Stabilize first-run GCP BYOC provisioning#24
Stabilize first-run GCP BYOC provisioning#24Alexey Soldatchenko (soldatchenko) wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
This avoids deriving the Workload Identity member from the project data source inside this submodule. During first run GKE creation, the real workload pool is produced by the cluster, and passing it explicitly prevents TF from evaluating a null/unknown project value before the cluster output is available. The resulting IAM member is still the same format: serviceAccount:<project>.svc.id.goog[namespace/service-account].
There was a problem hiding this comment.
This replaces manual construction of the GCS service agent email with the provider data source for the project’s actual Cloud Storage service agent. In normal projects this resolves to the same service-<project-number>@gs-project-accounts.iam.gserviceaccount.com identity, but it is more reliable for fresh BYOC projects because it asks GCP for the service agent instead of assuming it already exists and matching the naming convention.
There was a problem hiding this comment.
This keeps the existing-cluster path working. When deploy_gke_cluster = true, we use the workload pool returned by the cluster this module creates. When deploy_gke_cluster = false, there is no module.gke-cluster[0] to read from, but gke-iam still needs a workload pool to create the K8s service account IAM bindings. The fallback preserves the existing default GKE Workload Identity pool format: <project-id>.svc.id.goog.
1 participant
Adds first-run stability fixes for GCP BYOC deployments.
google_storage_project_service_accountinstead of constructing the GCS service-agent email manuallydatabase_encryption.statereadback to avoid Terraform drift when GKE reports a more specific encryption state than the provider accepts as inputBackward compatibility: