
Conversation

@shannonxtreme
Contributor

@shannonxtreme shannonxtreme commented Jun 19, 2025

Description

Fixed #754

Add docs samples for creating a custom IAM service account that has the least-privilege role for GKE nodes.

  • Add a standalone sample for creating a service account and assigning the role
  • Add a sample for Autopilot to create the account, grant the role, and create a cluster
  • Fix Standard regional node pool sample to correctly grant the role. The previous version created a service account with no roles and used it in the node pool (which would lead to errors).

Checklist

Readiness

  • Yes, merge this PR after it is approved

Style

Testing

Intended location

API enablement

  • If the sample needs an API enabled to pass testing, I have added the service to the Test setup file

Review

  • If this sample adds a new directory, I have added codeowners to the CODEOWNERS file

@shannonxtreme shannonxtreme requested review from a team as code owners June 19, 2025 18:52
@snippet-bot

snippet-bot bot commented Jun 19, 2025

Here is the summary of changes.

You are about to add 4 region tags.


@shannonxtreme shannonxtreme changed the title Add sample for custom node service accounts [feat]: Add sample for custom node service account Jun 19, 2025
@apeabody
Contributor

/gcbrun

@apeabody apeabody changed the title [feat]: Add sample for custom node service account feat: Add sample for custom node service account Jun 20, 2025
Contributor

@apeabody apeabody left a comment


Thanks @shannonxtreme!

Contributor

@glasnt glasnt left a comment


There are some issues with your PR, comments below.

Also: if you're going to rebase, reword your commit to start with feat: to solve the conventional commit error

@apeabody
Contributor

/gcbrun

1 similar comment
@apeabody
Contributor

/gcbrun

@apeabody
Contributor

/gcbrun

@shannonxtreme
Contributor Author

Oh I should probably rebase and squash

@shannonxtreme shannonxtreme force-pushed the main branch 2 times, most recently from 182b76f to 19b95dd Compare June 24, 2025 15:04
@apeabody
Contributor

/gcbrun

Contributor

@apeabody apeabody left a comment


Thanks @shannonxtreme! All the tests are now passing!

During final review I believe there is an opportunity to consolidate/deduplicate by adding the required region tags to gke/autopilot/custom_service_account/main.tf and dropping the gke/node_service_account/main.tf file?

@shannonxtreme
Contributor Author

@apeabody the reason I made it a separate file is because creating the least-privilege service account is a standalone task that's applicable to both Standard and Autopilot clusters (and to Standard node pools). It'd feel less correct to include this region in the Autopilot cluster create file in, for example, the GKE hardening guide. Wdyt?

@apeabody
Contributor

> @apeabody the reason I made it a separate file is because creating the least-privilege service account is a standalone task that's applicable to both Standard and Autopilot clusters (and to Standard node pools). It'd feel less correct to include this region in the Autopilot cluster create file in, for example, the GKE hardening guide. Wdyt?

Thanks @shannonxtreme! I know we've done it in the past, but let's check with @glasnt on any best practice?

@glasnt
Contributor

glasnt commented Jun 25, 2025

> @apeabody the reason I made it a separate file is because creating the least-privilege service account is a standalone task that's applicable to both Standard and Autopilot clusters (and to Standard node pools). It'd feel less correct to include this region in the Autopilot cluster create file in, for example, the GKE hardening guide. Wdyt?

> Thanks @shannonxtreme! I know we've done it in the past, but let's check with @glasnt on any best practice?

The way region tags work is that you can have one file with multiple different sections marked within a region tag for inclusion in the documentation.

So in this case, you can wrap the service account creation section separately from the cluster declaration, so you can have this code embedded in separate steps of your documentation.

If you have the service account in both the Standard and Autopilot cluster files, you can wrap it in region tags (like Andrew's suggested changes), and embed each part for each cluster type in context.

Since that code is already defined, there's no reason to repeat the code in an isolated sample, when you can just re-use the region tag from another sample. Now I can see where if you wanted to show how to show the creation in a page not specific to a cluster type you may want a separate example, but given the code is identical I think it's more correct to reuse the code from one of the cluster types, if it can apply to both.

Note that region tags must be unique per repo, so some of Andrew's suggested comments will only be valid if the duplicate file is deleted, but reusing code through region tags is best practice 👍
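The layout glasnt describes, as an added illustration rather than code from this PR or from the terraform-docs-samples repository: one Autopilot cluster file where the service account and its role binding sit inside their own nested region tag, so the docs can embed just the account creation on a cluster-type-agnostic page and the whole file on the Autopilot page. The region tag names, `var.project_id`, the account ID, cluster name and location, and the role `roles/container.defaultNodeServiceAccount` (the predefined minimal role for GKE nodes) are assumptions, as is placing the account under `cluster_autoscaling.auto_provisioning_defaults`, which is where the google provider takes the node service account for Autopilot clusters.

```hcl
# Added example, not the PR's sample. Region tag names are assumed.
# [START gke_autopilot_custom_service_account]
# [START gke_node_service_account]
# Dedicated node identity: a fresh account carries no roles, so it is
# only as privileged as what is explicitly granted below.
resource "google_service_account" "node_sa" {
  account_id   = "gke-node-sa"
  display_name = "Least-privilege GKE node service account"
}

# Additive membership (not google_project_iam_binding, which is
# authoritative per role and would strip other members of that role).
# The role name is an assumption for this example.
resource "google_project_iam_member" "node_sa_role" {
  project = var.project_id
  role    = "roles/container.defaultNodeServiceAccount"
  member  = "serviceAccount:${google_service_account.node_sa.email}"
}
# [END gke_node_service_account]

resource "google_container_cluster" "autopilot" {
  name                = "example-autopilot-cluster"
  location            = "us-central1"
  enable_autopilot    = true
  deletion_protection = false

  # Autopilot takes the node identity from the auto-provisioning defaults.
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.node_sa.email
    }
  }

  # Make sure the role is granted before nodes start using the account;
  # an account with no roles is what produced the errors noted in the
  # PR description for the earlier Standard node pool sample.
  depends_on = [google_project_iam_member.node_sa_role]
}
# [END gke_autopilot_custom_service_account]
```

Because region tags must be unique per repository, the inner tag only works once the standalone `gke/node_service_account/main.tf` copy is gone, exactly the constraint glasnt raises above. A Standard cluster file would reuse the same inner block and point `node_config.service_account` at the account instead.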

@glasnt glasnt added the waiting-response Waiting for issue author to respond. label Jul 3, 2025
@shannonxtreme
Contributor Author

Makes sense @glasnt, I'll make those changes soon.

Out of scope, but curious: would a standalone service account sample have made more sense in the iam directory with placeholders for the service account ID and role name?

@glasnt
Contributor

glasnt commented Jul 14, 2025

> Out of scope, but curious: would a standalone service account sample have made more sense in the iam directory with placeholders for the service account ID and role name?

Yup! You're welcome to reuse create_service_agent that already exists (currently used in docs), but it looks like it's a bit context-specific. You could also link to this docs page showing this code. We could also create a simpler example explicitly for re-use like this.

@shannonxtreme shannonxtreme force-pushed the main branch 2 times, most recently from 5c9c3e9 to 6cf0db6 Compare July 18, 2025 17:54
@shannonxtreme
Contributor Author

Removed the standalone directory and added a region tag to the sample in autopilot/

@apeabody
Contributor

/gcbrun

@glasnt glasnt merged commit 0bfb7ef into terraform-google-modules:main Jul 20, 2025
5 checks passed
niharika-98 pushed a commit to niharika-98/terraform-docs-samples that referenced this pull request Sep 7, 2025

Labels: waiting-response (Waiting for issue author to respond.)

Development: successfully merging this pull request may close the issue "New sample requests: Create an IAM service account and grant it a role".

3 participants