fixed

wandb · Jun 10, 2024 · 774e6ab · 774e6ab
1 parent 4d73311
commit 774e6ab
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 83 deletions.
diff --git a/main.tf b/main.tf
@@ -29,16 +29,14 @@ locals {
 }
 
 module "service_accounts" {
- source = "./modules/service_accounts"
- namespace = var.namespace
- bucket_name = var.bucket_name
- kms_gcs_sa_id = var.kms_gcs_sa_id
- kms_gcs_sa_name = var.kms_gcs_sa_name
- workload_identity = var.create_workload_identity
- account_id = var.workload_account_id
- service_account_name = var.service_account_name
- enable_stackdriver = var.enable_stackdriver
- depends_on = [module.project_factory_project_services]
+ source = "./modules/service_accounts"
+ namespace = var.namespace
+ bucket_name = var.bucket_name
+ kms_gcs_sa_name = var.kms_gcs_sa_name
+ create_workload_identity = var.create_workload_identity
+ stackdriver_sa_name = var.stackdriver_sa_name
+ enable_stackdriver = var.enable_stackdriver
+ depends_on = [module.project_factory_project_services]
 }
 
 module "kms" {
@@ -83,15 +81,15 @@ locals {
 }
 
 module "app_gke" {
- source = "./modules/app_gke"
- namespace = var.namespace
- machine_type = coalesce(try(local.deployment_size[var.size].node_instance, null), var.gke_machine_type)
- node_count = coalesce(try(local.deployment_size[var.size].node_count, null), var.gke_node_count)
- network = local.network
- subnetwork = local.subnetwork
- service_account = module.service_accounts.service_account
+ source  = "./modules/app_gke"
+ namespace  = var.namespace
+ machine_type  = coalesce(try(local.deployment_size[var.size].node_instance, null), var.gke_machine_type)
+ node_count  = coalesce(try(local.deployment_size[var.size].node_count, null), var.gke_node_count)
+ network  = local.network
+ subnetwork  = local.subnetwork
+ service_account  = module.service_accounts.service_account
  create_workload_identity = var.create_workload_identity
- depends_on = [module.project_factory_project_services]
+ depends_on  = [module.project_factory_project_services]
 }
 
 module "app_lb" {
@@ -267,9 +265,10 @@ module "wandb" {
  stackdriver = var.enable_stackdriver ? {
  install = true
  stackdriver = {
- projectId = data.google_client_config.current.project
+ projectId = data.google_client_config.current.project
+ serviceAccountName = var.stackdriver_sa_name
  }
- serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.monitoring_role } }
+ serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.stackdriver_email } }
  } : {
  install = false
  stackdriver = {}

diff --git a/modules/app_gke/main.tf b/modules/app_gke/main.tf
@@ -7,9 +7,9 @@ locals {
 resource "google_container_cluster" "default" {
  name = "${var.namespace}-cluster"
 
- network = var.network.self_link
- subnetwork = var.subnetwork.self_link
- networking_mode = "VPC_NATIVE"
+ network  = var.network.self_link
+ subnetwork  = var.subnetwork.self_link
+ networking_mode  = "VPC_NATIVE"
  enable_intranode_visibility = true
 
  # Conditionally enable workload identity
@@ -31,7 +31,7 @@ resource "google_container_cluster" "default" {
  workload_pool = "${local.project_id}.svc.id.goog"
  }
  }
- 
+
  ip_allocation_policy {
  cluster_ipv4_cidr_block = "/14"
  services_ipv4_cidr_block = "/19"

diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
@@ -65,63 +65,64 @@ resource "google_project_iam_member" "secretmanager_admin" {
 
 ####### service account for kms and gcs cross project access
 resource "google_service_account" "kms_gcs_sa" {
- count = var.workload_identity == true ? 1 : 0
- account_id = var.kms_gcs_sa_id
+ count = var.create_workload_identity == true ? 1 : 0
+ account_id = var.kms_gcs_sa_name
  display_name = "Service Account For Workload Identity"
 }
 
 resource "google_project_iam_member" "storage" {
- count = var.workload_identity == true ? 1 : 0
+ count = var.create_workload_identity == true ? 1 : 0
  project = local.project_id
  role = "roles/storage.admin"
  member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}"
 }
 
 resource "google_project_iam_member" "kms" {
- count = var.workload_identity == true ? 1 : 0
+ count = var.create_workload_identity == true ? 1 : 0
  project = local.project_id
  role = "roles/cloudkms.admin"
  member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}"
 }
 
 resource "google_service_account_iam_member" "token_creator_binding" {
- count = var.workload_identity == true ? 1 : 0
+ count = var.create_workload_identity == true ? 1 : 0
  service_account_id = google_service_account.kms_gcs_sa[count.index].id
  role = "roles/iam.serviceAccountTokenCreator"
  member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}"
 }
 
 resource "google_service_account_iam_member" "workload_binding" {
- count = var.workload_identity == true ? 1 : 0
+ count = var.create_workload_identity == true ? 1 : 0
  service_account_id = google_service_account.kms_gcs_sa[count.index].id
  role = "roles/iam.workloadIdentityUser"
  member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.kms_gcs_sa_name}]"
+}
 
 
 ### service account for stackdriver
-resource "google_service_account" "workload-identity-user-sa" {
+resource "google_service_account" "stackdriver" {
  count = var.enable_stackdriver == true ? 1 : 0
- account_id = "stackdriver"
+ account_id = var.stackdriver_sa_name
  display_name = "Service Account For Workload Identity"
 }
 
-resource "google_project_iam_member" "monitoring-role" {
+resource "google_project_iam_member" "monitoring" {
  count = var.enable_stackdriver == true ? 1 : 0
  project = local.project_id
  role = "roles/monitoring.viewer"
- member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}"
+ member = "serviceAccount:${google_service_account.stackdriver[count.index].email}"
 }
 
-resource "google_service_account_iam_member" "monitoring-role" {
+resource "google_service_account_iam_member" "stackdriver_token_creator" {
  count = var.enable_stackdriver == true ? 1 : 0
- service_account_id = google_service_account.workload-identity-user-sa[count.index].id
+ service_account_id = google_service_account.stackdriver[count.index].id
  role = "roles/iam.serviceAccountTokenCreator"
- member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}"
+ member = "serviceAccount:${google_service_account.stackdriver[count.index].email}"
 }
 
-resource "google_service_account_iam_member" "workload_identity-role" {
+resource "google_service_account_iam_member" "stackdriver_binding" {
  count = var.enable_stackdriver == true ? 1 : 0
- service_account_id = google_service_account.workload-identity-user-sa[count.index].id
+ service_account_id = google_service_account.stackdriver[count.index].id
  role = "roles/iam.workloadIdentityUser"
- member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.service_account_name}]"
+ member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.stackdriver_sa_name}]"
 }
diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf
@@ -6,10 +6,9 @@ output "service_account" {
 
 
 output "sa_account_email" {
- value = var.workload_identity == true ? google_service_account.kms_gcs_sa[0].email : null
+ value = var.create_workload_identity == true ? google_service_account.kms_gcs_sa[0].email : null
 }
 
-output "monitoring_role" {
- value = var.enable_stackdriver == true ? google_service_account.workload-identity-user-sa[0].email : null
-
+output "stackdriver_email" {
+ value = var.enable_stackdriver == true ? google_service_account.stackdriver[0].email : null
 }
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
@@ -13,30 +13,22 @@ variable "bucket_name" {
 variable "create_workload_identity" {
  description = "Flag to indicate whether to create a workload identity for the service account."
  type = bool
- default  = false
+ default = false
 }
 
-variable "kms_gcs_sa_id" {
+variable "kms_gcs_sa_name" {
  type = string
  default = "wandb-serviceaccount"
 }
 
-variable "kms_gcs_sa_name" {
- type = string
- default = "wandb-serviceaccount"
+variable "stackdriver_sa_name" {
+ description = "The name of the service account."
+ type = string
+ default = "wandb-stackdriver"
 }
 
 variable "enable_stackdriver" {
- type = bool
+ description = "Flag to indicate whether to enable workload identity for the service account."
+ type = bool
  default = false
-}
-
-variable "workload_account_id" {
- type = string
- default = "stackdriver"
-}
-
-variable "service_account_name" {
- type = string
- default = "stackdriver"
 }
diff --git a/variables.tf b/variables.tf
@@ -236,22 +236,6 @@ variable "size" {
  default = null
 }
 
-variable "create_workload_identity" {
- description = "Flag to indicate whether to create a workload identity for the service account."
- type = bool
- default = true
-}
-
-variable "kms_gcs_sa_id" {
- type = string
- default = "wandb-serviceaccount"
-}
-
-variable "kms_gcs_sa_name" {
- type = string
- default = "wandb-serviceaccount"
-}
-
 variable "weave_wandb_env" {
  type = map(string)
  description = "Extra environment variables for W&B"
@@ -270,17 +254,23 @@ variable "parquet_wandb_env" {
  default = {}
 }
 
-variable "enable_stackdriver" {
- type = bool
- default = false
+variable "create_workload_identity" {
+ description = "Flag to indicate whether to create a workload identity for the service account."
+ type = bool
+ default = true
 }
 
-variable "workload_account_id" {
+variable "kms_gcs_sa_name" {
  type = string
- default = "stackdriver"
+ default = "wandb-serviceaccount"
+}
+
+variable "enable_stackdriver" {
+ type = bool
+ default = true
 }
 
-variable "service_account_name" {
+variable "stackdriver_sa_name" {
  type = string
- default = "stackdriver"
+ default = "wandb-stackdriver"
 }