
Commit 4caf650

fix(google_workload_identity): Remove data.google_service_account to allow bootstrapping (#330)
* fix(google_workload_identity): Remove data.google_service_account to allow bootstrapping * chore(docs): google_workload_identity/README.md
1 parent 216e950 commit 4caf650

4 files changed

+11
-22
lines changed

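--- a/google_gke_tenant/gke_service_account.tf
+++ b/google_gke_tenant/gke_service_account.tf
@@ -5,7 +5,7 @@ resource "google_service_account" "gke-account" {
 }
 
 module "workload-identity-for-tenant-sa" {
-source = "github.com/mozilla/terraform-modules//google_workload_identity?ref=v2.6.1"
+source = "../google_workload_identity"
 
 name = "gha-${var.application}"
 namespace = "${var.application}-${var.environment}"
@@ -16,7 +16,7 @@ module "workload-identity-for-tenant-sa" {
 }
 
 module "workload-identity-for-generic-tenant-sa" {
-source = "github.com/mozilla/terraform-modules//google_workload_identity?ref=v2.6.1"
+source = "../google_workload_identity"
 
 name = var.application
 namespace = "${var.application}-${var.environment}"
@@ -27,7 +27,7 @@ module "workload-identity-for-generic-tenant-sa" {
 }
 
 module "workload-identity-for-tenant-external-secrets-sa" {
-source = "github.com/mozilla/terraform-modules//google_workload_identity?ref=v2.6.1"
+source = "../google_workload_identity"
 
 name = "external-secrets"
 namespace = "${var.application}-${var.environment}"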
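Review bot: Replacing the tag-pinned source `github.com/mozilla/terraform-modules//google_workload_identity?ref=v2.6.1` with the relative path `../google_workload_identity` in all three module blocks removes the version pin, so every future edit to google_workload_identity reaches google_gke_tenant on the next plan without a release or review of the bump. That is presumably deliberate here, since the tenant module needs the bootstrapping fix in main.tf before it can be tagged, but nothing in the file says so. A one-line comment above the first `source` line, such as `# Local path: tenants consume the in-tree module; pin to a release tag once it is cut`, would tell the next reader whether re-pinning is expected.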
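--- a/google_workload_identity/README.md
+++ b/google_workload_identity/README.md
@@ -24,7 +24,6 @@ accounts to go with it
 
 | Name | Description |
 |------|-------------|
-| <a name="output_gcp_service_account"></a> [gcp\_service\_account](#output\_gcp\_service\_account) | GCP service account. |
 | <a name="output_gcp_service_account_email"></a> [gcp\_service\_account\_email](#output\_gcp\_service\_account\_email) | Email address of GCP service account. |
 | <a name="output_gcp_service_account_fqn"></a> [gcp\_service\_account\_fqn](#output\_gcp\_service\_account\_fqn) | FQN of GCP service account. |
 | <a name="output_gcp_service_account_name"></a> [gcp\_service\_account\_name](#output\_gcp\_service\_account\_name) | Name of GCP service account. |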
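--- a/google_workload_identity/main.tf
+++ b/google_workload_identity/main.tf
@@ -6,8 +6,10 @@
 
 locals {
 gcp_given_name = var.gcp_sa_name != null ? var.gcp_sa_name : substr(var.name, 0, 30)
-gcp_sa_email = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].email : google_service_account.cluster_service_account[0].email
-gcp_sa_fqn = "serviceAccount:${local.gcp_sa_email}"
+gcp_sa_email = var.use_existing_gcp_sa ? var.gcp_sa_name : google_service_account.cluster_service_account[0].email
+gcp_sa_id = var.use_existing_gcp_sa ? "projects/${local.gcp_sa_project}/serviceAccounts/${local.gcp_sa_email}" : google_service_account.cluster_service_account[0].id
+gcp_sa_member = "serviceAccount:${local.gcp_sa_email}"
+gcp_sa_project = one(regex("@(.+?)\\.", local.gcp_sa_email)) // Pull the project ID out of the service account
 
 # This will cause Terraform to block returning outputs until the service account is created
 k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
@@ -17,13 +19,6 @@ locals {
 k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
 }
 
-data "google_service_account" "cluster_service_account" {
-count = var.use_existing_gcp_sa ? 1 : 0
-
-account_id = local.gcp_given_name
-project = var.project_id
-}
-
 resource "google_service_account" "cluster_service_account" {
 count = var.use_existing_gcp_sa ? 0 : 1
 
@@ -46,7 +41,7 @@ resource "kubernetes_service_account" "main" {
 }
 
 resource "google_service_account_iam_member" "main" {
-service_account_id = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0].name : google_service_account.cluster_service_account[0].name
+service_account_id = local.gcp_sa_id
 role = "roles/iam.workloadIdentityUser"
 member = local.k8s_sa_gcp_derived_name
 }
@@ -56,5 +51,5 @@ resource "google_project_iam_member" "workload_identity_sa_bindings" {
 
 project = var.project_id
 role = each.value
-member = local.gcp_sa_fqn
-}
+member = local.gcp_sa_member
+}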
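Review bot: With `gcp_sa_email = var.use_existing_gcp_sa ? var.gcp_sa_name : ...` in the first hunk, the existing-account path now requires `var.gcp_sa_name` to be the full service account email, whereas the removed data source took the short `account_id` (`local.gcp_given_name`) and resolved the email and project itself; nothing in the hunk checks this, and if `gcp_sa_name` is null or a bare account id, the `regex("@(.+?)\\.", local.gcp_sa_email)` behind `gcp_sa_project` fails at plan time with an error that does not name the variable, and `gcp_sa_member` would otherwise build a malformed member for the project role bindings in the last hunk. A `lifecycle { precondition { ... } }` on `google_service_account_iam_member.main` (third hunk) would surface this early, e.g. `condition = !var.use_existing_gcp_sa || can(regex("@(.+?)\\.", var.gcp_sa_name))` with an `error_message` stating that `gcp_sa_name` must be the full email when `use_existing_gcp_sa` is true (this needs Terraform 1.2 or later; the module's `required_version` is not visible here). The same contract change belongs in the `gcp_sa_name` variable description, which is outside this diff. Note also that the binding's project is now derived from the email rather than `var.project_id`, so an existing account in a different project is accepted without the existence check the data source provided; if that is the intended bootstrapping behaviour, a comment on the `gcp_sa_id` line saying so would prevent it being "fixed" later.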
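--- a/google_workload_identity/outputs.tf
+++ b/google_workload_identity/outputs.tf
@@ -16,15 +16,10 @@ output "gcp_service_account_email" {
 
 output "gcp_service_account_fqn" {
 description = "FQN of GCP service account."
-value = local.gcp_sa_fqn
+value = local.gcp_sa_member
 }
 
 output "gcp_service_account_name" {
 description = "Name of GCP service account."
 value = local.k8s_sa_gcp_derived_name
 }
-
-output "gcp_service_account" {
-description = "GCP service account."
-value = var.use_existing_gcp_sa ? data.google_service_account.cluster_service_account[0] : google_service_account.cluster_service_account[0]
-}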
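Review bot: Dropping `output "gcp_service_account"` is a breaking change for any consumer that reads `module.<name>.gcp_service_account`, but the commit is labelled `fix` and its description does not call the removal out; consumers pinned to a tag (as google_gke_tenant was, at `v2.6.1`) will only hit it on their next bump. If the object output is still useful when the module creates the account, it could be kept as `value = var.use_existing_gcp_sa ? null : google_service_account.cluster_service_account[0]` with a description noting it is null for existing accounts; otherwise the removal should be recorded in the commit message or changelog so downstream maintainers can search for it.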