terraform-kubernetes-ddm-platform-deployment/kubernetes_service_account.tf at main · deseretdigital/terraform-kubernetes-ddm-platform-deployment · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
module "deployment_workload_identity" {
  count = local.enable_workload_identity ? 1 : 0

  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version = "~> 41.0"

  # Core configuration
  name         = local.service_account_name
  namespace    = data.kubernetes_namespace.deployment_namespace.id
  cluster_name = var.gke_cluster_name
  project_id   = var.project
  location     = var.gke_location
  roles        = var.roles

  # Optional configurations
  use_existing_gcp_sa             = var.use_existing_gcp_sa
  gcp_sa_name                     = var.use_existing_gcp_sa ? null : local.service_account_name
  annotate_k8s_sa                 = !var.use_existing_gcp_sa
  automount_service_account_token = var.automount_service_account_token
}

# Create a basic Kubernetes service account when workload identity is not enabled
resource "kubernetes_service_account" "basic" {
  count = local.enable_workload_identity ? 0 : 1

  metadata {
    name      = local.service_account_name
    namespace = data.kubernetes_namespace.deployment_namespace.id
    labels    = local.labels
  }

  automount_service_account_token = var.automount_service_account_token
}