/providers.tf b/modules/k8s-service-account/workload/providers.tf similarity index 100% rename from modules/gcp-service-account/workload/providers.tf rename to modules/k8s-service-account/workload/providers.tf diff --git a/modules/gcp-service-account/workload/terraform.tfvars.example b/modules/k8s-service-account/workload/terraform.tfvars.example similarity index 87% rename from modules/gcp-service-account/workload/terraform.tfvars.example rename to modules/k8s-service-account/workload/terraform.tfvars.example index 3563718..4bdaed7 100644 --- a/modules/gcp-service-account/workload/terraform.tfvars.example +++ b/modules/k8s-service-account/workload/terraform.tfvars.example @@ -11,9 +11,6 @@ name = "" # k8s namespace namespace = "" -# Prefix for all resources -prefix = "" - # GCP project ID project = "" diff --git a/modules/gcp-service-account/workload/variables.tf b/modules/k8s-service-account/workload/variables.tf similarity index 87% rename from modules/gcp-service-account/workload/variables.tf rename to modules/k8s-service-account/workload/variables.tf index 8fea8ee..830fdf8 100644 --- a/modules/gcp-service-account/workload/variables.tf +++ b/modules/k8s-service-account/workload/variables.tf @@ -1,8 +1,3 @@ -variable "prefix" { - type = string - description = "Prefix for all resources" -} - variable "name" { type = string description = "Resource name"
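Review bot: `output "name"` has no `description` while `output "manifests"` directly below it does, and the README generated from these outputs (the `| name | n/a |` row in this commit's README hunk) inherits the gap. Since `name` is the value interpolated into the workload identity principal in bindings.tf, I would add `description = "Name of the Kubernetes service account after sanitisation and truncation (max 64 characters); it is the subject of the workload identity principal."`.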