From 7eb89f7456acffb0f123b423ed7833e983a82563 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20W=C3=BCrbach?=
Date: Tue, 13 Feb 2024 18:13:30 +0100
Subject: [PATCH] fix: create service-account only when needed
---
 humanitec-resource-defs/k8s/service-account/main.tf | 2 ++
 modules/gcp-service-account/workload/bindings.tf | 2 +-
 modules/gcp-service-account/workload/main.tf | 9 +++++++--
 modules/gcp-service-account/workload/outputs.tf | 2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/humanitec-resource-defs/k8s/service-account/main.tf b/humanitec-resource-defs/k8s/service-account/main.tf
index 450fe92..0c4e169 100644
--- a/humanitec-resource-defs/k8s/service-account/main.tf
+++ b/humanitec-resource-defs/k8s/service-account/main.tf
@@ -23,7 +23,9 @@ serviceaccount.yaml:
   metadata:
   name: $${resources.gcp-service-account.outputs.k8s_service_account_name}
   annotations:
+  {{- if "$${resources.gcp-service-account.outputs.email}" }}
   iam.gke.io/gcp-service-account: $${resources.gcp-service-account.outputs.email}
+  {{- end }}
   context: {{trimPrefix "modules." "$${context.res.id}"}}
   res: $${context.res.id}
   app: $${context.app.id}
diff --git a/modules/gcp-service-account/workload/bindings.tf b/modules/gcp-service-account/workload/bindings.tf
index 8ca5a89..4e96340 100644
--- a/modules/gcp-service-account/workload/bindings.tf
+++ b/modules/gcp-service-account/workload/bindings.tf
@@ -10,5 +10,5 @@ resource "google_storage_bucket_iam_member" "main" {
   bucket = each.value["bucket"]
   role = each.value["role"]
-  member = "serviceAccount:${google_service_account.main.email}"
+  member = "serviceAccount:${google_service_account.main[0].email}"
 }
diff --git a/modules/gcp-service-account/workload/main.tf b/modules/gcp-service-account/workload/main.tf
index 64600fb..92e2f46 100644
--- a/modules/gcp-service-account/workload/main.tf
+++ b/modules/gcp-service-account/workload/main.tf
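Review bot: The new `{{- if ... }}` guard keys the workload-identity annotation off the rendered email being a non-empty string, which is a contract with the module's `email` output returning `""` rather than null when no account is created, and with the `$${...}` placeholder being substituted before what appears to be a Go template is evaluated; neither dependency is stated here. A template comment next to the guard would make it visible, e.g. `{{/* bind a GCP identity only when the gcp-service-account module created one; its email output is "" otherwise */}}`. Dropping the annotation entirely rather than rendering it with an empty value is the safer shape: the Kubernetes service account then carries no GCP identity at all unless the module actually granted one. The surrounding manifest template starts above the hunk.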
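Review bot: The new `google_service_account.main[0]` index on the member line is only safe because `local.account_required` (defined in main.tf as `length(var.bindings) + length(var.roles) > 0`) is true whenever `var.bindings` is non-empty, so this `for_each` (presumably over `var.bindings`) never instantiates while the account list is empty; that invariant lives in another file and is easy to break if a third trigger is added later. A one-line comment would pin it: `# [0] is safe: local.account_required is true whenever var.bindings is non-empty`. The same applies to `google_project_iam_member.role` in main.tf, which now indexes `[0]` under the matching assumption about `var.roles`. The enclosing resource block starts above the hunk.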
@@ -1,8 +1,11 @@
 locals {
   k8s_service_account_name = "${var.app_id}-${var.env_id}-${trimprefix(var.res_id, "modules.")}"
+  account_required = length(var.bindings) + length(var.roles) > 0
 }
 
 resource "google_service_account" "main" {
+  count = local.account_required ? 1 : 0
+
   display_name = "${var.prefix}workload service account"
   account_id = "${var.prefix}workload"
 }
@@ -12,11 +15,13 @@ resource "google_project_iam_member" "role" {
   project = var.project
   role = each.key
-  member = "serviceAccount:${google_service_account.main.email}"
+  member = "serviceAccount:${google_service_account.main[0].email}"
 }
 
 resource "google_service_account_iam_member" "workload_identity_k8s_service_account" {
-  service_account_id = google_service_account.main.name
+  count = local.account_required ? 1 : 0
+
+  service_account_id = google_service_account.main[0].name
   role = "roles/iam.workloadIdentityUser"
   member = "serviceAccount:${var.project}.svc.id.goog[${var.namespace}/${local.k8s_service_account_name}]"
 }
diff --git a/modules/gcp-service-account/workload/outputs.tf b/modules/gcp-service-account/workload/outputs.tf
index 25c46d0..b7fd101 100644
--- a/modules/gcp-service-account/workload/outputs.tf
+++ b/modules/gcp-service-account/workload/outputs.tf
@@ -1,5 +1,5 @@
 output "email" {
-  value = google_service_account.main.email
+  value = local.account_required ? google_service_account.main[0].email : ""
 }
 
 output "k8s_service_account_name" {
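Review bot: Adding `count` to `google_service_account.main` here (and to `google_service_account_iam_member.workload_identity_k8s_service_account` in the second hunk) changes both resource addresses to `[0]`, so every existing deployment of this module will plan a destroy-and-recreate of its service account and workload-identity binding on the next apply rather than a no-op. Recreating the account is more than downtime: IAM bindings elsewhere that name the old account may end up pointing at a deleted principal, and during the window the workload has no GCP identity. `moved` blocks (Terraform 1.1 and later) turn the rename into a state-only change; adding them beside the resources keeps the fix safe to roll out. The `account_required` gate itself is a good least-privilege default and deserves a comment such as `# only provision a GCP identity when something will actually be granted to it`.
```hcl
# … unchanged: locals and resource "google_service_account" "main" …

moved {
  from = google_service_account.main
  to   = google_service_account.main[0]
}

moved {
  from = google_service_account_iam_member.workload_identity_k8s_service_account
  to   = google_service_account_iam_member.workload_identity_k8s_service_account[0]
}
```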
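Review bot: The `email` output now returns `""` rather than null when no account exists, and that empty string is load-bearing: the k8s service-account definition's `{{- if }}` guard relies on it being falsy to omit the workload-identity annotation. A comment on the output would record the contract, e.g. `# "" (not null) when no account is created; consumers test this to decide whether to attach a GCP identity`. A later refactor to `one(google_service_account.main[*].email)` would yield null instead, which the placeholder substitution may not treat the same way, so the sentinel should be stated explicitly.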