From e17e2f24a7b23b8655e47133a2279e27a03c0e61 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 18 Jul 2021 17:03:14 -0400
Subject: [PATCH] Create the google service account.

---
 terraform/basic_gke/main.tf | 5 +++--
 .../workload_identity_account.tf | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/terraform/basic_gke/main.tf b/terraform/basic_gke/main.tf
index 7af54f9..91b1a2e 100644
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@@ -108,8 +108,9 @@ module "cloudsql" {
 # Create a workload identity service account for IAM authentication to
 # cloudsql
 module "cloudsql_test_sa" {
-  source = "../modules/workload_identity_account"
-  project = var.project
+  source = "../modules/workload_identity_account"
+  project = var.project
+  k8s_service_account = "test-sa"
 }
 
 #################### Redis ################################
diff --git a/terraform/modules/workload_identity_account/workload_identity_account.tf b/terraform/modules/workload_identity_account/workload_identity_account.tf
index c6c10e6..c79e3ce 100644
--- a/terraform/modules/workload_identity_account/workload_identity_account.tf
+++ b/terraform/modules/workload_identity_account/workload_identity_account.tf
@@ -6,3 +6,19 @@ variable "project" {
   description = "Project ID."
   type = string
 }
+
+variable "k8s_namespace" {
+  description = "Name of the kubernetes namespace containing the service account."
+  type = string
+  default = "default"
+}
+
+variable "k8s_service_account" {
+  description = "Service account name from kubernetes."
+  type = string
+}
+
+resource "google_service_account" "service_account" {
+  account_id = "wi-${var.k8s_namespace}-${var.k8s_service_account}"
+  display_name = "Workload identity account for GKE [${var.k8s_namespace}/${var.k8s_service_account}]"
+}
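Review bot: The `cloudsql_test_sa` module call sets `k8s_service_account` but leaves `k8s_namespace` to the module's default of `"default"`, and since the module embeds the namespace in the Google service account's `account_id`, any later change to that default would force the account to be destroyed and recreated, breaking whatever identity bindings hang off it. Pin it explicitly in the call, `k8s_namespace = "default"`, so the resulting account name is visible at the call site and stable regardless of the module's defaults. The module block ends inside the hunk, so no other arguments are hidden from view.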
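Review bot: The `account_id` built in `google_service_account.service_account` is not validated against GCP's constraints, which require 6–30 characters of lowercase letters, digits and hyphens starting with a letter, while a Kubernetes service account name may be far longer and a namespace such as `"kube-system"` already consumes much of the budget, so an over-long or mixed-case input only fails at apply time. Joining namespace and name with a bare hyphen is also ambiguous: namespace `a-b` with account `c` and namespace `a` with account `b-c` both produce `wi-a-b-c`, so two distinct Kubernetes identities could map to the same Google identity; a length-bounded, unambiguous encoding (for example a short hash suffix) would avoid that. A `validation` block on each input variable would at least fail at plan time with a clear message, and the length of the composed id should be checked where the Terraform version in use allows referencing both variables (a resource `precondition` on newer releases, presumably). The note below shows the charset check for `k8s_service_account`; the same shape applies to `k8s_namespace`.
```hcl
variable "k8s_service_account" {
  description = "Service account name from kubernetes."
  type        = string

  # account_id is "wi-<namespace>-<name>" and must fit GCP's 6-30 char,
  # lowercase alphanumeric-plus-hyphen rule; reject bad input at plan time.
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]*$", var.k8s_service_account))
    error_message = "k8s_service_account must be lowercase letters, digits and hyphens, starting with a letter."
  }
}
```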