diff --git a/main.tf b/main.tf index 911ecb0..881cb9c 100644 --- a/main.tf +++ b/main.tf @@ -29,13 +29,12 @@ locals { } module "service_accounts" { - source = "./modules/service_accounts" - namespace = var.namespace - bucket_name = var.bucket_name - account_id = var.workload_account_id - service_account_name = var.service_account_name - enable_stackdriver = var.enable_stackdriver - depends_on = [module.project_factory_project_services] + source = "./modules/service_accounts" + namespace = var.namespace + bucket_name = var.bucket_name + stackdriver_sa_name = var.stackdriver_sa_name + enable_stackdriver = var.enable_stackdriver + depends_on = [module.project_factory_project_services] } module "kms" { @@ -87,7 +86,7 @@ module "app_gke" { network = local.network subnetwork = local.subnetwork service_account = module.service_accounts.service_account - create_workload_identity = var.enable_stackdriver + create_workload_identity = var.create_workload_identity depends_on = [module.project_factory_project_services] } @@ -261,10 +260,10 @@ module "wandb" { stackdriver = var.enable_stackdriver ? { install = true stackdriver = { - projectId = data.google_client_config.current.project - serviceAccountName = var.service_account_name + projectId = data.google_client_config.current.project + serviceAccountName = var.stackdriver_sa_name } - serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.monitoring_role } } + serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.stackdriver_email } } } : { install = false stackdriver = {} diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf index f799bab..457af76 100644 --- a/modules/service_accounts/main.tf +++ b/modules/service_accounts/main.tf 
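Review bot: `create_workload_identity = var.create_workload_identity` drops the invariant the replaced line enforced: Workload Identity on the cluster is now independent of `enable_stackdriver`, while the @@ -261 hunk still annotates the stackdriver KSA with `iam.gke.io/gcp-service-account` whenever `enable_stackdriver` is true. With `enable_stackdriver = true` (the new default in variables.tf) and `create_workload_identity = false`, the annotation is presumably inert and the exporter would run with whatever credentials the node exposes instead of the dedicated monitoring.viewer GSA — confirm against the app_gke module. Either derive the value as `create_workload_identity = var.create_workload_identity || var.enable_stackdriver`, or add a `check` block asserting `!var.enable_stackdriver || var.create_workload_identity` so the mismatch fails at plan time. The `module "app_gke"` block starts outside the hunk.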
@@ -63,29 +63,29 @@ resource "google_project_iam_member" "secretmanager_admin" { } -resource "google_service_account" "workload-identity-user-sa" { +resource "google_service_account" "stackdriver" { count = var.enable_stackdriver == true ? 1 : 0 - account_id = var.account_id + account_id = var.stackdriver_sa_name display_name = "Service Account For Workload Identity" } -resource "google_project_iam_member" "monitoring-role" { +resource "google_project_iam_member" "monitoring" { count = var.enable_stackdriver == true ? 1 : 0 project = local.project_id role = "roles/monitoring.viewer" - member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}" + member = "serviceAccount:${google_service_account.stackdriver[count.index].email}" } -resource "google_service_account_iam_member" "monitoring-role" { +resource "google_service_account_iam_member" "stackdriver_token_creator" { count = var.enable_stackdriver == true ? 1 : 0 - service_account_id = google_service_account.workload-identity-user-sa[count.index].id + service_account_id = google_service_account.stackdriver[count.index].id role = "roles/iam.serviceAccountTokenCreator" - member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}" + member = "serviceAccount:${google_service_account.stackdriver[count.index].email}" } -resource "google_service_account_iam_member" "workload_identity-role" { +resource "google_service_account_iam_member" "stackdriver_binding" { count = var.enable_stackdriver == true ? 1 : 0 - service_account_id = google_service_account.workload-identity-user-sa[count.index].id + service_account_id = google_service_account.stackdriver[count.index].id role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${local.project_id}.svc.id.goog[${var.stackdriver_namespace}/${var.service_account_name}]" + member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.stackdriver_sa_name}]" } \ No newline at end of file 
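Review bot: `stackdriver_binding` now hard-codes the `default` namespace in the Workload Identity member, even though the root module still passes `namespace = var.namespace` into this module and the wandb release's namespace is not visible here. If the chart's KSA is created in a namespace other than `default`, the binding silently never matches and the exporter runs without the GSA; conversely, any pod in `default` that can use a KSA of that name may impersonate the GSA, so if `var.namespace` is the release namespace the member should be `member = "serviceAccount:${local.project_id}.svc.id.goog[${var.namespace}/${var.stackdriver_sa_name}]"`. Separately, `stackdriver_token_creator` grants the GSA `roles/iam.serviceAccountTokenCreator` on itself; Workload Identity only needs the `workloadIdentityUser` binding, so unless the exporter explicitly mints tokens this self-grant looks droppable — confirm before removing. The `display_name` could also say what the account is for, e.g. `display_name = "wandb stackdriver exporter (monitoring.viewer via Workload Identity)"`.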
diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf index ba84de5..dfb57f2 100644 --- a/modules/service_accounts/outputs.tf +++ b/modules/service_accounts/outputs.tf @@ -4,6 +4,6 @@ output "service_account" { description = "The service account." } -output "monitoring_role" { - value = var.enable_stackdriver == true ? google_service_account.workload-identity-user-sa[0].email : null +output "stackdriver_email" { + value = var.enable_stackdriver == true ? google_service_account.stackdriver[0].email : null } \ No newline at end of file diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf index c8c55cc..65b56d0 100644 --- a/modules/service_accounts/variables.tf +++ b/modules/service_accounts/variables.tf @@ -9,12 +9,8 @@ variable "bucket_name" { default = "" } -variable "account_id" { - description = "The ID of the Google Cloud Platform (GCP) account." - type = string -} -variable "service_account_name" { +variable "stackdriver_sa_name" { description = "The name of the service account." type = string } @@ -23,8 +19,3 @@ variable "enable_stackdriver" { description = "Flag to indicate whether to enable workload identity for the service account." type = bool } - -variable "stackdriver_namespace" { - type = string - default = "default" -} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 924fbc8..7d2deef 100644 --- a/variables.tf +++ b/variables.tf @@ -256,15 +256,16 @@ variable "parquet_wandb_env" { variable "enable_stackdriver" { type = bool - default = false + default = true } -variable "workload_account_id" { - type = string - default = "wandb-stackdriver" +variable "create_workload_identity" { + description = "Flag to indicate whether to create a workload identity for the service account." + type = bool + default = true } -variable "service_account_name" { +variable "stackdriver_sa_name" { type = string default = "wandb-stackdriver" -} \ No newline at end of file +}
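Review bot: The module's variable descriptions no longer match what the variables do: `stackdriver_sa_name` is used both as the GSA `account_id` and as the Kubernetes ServiceAccount name inside the Workload Identity member, and the `enable_stackdriver` description still says it enables workload identity for the service account, which the root module now controls separately via `create_workload_identity`. Suggest `description = "Name used for both the stackdriver GSA account_id and the Kubernetes ServiceAccount bound to it via Workload Identity."` for the first and `description = "Create the stackdriver GSA with its monitoring.viewer and Workload Identity bindings."` for the second. The `variable "enable_stackdriver"` block starts outside the hunk.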
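Review bot: `stackdriver_sa_name` is fed straight into `google_service_account.account_id`, which must be 6–30 characters matching `[a-z]([-a-z0-9]*[a-z0-9])`, and into a Kubernetes ServiceAccount name, yet the variable carries no validation, so a bad value only surfaces at apply time. Add `validation { condition = can(regex("^[a-z][-a-z0-9]{4,28}[a-z0-9]$", var.stackdriver_sa_name)); error_message = "stackdriver_sa_name must be 6-30 lowercase letters, digits or hyphens, starting with a letter and ending with a letter or digit." }` under the variable. Flipping the `enable_stackdriver` default to `true` also means every deployment that relied on the old default will create a new GSA and a project-level IAM binding on its next apply; that is worth stating in a `description` on the variable, which both `enable_stackdriver` and `stackdriver_sa_name` currently lack.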