2 changed files
gke_workload_identity | ||
identity.tf + | ||
variables.tf + | ||
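--- /dev/null
+++ b/gke_workload_identity/identity.tf
@@ -0,0 +1,40 @@
+# vim:ts=2:sts=2:sw=2:et
+#
+# Author: Hari Sekhon
+# Date: 2023-05-02 20:44:06 +0100 (Tue, 02 May 2023)
+#
+# https://github.com/HariSekhon/Terraform
+#
+# License: see accompanying Hari Sekhon LICENSE file
+#
+# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
+#
+# https://www.linkedin.com/in/HariSekhon
+
+# ============================================================================ #
+# G K E W o r k l o a d I d e n t i t y
+# ============================================================================ #
+
+# Creates a GCP IAM service account of the same name as the Kubernetes service account
+#
+# then adds the Workload Identity format service account as a member of the GCP service account, permitting the Kubernetes service account to use it implicitly
+#
+# You can then assign any normal GCP IAM permissions to other services to let Kubernetes pods using this k8s_service_account to acces them
+
+locals {
+workload_identity_service_account = "serviceAccount:${var.project}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]"
+}
+
+resource "google_service_account" "main" {
+account_id = var.k8s_service_account
+display_name = var.display_name
+project = var.project
+description = var.description
+}
+
+resource "google_service_account_iam_member" "main" {
+service_account_id = google_service_account.main.id
+role = "roles/iam.workloadIdentityUser"
+member = local.workload_identity_service_account
+}
+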
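Review bot: The binding on lines 35–39 of identity.tf is only half of the wiring: a pod can use `google_service_account.main` only once the Kubernetes service account carries the `iam.gke.io/gcp-service-account` annotation set to that account's email, and the commit neither documents this nor exposes the email, since no outputs file is among the two changed files. Adding `output "email" { value = google_service_account.main.email }` (an outputs.tf next to these two files) lets the caller set the annotation from the same module call instead of re-deriving the email by hand. A line in the header comment after line 22, such as `# The caller must annotate the k8s service account with iam.gke.io/gcp-service-account: <email of google_service_account.main>`, would record the dependency where readers of the module look first. Using `google_service_account_iam_member` rather than a `_binding` or `_policy` resource is the right choice here, as it only adds this one member and leaves other grants on the service account untouched.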
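--- /dev/null
+++ b/gke_workload_identity/variables.tf
@@ -0,0 +1,36 @@
+# vim:ts=2:sts=2:sw=2:et
+#
+# Author: Hari Sekhon
+# Date: 2023-05-02 20:44:02 +0100 (Tue, 02 May 2023)
+#
+# https://github.com/HariSekhon/Terraform
+#
+# License: see accompanying Hari Sekhon LICENSE file
+#
+# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
+#
+# https://www.linkedin.com/in/HariSekhon
+#
+
+variable "project" {
+type = string
+}
+
+variable "k8s_namespace" {
+type = string
+}
+
+variable "k8s_service_account" {
+type = string
+}
+
+variable "description" {
+type = string
+default = ""
+}
+
+variable "display_name" {
+type = string
+default = ""
+}
+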
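Review bot: `k8s_service_account` (lines 23–25) is reused verbatim as the GCP service account `account_id` in identity.tf, but GCP restricts that ID to 6–30 characters of lowercase letters, digits and hyphens starting with a letter, while a Kubernetes service account name may be shorter, longer or contain dots, so an incompatible name surfaces only as an apply-time API error after the plan looked fine. A `validation` block on the variable fails at plan time with a clear message instead; it needs Terraform 0.13 or later, and neither file pins `required_version`, so that should be confirmed against the repository's provider and version settings. None of the five variables carries a `description`; `project` in particular should say `description = "GCP project ID (not project number) that owns the service account and the Workload Identity pool"`, since the `svc.id.goog` pool name on identity.tf line 25 is built from the project ID and a project number passed here would produce a member string that never matches any pod.
```hcl
variable "k8s_service_account" {
  type = string
  # reused as the GCP service account account_id, which is limited to 6-30 chars
  validation {
    condition     = can(regex("^[a-z][-a-z0-9]{4,28}[a-z0-9]$", var.k8s_service_account))
    error_message = "k8s_service_account is reused as the GCP service account ID and must be 6-30 lowercase letters, digits or hyphens, starting with a letter and ending with a letter or digit."
  }
}
# … unchanged: project, k8s_namespace, description, display_name …
```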