main.tf
# Provider requirements for this module.
terraform {
  required_providers {
    google = {
      # NOTE(review): ">=5.12.0" has no upper bound, so a future major release of
      # the provider (with breaking changes) would satisfy it; "~> 5.12" would
      # keep upgrades within the tested major — confirm against the rest of the repo.
      version = ">=5.12.0"
      source  = "hashicorp/google"
    }
  }
}
# With no project_id argument this resolves to the provider's configured project;
# its project_id is reused by every resource below so the project is never hard-coded.
data "google_project" "current" {}
# Dedicated service account for the cluster nodes; the IAM bindings below grant
# it only the roles listed there.
resource "google_service_account" "k8s_sa" {
  project = data.google_project.current.project_id

  # NOTE(review): GCP requires account_id to be 6-30 chars of lowercase letters,
  # digits and hyphens, so var.cluster_name needs an upstream validation block
  # (or a truncation) to keep "<name>-sa" inside that limit — confirm.
  account_id   = "${var.cluster_name}-sa"
  display_name = var.node_service_account_name
  description  = "Service account for ${var.cluster_name} GKE cluster."
}
# These bindings give the node service account what the cluster needs to pull
# images and to write logs and metrics. google_project_iam_member is additive:
# each resource manages only its own member/role pair and does not remove other
# members from the role.
resource "google_project_iam_member" "k8s_sa_storage" {
  # Refer: https://cloud.google.com/iam/docs/understanding-roles#cloud-storage-roles
  # NOTE(review): roles/storage.objectViewer at project scope grants read access
  # to every GCS bucket in the project, not only the image buckets; if the images
  # are served from Artifact Registry, roles/artifactregistry.reader is the
  # narrower role — confirm where the images are hosted before tightening.
  project = data.google_project.current.project_id
  member  = "serviceAccount:${google_service_account.k8s_sa.email}"
  role    = "roles/storage.objectViewer"
}
# Lets the nodes write log entries to Cloud Logging. Write-only: this role does
# not allow reading logs back.
resource "google_project_iam_member" "k8s_sa_logging" {
  # Refer: https://cloud.google.com/iam/docs/understanding-roles#logging-roles
  project = data.google_project.current.project_id
  member  = "serviceAccount:${google_service_account.k8s_sa.email}"
  role    = "roles/logging.logWriter"
}
# Lets the nodes push metrics to Cloud Monitoring. Write-only, like the logging
# binding above.
resource "google_project_iam_member" "k8s_sa_monitoring" {
  # Refer: https://cloud.google.com/iam/docs/understanding-roles#monitoring-roles
  project = data.google_project.current.project_id
  member  = "serviceAccount:${google_service_account.k8s_sa.email}"
  role    = "roles/monitoring.metricWriter"
}