feat: add ability to impersonate for kubectl-wrapper module (#91)

sig-bhutwala · web-flow · commit 0d4e6f3e69e5 · 2021-05-08T15:59:37.000-05:00
* add ability to impersonate for kubectl-wrapper module

* use make generate_docs

* make it backwards compatible

* fix conditional and ci

* flip the ternary

* terraform fmt

* try with a true flag

* shift additional 2 in case of service impersonation
diff --git a/modules/kubectl-wrapper/README.md b/modules/kubectl-wrapper/README.md
@@ -31,6 +31,7 @@ module "kubectl" {
 | create\_cmd\_triggers | List of any additional triggers for the create command execution. | map | `<map>` | no |
 | enabled | Flag to optionally disable usage of this module. | bool | `"true"` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to download. | string | `"281.0.0"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | string | `""` | no |
 | internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no |
 | kubectl\_create\_command | The kubectl command to create resources. | string | n/a | yes |
 | kubectl\_destroy\_command | The kubectl command to destroy resources. | string | n/a | yes |
diff --git a/modules/kubectl-wrapper/main.tf b/modules/kubectl-wrapper/main.tf
@@ -29,8 +29,8 @@ module "gcloud_kubectl" {
   service_account_key_file = var.service_account_key_file
 
   create_cmd_entrypoint  = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body        = "${local.base_cmd} ${var.kubectl_create_command}"
+  create_cmd_body        = var.impersonate_service_account == "" ? "${local.base_cmd} ${var.kubectl_create_command}" : "${local.base_cmd} true ${var.impersonate_service_account} ${var.kubectl_create_command}"
   create_cmd_triggers    = var.create_cmd_triggers
   destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "${local.base_cmd} ${var.kubectl_destroy_command}"
+  destroy_cmd_body       = var.impersonate_service_account == "" ? "${local.base_cmd} ${var.kubectl_destroy_command}" : "${local.base_cmd} true ${var.impersonate_service_account} ${var.kubectl_destroy_command}"
 }
diff --git a/modules/kubectl-wrapper/scripts/kubectl_wrapper.sh b/modules/kubectl-wrapper/scripts/kubectl_wrapper.sh
@@ -26,6 +26,8 @@ LOCATION=$2
 PROJECT_ID=$3
 INTERNAL=$4
 USE_EXISTING_CONTEXT=$5
+ENABLE_IMPERSONATE_SERVICE_ACCOUNT=$6
+IMPERSONATE_SERVICE_ACCOUNT=$7
 
 shift 5
 
@@ -50,6 +52,10 @@ else
     LOCATION_TYPE=$(grep -o "-" <<< "${LOCATION}" | wc -l)
 
     CMD="gcloud container clusters get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
+    if [[ "${ENABLE_IMPERSONATE_SERVICE_ACCOUNT}" == true ]]; then
+      CMD+=" --impersonate-service-account ${IMPERSONATE_SERVICE_ACCOUNT}"
+      shift 2
+    fi
 
     if [[ $LOCATION_TYPE -eq 2 ]] ;then
         CMD+=" --zone ${LOCATION}"
diff --git a/modules/kubectl-wrapper/variables.tf b/modules/kubectl-wrapper/variables.tf
@@ -98,3 +98,9 @@ variable "service_account_key_file" {
   description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
   default     = ""
 }
+
+variable "impersonate_service_account" {
+  type        = string
+  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+  default     = ""
+}
