fix: Add ability to impersonate service accounts in kubectl for all submodules (#903)

yashbhutwala · web-flow · commit fc43485af5cc · 2021-05-20T16:49:44.000-07:00
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/dns.tf b/dns.tf
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/modules/asm/README.md b/modules/asm/README.md
@@ -64,6 +64,7 @@ To deploy this config:
 | enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no |
 | enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
@@ -32,16 +32,17 @@ locals {
 
 module "asm_install" {
   source            = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version           = "~> 2.0.2"
+  version           = "~> 2.1.0"
   module_depends_on = [var.cluster_endpoint]
 
-  gcloud_sdk_version       = var.gcloud_sdk_version
-  upgrade                  = true
-  additional_components    = ["kubectl", "kpt", "beta", "kustomize"]
-  cluster_name             = var.cluster_name
-  cluster_location         = var.location
-  project_id               = var.project_id
-  service_account_key_file = var.service_account_key_file
+  gcloud_sdk_version          = var.gcloud_sdk_version
+  upgrade                     = true
+  additional_components       = ["kubectl", "kpt", "beta", "kustomize"]
+  cluster_name                = var.cluster_name
+  cluster_location            = var.location
+  project_id                  = var.project_id
+  service_account_key_file    = var.service_account_key_file
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
   kubectl_destroy_command = "kubectl delete ns istio-system"
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
@@ -87,6 +87,12 @@ variable "managed_control_plane" {
   default     = false
 }
 
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}
+
 variable "options" {
   description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features."
   type        = list
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
@@ -20,14 +20,14 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version          = "~> 2.0.2"
-  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  cluster_name     = google_container_cluster.primary.name
-  cluster_location = google_container_cluster.primary.location
-  project_id       = var.project_id
-  upgrade          = var.gcloud_upgrade
-
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name                = google_container_cluster.primary.name
+  cluster_location            = google_container_cluster.primary.location
+  project_id                  = var.project_id
+  upgrade                     = var.gcloud_upgrade
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
   kubectl_destroy_command = ""
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
@@ -72,7 +72,7 @@ resource "google_service_account_key" "gke_hub_key" {
 
 module "gke_hub_registration" {
   source  = "terraform-google-modules/gcloud/google"
-  version = "~> 2.0.2"
+  version = "~> 2.1.0"
 
   platform                          = "linux"
   gcloud_sdk_version                = var.gcloud_sdk_version
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
@@ -34,7 +34,7 @@ locals {
 
 module "k8sop_manifest" {
   source  = "terraform-google-modules/gcloud/google"
-  version = "~> 2.0.2"
+  version = "~> 2.1.0"
   enabled = local.should_download_manifest
 
   create_cmd_entrypoint  = "gsutil"
@@ -45,14 +45,15 @@ module "k8sop_manifest" {
 
 
 module "k8s_operator" {
-  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version                  = "~> 2.0.2"
-  module_depends_on        = [module.k8sop_manifest.wait, var.cluster_endpoint]
-  cluster_name             = var.cluster_name
-  cluster_location         = var.location
-  project_id               = var.project_id
-  service_account_key_file = var.service_account_key_file
-  use_existing_context     = var.use_existing_context
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  module_depends_on           = [module.k8sop_manifest.wait, var.cluster_endpoint]
+  cluster_name                = var.cluster_name
+  cluster_location            = var.location
+  project_id                  = var.project_id
+  service_account_key_file    = var.service_account_key_file
+  use_existing_context        = var.use_existing_context
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "kubectl apply -f ${local.manifest_path}"
   kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}"
@@ -67,15 +68,16 @@ resource "tls_private_key" "k8sop_creds" {
 
 module "k8sop_creds_secret" {
   source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version = "~> 2.0.2"
+  version = "~> 2.1.0"
 
-  enabled                  = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
-  module_depends_on        = [module.k8s_operator.wait]
-  cluster_name             = var.cluster_name
-  cluster_location         = var.location
-  project_id               = var.project_id
-  service_account_key_file = var.service_account_key_file
-  use_existing_context     = var.use_existing_context
+  enabled                     = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
+  module_depends_on           = [module.k8s_operator.wait]
+  cluster_name                = var.cluster_name
+  cluster_location            = var.location
+  project_id                  = var.project_id
+  service_account_key_file    = var.service_account_key_file
+  use_existing_context        = var.use_existing_context
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = local.private_key != null ? "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'" : ""
   kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
@@ -102,15 +104,16 @@ data "template_file" "k8sop_config" {
 }
 
 module "k8sop_config" {
-  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version                  = "~> 2.0.2"
-  module_depends_on        = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
-  cluster_name             = var.cluster_name
-  cluster_location         = var.location
-  project_id               = var.project_id
-  create_cmd_triggers      = { configmanagement = data.template_file.k8sop_config.rendered }
-  service_account_key_file = var.service_account_key_file
-  use_existing_context     = var.use_existing_context
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  module_depends_on           = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
+  cluster_name                = var.cluster_name
+  cluster_location            = var.location
+  project_id                  = var.project_id
+  create_cmd_triggers         = { configmanagement = data.template_file.k8sop_config.rendered }
+  service_account_key_file    = var.service_account_key_file
+  use_existing_context        = var.use_existing_context
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "kubectl apply -f - <<EOF\n${data.template_file.k8sop_config.rendered}EOF"
   kubectl_destroy_command = "kubectl delete -f - <<EOF\n${data.template_file.k8sop_config.rendered}EOF"
@@ -133,7 +136,7 @@ data "template_file" "rootsync_config" {
 
 module "wait_for_configsync_api" {
   source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version = "~> 2.0.2"
+  version = "~> 2.1.0"
   enabled = var.enable_multi_repo
 
   module_depends_on = [module.k8sop_config.wait]
@@ -153,32 +156,34 @@ module "wait_for_configsync_api" {
 
 module "rootsync_config" {
   source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version = "~> 2.0.2"
+  version = "~> 2.1.0"
   enabled = var.enable_multi_repo
 
-  module_depends_on        = [module.wait_for_configsync_api.wait]
-  cluster_name             = var.cluster_name
-  project_id               = var.project_id
-  cluster_location         = var.location
-  create_cmd_triggers      = { rootsync = data.template_file.rootsync_config.rendered }
-  service_account_key_file = var.service_account_key_file
-  use_existing_context     = var.use_existing_context
+  module_depends_on           = [module.wait_for_configsync_api.wait]
+  cluster_name                = var.cluster_name
+  project_id                  = var.project_id
+  cluster_location            = var.location
+  create_cmd_triggers         = { rootsync = data.template_file.rootsync_config.rendered }
+  service_account_key_file    = var.service_account_key_file
+  use_existing_context        = var.use_existing_context
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "kubectl apply -f - <<EOF\n${data.template_file.rootsync_config.rendered}EOF"
   kubectl_destroy_command = "kubectl delete -f - <<EOF\n${data.template_file.rootsync_config.rendered}EOF"
 }
 
 module "wait_for_gatekeeper" {
-  source                   = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version                  = "~> 2.0.2"
-  enabled                  = var.enable_policy_controller ? true : false
-  module_depends_on        = [module.k8sop_config.wait]
-  cluster_name             = var.cluster_name
-  cluster_location         = var.location
-  project_id               = var.project_id
-  create_cmd_triggers      = { script_sha1 = sha1(file("${path.module}/scripts/wait_for_gatekeeper.sh")) }
-  service_account_key_file = var.service_account_key_file
-  use_existing_context     = var.use_existing_context
+  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version                     = "~> 2.1.0"
+  enabled                     = var.enable_policy_controller ? true : false
+  module_depends_on           = [module.k8sop_config.wait]
+  cluster_name                = var.cluster_name
+  cluster_location            = var.location
+  project_id                  = var.project_id
+  create_cmd_triggers         = { script_sha1 = sha1(file("${path.module}/scripts/wait_for_gatekeeper.sh")) }
+  service_account_key_file    = var.service_account_key_file
+  use_existing_context        = var.use_existing_context
+  impersonate_service_account = var.impersonate_service_account
 
   kubectl_create_command  = "${path.module}/scripts/wait_for_gatekeeper.sh ${var.project_id} ${var.cluster_name} ${var.location} ${local.append_arg_use_existing_context}"
   kubectl_destroy_command = ""
diff --git a/modules/k8s-operator-crd-support/variables.tf b/modules/k8s-operator-crd-support/variables.tf
@@ -162,3 +162,9 @@ variable "use_existing_context" {
   type        = bool
   default     = false
 }
+
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}
diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf
diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
