Skip to content

Commit

Permalink
feat: Hub submodule - add option to use existing service account to r…
Browse files Browse the repository at this point in the history
…egister clusters. (#678)

* use existing service account

* count. use index

* format and docs

* add encoded to docs
  • Loading branch information
cloud-pharaoh authored Sep 18, 2020
1 parent 0b5bd3d commit 9f84cec
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 3 deletions.
2 changes: 2 additions & 0 deletions modules/hub/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,9 @@ To deploy this config:
| gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no |
| location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
| project\_id | The project in which the resource belongs. | string | n/a | yes |
| sa\_private\_key | Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`. | string | `"null"` | no |
| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
| use\_existing\_sa | Uses an existing service account to register membership. Requires sa_private_key | bool | `"false"` | no |
| use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no |

## Outputs
Expand Down
9 changes: 6 additions & 3 deletions modules/hub/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,29 @@
*/

locals {
gke_hub_sa_key = google_service_account_key.gke_hub_key.private_key
gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
}

data "google_client_config" "default" {
}

resource "google_service_account" "gke_hub_sa" {
count = var.use_existing_sa ? 0 : 1
account_id = var.gke_hub_sa_name
project = var.project_id
display_name = "Service Account for GKE Hub Registration"
}

resource "google_project_iam_member" "gke_hub_member" {
count = var.use_existing_sa ? 0 : 1
project = var.project_id
role = "roles/gkehub.connect"
member = "serviceAccount:${google_service_account.gke_hub_sa.email}"
member = "serviceAccount:${google_service_account.gke_hub_sa[0].email}"
}

resource "google_service_account_key" "gke_hub_key" {
service_account_id = google_service_account.gke_hub_sa.name
count = var.use_existing_sa ? 0 : 1
service_account_id = google_service_account.gke_hub_sa[0].name
}

module "gke_hub_registration" {
Expand Down
12 changes: 12 additions & 0 deletions modules/hub/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -69,3 +69,15 @@ variable "gke_hub_membership_name" {
type = string
default = "gke-hub-membership"
}

variable "use_existing_sa" {
description = "Uses an existing service account to register membership. Requires sa_private_key"
type = bool
default = false
}

variable "sa_private_key" {
description = "Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`."
type = string
default = null
}

0 comments on commit 9f84cec

Please sign in to comment.