This document summarizes the Google Cloud Platform provider optimization and enhancements made to the Terraform Kubernetes deployment module, including the major version upgrade to v7.
- Previous:
~> 6.0(any version 6.x) - Updated:
~> 7.0(version 7.x - major upgrade) - Current Lock:
7.9.0
- Previous:
~> 33.0 - Updated:
~> 41.0 - Reason: Required for Google provider v7 compatibility
- Latest Major Release: Version 7.x is the current major release
- Improved Stability: Better resource handling and state management
- Enhanced Features: New capabilities and optimizations
- Better Error Messages: Clearer validation and error reporting
- Performance: General performance improvements across resources
- Future-Proof: Staying current with latest provider development
For This Module: NO BREAKING CHANGES
Since this module doesn't use direct Google provider resources (only the workload-identity submodule), the v7 upgrade is completely transparent. All breaking changes in v7 affect direct resource usage, which this module doesn't have.
General v7 Breaking Changes (not affecting this module):
- Some resource attribute name changes
- Updated default values for certain resources
- Deprecated resource removal
- API behavior changes
For module users: The upgrade to v7 requires no code changes. Simply update your provider version constraint.
- Added:
required_version = ">= 1.3" - Reason: Better support for optional attributes in object types
- Enables cleaner variable definitions with
optional()modifier
Purpose: Allow reuse of existing GCP service accounts instead of always creating new ones.
Variables Added:
variable "use_existing_gcp_sa" {
description = "Use an existing GCP service account"
type = bool
default = false
}
variable "existing_gcp_sa_email" {
description = "Email of existing GCP service account"
type = string
default = null
}Use Case:
- Shared service accounts across multiple workloads
- Pre-configured permissions in centralized IAM
- Reduced service account sprawl
- Compliance with organizational policies
Example:
module "deployment" {
source = "..."
project = "my-project"
gke_cluster_name = "my-cluster"
use_existing_gcp_sa = true
existing_gcp_sa_email = "shared-sa@project.iam.gserviceaccount.com"
}Purpose: Enhanced security by controlling whether service account tokens are automatically mounted.
Variable Added:
variable "automount_service_account_token" {
description = "Whether to automount the service account token in pods"
type = bool
default = true
}Security Benefits:
- Prevents unnecessary token exposure
- Follows principle of least privilege
- Recommended when using workload identity (tokens not needed in containers)
- Reduces attack surface
Example:
module "deployment" {
source = "..."
project = "my-project"
gke_cluster_name = "my-cluster"
automount_service_account_token = false # Enhanced security
}Purpose: Proper configuration for regional and zonal GKE clusters.
Variable Added:
variable "gke_location" {
description = "The location (region or zone) of the GKE cluster"
type = string
default = null
}Benefits:
- Required for some GCP APIs and features
- Better alignment with actual cluster configuration
- Enables region-specific optimizations
- Proper workload identity configuration
Example:
# Regional cluster
module "deployment" {
source = "..."
project = "my-project"
gke_cluster_name = "my-regional-cluster"
gke_location = "us-central1"
}
# Zonal cluster
module "deployment" {
source = "..."
project = "my-project"
gke_cluster_name = "my-zonal-cluster"
gke_location = "us-central1-a"
}Variable Added:
variable "gcp_service_account_description" {
description = "Description for the GCP service account"
type = string
default = null
}Benefits:
- Better documentation of service accounts in GCP Console
- Easier auditing and compliance
- Clearer purpose identification
Before:
module "deployment_workload_identity" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
name = var.service_account_name
namespace = data.kubernetes_namespace.deployment_namespace.id
cluster_name = var.gke_cluster_name
project_id = var.project
roles = var.roles
}After:
module "deployment_workload_identity" {
count = local.enable_workload_identity ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
version = "~> 33.0"
# Core configuration
name = local.service_account_name
namespace = data.kubernetes_namespace.deployment_namespace.id
cluster_name = var.gke_cluster_name
project_id = var.project
location = var.gke_location
roles = var.roles
# Optional configurations
use_existing_gcp_sa = var.use_existing_gcp_sa
gcp_sa_name = var.use_existing_gcp_sa ? null : local.service_account_name
annotate_k8s_sa = !var.use_existing_gcp_sa
automount_service_account_token = var.automount_service_account_token
}Key Improvements:
- Conditional Creation: Only creates when needed
- Version Constraint: Ensures compatibility
- Location Support: Properly configured for regional/zonal clusters
- Existing SA Support: Can use pre-existing service accounts
- Token Control: Security-enhanced token mounting
All new variables have sensible defaults that maintain v3.x behavior:
use_existing_gcp_sa = false(create new SA)automount_service_account_token = true(mount token)gke_location = null(optional)gcp_service_account_description = null(optional)existing_gcp_sa_email = null(optional)
Users can upgrade without changes, but can opt-in to new features:
# Minimal upgrade - no changes needed
module "deployment" {
source = "..."
version = "~> 3.0" # Just update version
# Existing configuration works as-is
project = "my-project"
gke_cluster_name = "my-cluster"
}
# Enhanced upgrade - use new features
module "deployment" {
source = "..."
version = "~> 3.0"
project = "my-project"
gke_cluster_name = "my-cluster"
gke_location = "us-central1"
automount_service_account_token = false
}locals {
enable_workload_identity = var.project != null && var.gke_cluster_name != null
}This ensures:
- Workload identity only enabled when both project and cluster are specified
- Falls back to basic K8s service account when GCP not configured
- Clean separation of GCP vs non-GCP deployments
# GCP workload identity (conditional)
module "deployment_workload_identity" {
count = local.enable_workload_identity ? 1 : 0
# ...
}
# Basic Kubernetes service account (fallback)
resource "kubernetes_service_account" "basic" {
count = local.enable_workload_identity ? 0 : 1
# ...
}- Basic upgrade: Update version only, verify existing behavior
- New SA creation: Default behavior (should work as before)
- Existing SA: Test
use_existing_gcp_sa = true - No token mount: Test
automount_service_account_token = false - Regional cluster: Specify
gke_location - Non-GCP: Omit project/cluster, verify K8s SA creation
# 1. Update module version
terraform init -upgrade
# 2. Review planned changes
terraform plan
# 3. Verify no unexpected changes to existing resources
# Look for: resource replacements, permission changes
# 4. Apply in non-production first
terraform apply
# 5. Verify workload identity bindings
gcloud iam service-accounts get-iam-policy <SA_EMAIL>
# 6. Test application can access GCP resources
kubectl exec <pod> -- gcloud auth listRecommended Configuration:
module "deployment" {
source = "..."
# Use workload identity (no long-lived keys)
project = "my-project"
gke_cluster_name = "my-cluster"
# Don't automount token (enhanced security)
automount_service_account_token = false
# Minimal permissions (specify only needed roles)
roles = [
"roles/secretmanager.secretAccessor"
]
}- No service account keys: Workload identity eliminates JSON keys
- Reduced attack surface: Token mounting disabled when not needed
- Principle of least privilege: Explicit role specification
- Audit trail: GCP Cloud Audit Logs track all access
- Automatic rotation: Tokens automatically rotated by GKE
- No runtime performance impact
- Slight improvement in
terraform plantime (conditional resources) - Better state file size (fewer resources when not using GCP)
- With existing SA: Faster (skip SA creation)
- With new SA: Same as before
- Without GCP: Faster (only K8s resources)
- main.tf: Provider version constraints
- variables.tf: New GCP-related variables
- kubernetes_service_account.tf: Enhanced workload identity config
- README.md: New usage examples
- MIGRATION.md: Upgrade guide with GCP enhancements
- CHANGES.md: Detailed change log
- Compatibility matrix (Terraform, provider versions)
- GCP-specific features and examples
- Security best practices
- Migration guide for existing users
- Testing and validation procedures
- Custom IAM conditions: Add support for conditional IAM bindings
- Multiple service accounts: Support per-container service accounts
- VPC-SC support: Add VPC Service Controls configuration
- Binary authorization: Integration with Binary Authorization
- GKE metadata: Expose more cluster metadata options
- Workload Identity Federation: Support for external identity providers
- Monitor issues for feature requests
- Track Google provider releases for new capabilities
- Stay aligned with GKE best practices
- Consider GKE Autopilot-specific optimizations
The Google provider optimization enhances the module's GCP integration while maintaining:
- Backwards compatibility: Existing configurations work unchanged
- Flexibility: New features are opt-in
- Security: Enhanced security posture options
- Best practices: Aligned with Google Cloud best practices
- Performance: Minimal overhead, potential improvements
Users can upgrade seamlessly and gradually adopt new features as needed.