talexander/kubernetes_ip_demo
1
0
Fork 0
Code Issues Pull Requests Releases Activity
kubernetes_ip_demo/terraform/external_dns.tf
Tom Alexander 6932701c21
Demonstrate conservative RFC1918 IP address use on GKE. 
This is a terraform config demonstrating spinning up 14 clusters in only a /26 (64 addresses) to demonstrate the GKE clusters do not need to consume large amounts of RFC1918 IP addresses.
2025-03-15 15:33:02 -04:00

52 lines
1.8 KiB
HCL
Raw Blame History

locals {
external_dns_k8s_namespace = "external-dns"
external_dns_k8s_service_account = "external-dns"
}
resource "random_string" "identity_pool" {
length = 6
upper = false
special = false
}
resource "google_iam_workload_identity_pool" "identity_pool" {
project = google_project.project.project_id
workload_identity_pool_id = "identity-pool-${random_string.identity_pool.result}"
depends_on = [google_project_service.service["iam"], ]
}
resource "google_service_account" "external_dns" {
project = google_project.project.project_id
account_id = "wi-${local.external_dns_k8s_namespace}-${local.external_dns_k8s_service_account}"
display_name = "Workload identity account for GKE [${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]"
}
data "google_iam_policy" "policy" {
binding {
role = "roles/iam.workloadIdentityUser"
members = [
"serviceAccount:${google_project.project.project_id}.svc.id.goog[${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]",
]
}
}
resource "google_service_account_iam_policy" "policy_binding" {
service_account_id = google_service_account.external_dns.name
policy_data = data.google_iam_policy.policy.policy_data
depends_on = [google_iam_workload_identity_pool.identity_pool, ]
}
resource "google_project_iam_member" "external_dns" {
project = google_project.project.project_id
member = "serviceAccount:${google_service_account.external_dns.email}"
role = "roles/dns.reader"
}
resource "google_dns_managed_zone_iam_member" "member" {
project = google_project.project.project_id
managed_zone = google_dns_managed_zone.zone.name
role = "roles/dns.admin"
member = "serviceAccount:${google_service_account.external_dns.email}"
}
Reference in New Issue View Git Blame Copy Permalink