feat: Workload identity for GKE

Author: gtoonstra

modules/clickhouse_backup/iam.tf

@@ -20,7 +20,3 @@ resource "google_project_iam_member" "clickhouse" {
   member  = "serviceAccount:${google_service_account.clickhouse.email}"
 }
 
-resource "google_service_account_key" "clickhouse" {
-  count              = var.clickhouse_get_backup_sa_from_secrets_yaml ? 0 : 1
-  service_account_id = resource.google_service_account.clickhouse.id
-}

modules/clickhouse_backup/outputs.tf

@@ -3,5 +3,5 @@ output "clickhouse_gcs_bucket" {
 }
 
 output "clickhouse_backup_sa" {
-  value = var.clickhouse_get_backup_sa_from_secrets_yaml ? var.clickhouse_backup_sa_key : one(resource.google_service_account_key.clickhouse[*].private_key)
+  value = resource.google_service_account.clickhouse.account_id
 }

modules/gke/main.tf

@@ -20,6 +20,7 @@ resource "google_container_cluster" "default" {
   project            = var.project_id
   network            = var.vpc_id
   subnetwork         = var.subnetwork
+  location           = var.azs[0]
   min_master_version = data.google_container_engine_versions.cluster.latest_master_version
 
   networking_mode = "VPC_NATIVE"
@@ -120,6 +121,10 @@ resource "google_container_cluster" "default" {
     autoscaling_profile = "OPTIMIZE_UTILIZATION"
   }
 
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+
   deletion_protection = var.k8s_deletion_protection
 }