feat: Support service account impersonation for wait-for-cluster script (#729)

* Rebase impersonation support PR for scripts

Signed-off-by: Dev <[email protected]>

* Set var type to string

Signed-off-by: Dev <[email protected]>

* Rerun make docker_generate_docs

Signed-off-by: Dev <[email protected]>

Author: Dev25

README.md

@@ -136,6 +136,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |

autogen/main/cluster.tf.tmpl

@@ -536,13 +536,12 @@ module "gcloud_wait_for_cluster" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 2.0.2"
   enabled = ! var.skip_provisioners
-
-  upgrade       = var.gcloud_upgrade
+  upgrade = var.gcloud_upgrade
 
   create_cmd_entrypoint  = "${path.module}/scripts/wait-for-cluster.sh"
-  create_cmd_body        = "${var.project_id} ${var.name}"
+  create_cmd_body        = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
   destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
-  destroy_cmd_body       = "${var.project_id} ${var.name}"
+  destroy_cmd_body       = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 
   module_depends_on = concat(
     [google_container_cluster.primary.master_version],

autogen/main/scripts/wait-for-cluster.sh

@@ -22,11 +22,12 @@ fi
 
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 
 while
-  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
   [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
 

autogen/main/variables.tf.tmpl

@@ -555,3 +555,9 @@ variable "disable_default_snat" {
   default     = false
 }
 {% endif %}
+
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}

cluster.tf

@@ -320,13 +320,12 @@ module "gcloud_wait_for_cluster" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 2.0.2"
   enabled = ! var.skip_provisioners
-
   upgrade = var.gcloud_upgrade
 
   create_cmd_entrypoint  = "${path.module}/scripts/wait-for-cluster.sh"
-  create_cmd_body        = "${var.project_id} ${var.name}"
+  create_cmd_body        = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
   destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
-  destroy_cmd_body       = "${var.project_id} ${var.name}"
+  destroy_cmd_body       = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 
   module_depends_on = concat(
     [google_container_cluster.primary.master_version],

modules/beta-private-cluster-update-variant/README.md

@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -494,13 +494,12 @@ module "gcloud_wait_for_cluster" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 2.0.2"
   enabled = ! var.skip_provisioners
-
   upgrade = var.gcloud_upgrade
 
   create_cmd_entrypoint  = "${path.module}/scripts/wait-for-cluster.sh"
-  create_cmd_body        = "${var.project_id} ${var.name}"
+  create_cmd_body        = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
   destroy_cmd_entrypoint = "${path.module}/scripts/wait-for-cluster.sh"
-  destroy_cmd_body       = "${var.project_id} ${var.name}"
+  destroy_cmd_body       = "${var.project_id} ${var.name} ${var.impersonate_service_account}"
 
   module_depends_on = concat(
     [google_container_cluster.primary.master_version],

modules/beta-private-cluster-update-variant/scripts/wait-for-cluster.sh

@@ -22,11 +22,12 @@ fi
 
 PROJECT=$1
 CLUSTER_NAME=$2
+IMPERSONATE_SERVICE_ACCOUNT=$3
 
 echo "Waiting for cluster $CLUSTER_NAME in project $PROJECT to reconcile..."
 
 while
-  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)")
+  current_status=$(gcloud container clusters list --project="$PROJECT" --filter=name:"$CLUSTER_NAME" --format="value(status)" --impersonate-service-account="$IMPERSONATE_SERVICE_ACCOUNT")
   [[ "${current_status}" != "RUNNING" ]]
 do printf ".";sleep 5; done
 

modules/beta-private-cluster-update-variant/variables.tf

@@ -539,3 +539,9 @@ variable "disable_default_snat" {
   description = "Whether to disable the default SNAT to support the private use of public IP addresses"
   default     = false
 }
+
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}

modules/beta-private-cluster/README.md

@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |