Merge branch 'workload_identity'
commit
63799618da
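--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,49 @@
+# Requires a google_iam_workload_identity_pool to exist, but it is not
+# referenced in this module.
+
+
+variable "project" {
+description = "Project ID."
+type = string
+}
+
+variable "k8s_namespace" {
+description = "Name of the kubernetes namespace containing the service account."
+type = string
+default = "default"
+}
+
+variable "k8s_service_account" {
+description = "Service account name from kubernetes."
+type = string
+}
+
+output "service_account" {
+description = "The google_service_account that has been bound to the kubernetes service account."
+value = google_service_account.service_account
+}
+
+output "cloudsql_username" {
+description = "If this service account is to be used with IAM database authentication, this would be the username for the user. Note that the google_sql_user is not created by this module."
+value = trimsuffix(google_service_account.service_account.email, ".gserviceaccount.com")
+}
+
+resource "google_service_account" "service_account" {
+account_id = "wi-${var.k8s_namespace}-${var.k8s_service_account}"
+display_name = "Workload identity account for GKE [${var.k8s_namespace}/${var.k8s_service_account}]"
+}
+
+data "google_iam_policy" "policy" {
+binding {
+role = "roles/iam.workloadIdentityUser"
+
+members = [
+"serviceAccount:${var.project}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]",
+]
+}
+}
+
+resource "google_service_account_iam_policy" "policy_binding" {
+service_account_id = google_service_account.service_account.name
+policy_data = data.google_iam_policy.policy.policy_data
+}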
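Review bot: `account_id` on `google_service_account.service_account` is built from two Kubernetes names with no length or character check, but GCP requires it to be 6–30 characters matching `[a-z]([-a-z0-9]*[a-z0-9])`, while Kubernetes service-account names may be longer and may contain dots, so such inputs fail only at apply time. A `lifecycle { precondition { … } }` on the resource (needs Terraform 1.2 or later; the file pins no version) rejects them at plan time, as sketched below. The `project` description `"Project ID."` should also say which project it is: the value is used only to form the pool member `${var.project}.svc.id.goog`, i.e. the project of the GKE cluster hosting the workload identity pool, whereas the service account itself lands in the provider's default project since no `project` argument is set. Finally, `google_service_account_iam_policy` is authoritative and overwrites any binding added to this service account elsewhere; a one-line comment on that resource, `# Authoritative: replaces the whole IAM policy of the service account, so only the KSA named above can impersonate it.`, would save the next maintainer a surprise.
```hcl
resource "google_service_account" "service_account" {
  account_id   = "wi-${var.k8s_namespace}-${var.k8s_service_account}"
  display_name = "Workload identity account for GKE [${var.k8s_namespace}/${var.k8s_service_account}]"

  lifecycle {
    # account_id must be 6-30 chars matching [a-z]([-a-z0-9]*[a-z0-9]);
    # Kubernetes names can be longer and may contain dots, so fail at plan time.
    precondition {
      condition     = length("wi-${var.k8s_namespace}-${var.k8s_service_account}") <= 30 && can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", "wi-${var.k8s_namespace}-${var.k8s_service_account}"))
      error_message = "wi-<namespace>-<service account> must be 6-30 characters of lowercase letters, digits and hyphens."
    }
  }
}
```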