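# Workload Identity wiring for external-dns running on GKE.
#
# The Kubernetes ServiceAccount <namespace>/<name> named in `locals` is allowed to
# impersonate one dedicated Google service account, which in turn is granted only
# what external-dns needs: project-wide read access (to discover managed zones)
# plus record-write access on the single managed zone it manages.
locals {
  external_dns_k8s_namespace       = "external-dns"
  external_dns_k8s_service_account = "external-dns"
}

# Random suffix for the pool ID; presumably to keep the ID unique across
# re-creations. Lowercase-only and no specials keeps it a valid pool ID.
resource "random_string" "identity_pool" {
  length  = 6
  upper   = false
  special = false
}

# NOTE(review): GKE Workload Identity authenticates against the project's fixed
# `<project-id>.svc.id.goog` pool (the one used in the member string below),
# which is managed by GKE rather than by this resource. Nothing in this file
# references this pool except the depends_on in google_service_account_iam_policy,
# so it looks unused — confirm whether it is still required before relying on it.
resource "google_iam_workload_identity_pool" "identity_pool" {
  project                   = google_project.project.project_id
  workload_identity_pool_id = "identity-pool-${random_string.identity_pool.result}"

  # Pools cannot be created until the IAM API is enabled on the project.
  depends_on = [
    google_project_service.service["iam"],
  ]
}

# Google service account that the external-dns Kubernetes ServiceAccount
# impersonates. account_id is limited to 30 characters, so keep the two locals
# short if they are ever changed.
resource "google_service_account" "external_dns" {
  project      = google_project.project.project_id
  account_id   = "wi-${local.external_dns_k8s_namespace}-${local.external_dns_k8s_service_account}"
  display_name = "Workload identity account for GKE [${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]"

  # Creating a service account also requires iam.googleapis.com. The original
  # configuration had no edge between this resource and the API enablement, so a
  # first apply on a freshly created project could race it and fail; make the
  # ordering explicit.
  depends_on = [
    google_project_service.service["iam"],
  ]
}

# Policy granting impersonation (roles/iam.workloadIdentityUser) to exactly one
# principal: the Kubernetes ServiceAccount identified through the project's
# GKE Workload Identity pool.
data "google_iam_policy" "policy" {
  binding {
    role = "roles/iam.workloadIdentityUser"
    members = [
      "serviceAccount:${google_project.project.project_id}.svc.id.goog[${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]",
    ]
  }
}

# google_service_account_iam_policy is authoritative: it replaces every binding
# on the service account with the policy above, so any principal granted
# impersonation out-of-band is removed on the next apply. That is the desired
# property here — it keeps the set of workloads able to act as this account
# pinned to the one declared in code.
resource "google_service_account_iam_policy" "policy_binding" {
  service_account_id = google_service_account.external_dns.name
  policy_data        = data.google_iam_policy.policy.policy_data

  # Kept as in the original; see the NOTE(review) on the pool above.
  depends_on = [
    google_iam_workload_identity_pool.identity_pool,
  ]
}

# Project-wide, read-only: lets external-dns list managed zones. Write access is
# deliberately not granted at project scope.
resource "google_project_iam_member" "external_dns" {
  project = google_project.project.project_id
  member  = "serviceAccount:${google_service_account.external_dns.email}"
  role    = "roles/dns.reader"
}

# Record-write access is scoped to the one managed zone external-dns owns, so a
# compromised external-dns pod cannot alter records in other zones of the project.
resource "google_dns_managed_zone_iam_member" "member" {
  project      = google_project.project.project_id
  managed_zone = google_dns_managed_zone.zone.name
  role         = "roles/dns.admin"
  member       = "serviceAccount:${google_service_account.external_dns.email}"
}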