52 lines
1.8 KiB
HCL
52 lines
1.8 KiB
HCL
locals {
|
|
external_dns_k8s_namespace = "external-dns"
|
|
external_dns_k8s_service_account = "external-dns"
|
|
}
|
|
|
|
resource "random_string" "identity_pool" {
|
|
length = 6
|
|
upper = false
|
|
special = false
|
|
}
|
|
|
|
resource "google_iam_workload_identity_pool" "identity_pool" {
|
|
project = google_project.project.project_id
|
|
workload_identity_pool_id = "identity-pool-${random_string.identity_pool.result}"
|
|
depends_on = [google_project_service.service["iam"], ]
|
|
}
|
|
|
|
resource "google_service_account" "external_dns" {
|
|
project = google_project.project.project_id
|
|
account_id = "wi-${local.external_dns_k8s_namespace}-${local.external_dns_k8s_service_account}"
|
|
display_name = "Workload identity account for GKE [${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]"
|
|
}
|
|
|
|
data "google_iam_policy" "policy" {
|
|
binding {
|
|
role = "roles/iam.workloadIdentityUser"
|
|
|
|
members = [
|
|
"serviceAccount:${google_project.project.project_id}.svc.id.goog[${local.external_dns_k8s_namespace}/${local.external_dns_k8s_service_account}]",
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "google_service_account_iam_policy" "policy_binding" {
|
|
service_account_id = google_service_account.external_dns.name
|
|
policy_data = data.google_iam_policy.policy.policy_data
|
|
depends_on = [google_iam_workload_identity_pool.identity_pool, ]
|
|
}
|
|
|
|
resource "google_project_iam_member" "external_dns" {
|
|
project = google_project.project.project_id
|
|
member = "serviceAccount:${google_service_account.external_dns.email}"
|
|
role = "roles/dns.reader"
|
|
}
|
|
|
|
resource "google_dns_managed_zone_iam_member" "external_dns" {
|
|
project = google_project.project.project_id
|
|
managed_zone = google_dns_managed_zone.zone.name
|
|
role = "roles/dns.admin"
|
|
member = "serviceAccount:${google_service_account.external_dns.email}"
|
|
}
|