From b87803d9a945f880240f0bd50666c351e6bd2e7c Mon Sep 17 00:00:00 2001
From: Narmadha Koti
Date: Mon, 25 Apr 2022 15:26:51 -0400
Subject: [PATCH] Added service account for gke cluster
---
 cloud/gcp/gks.tf | 26 +++++++++++++++++++++++++-
 cloud/gcp/variables.tf | 10 +++++-----
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/cloud/gcp/gks.tf b/cloud/gcp/gks.tf
index 251db5be7..c91ef66bb 100644
--- a/cloud/gcp/gks.tf
+++ b/cloud/gcp/gks.tf
@@ -1,3 +1,13 @@
+resource "google_service_account" "gke" {
+ account_id = "gkeuser"
+ display_name = "GKE Service Account"
+ project = var.gcp_project_id
+}
+resource "google_project_iam_member" "gke_gcr_binding" {
+ project = var.gcp_project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.gke.email}"
+}
 #GKE CLUSTER
 resource "google_container_cluster" "udmi" {
 name = var.gke_cluster_name
@@ -7,7 +17,9 @@ resource "google_container_cluster" "udmi" {
 # We can't create a cluster with no node pool defined, but we want to only use
 # separately managed node pools. So we create the smallest possible default
 # node pool and immediately delete it.
-
+
+ remove_default_node_pool = true
+ initial_node_count = var.gke_initial_node_count
 network = var.create_vpc ? google_compute_network.vpc[0].name : null
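Review bot: The project-level `roles/storage.objectViewer` binding in `gke_gcr_binding` gives the node service account read access to every Cloud Storage bucket in the project, not only the registry bucket its name suggests, and no role is bound for the logging and monitoring scopes the node pool hunk later requests, so nodes running under `google_service_account.gke` will not be able to write logs or metrics. OAuth scopes only cap what a token may ask for; the actual permission comes from IAM. I would bind the minimal node roles with a `for_each` over a role list, narrow the storage grant to the registry bucket with `google_storage_bucket_iam_member` where the layout allows it, and prefer `roles/artifactregistry.reader` if images are served from Artifact Registry. The `account_id = "gkeuser"` literal could also follow the file's habit of taking names from variables, which is a style point.
```hcl
# … unchanged: google_service_account.gke, google_project_iam_member.gke_gcr_binding …
# Minimal roles a GKE node service account needs; scopes alone grant nothing.
resource "google_project_iam_member" "gke_node_roles" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ])
  project = var.gcp_project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke.email}"
}
# … unchanged: google_container_cluster.udmi …
```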
@@ -25,23 +37,34 @@ resource "google_container_node_pool" "node_pool" {
 # preemptible = true
 machine_type = var.gke_machine_type
+
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ service_account = google_service_account.gke.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring"
+ ]
 metadata = {
 disable-legacy-endpoints = "true"
 }
 }
 }
+#This resource creates static IP
 resource "google_compute_global_address" "udmi_global_address"{
 name = "udmi-global-address"
 project = var.gcp_project_id
 }
+#This resource creates clouddns entry
 resource "google_dns_managed_zone" "udmi_dns_zone" {
 name = var.gcp_project_name
 dns_name = var.dns_name
 project = var.gcp_project_id
 }
+#This resource creates A record in cloud dns
 resource "google_dns_record_set" "dns_record" {
 project = var.gcp_project_id
 managed_zone = var.gcp_project_name
@@ -51,6 +74,7 @@ resource "google_dns_record_set" "dns_record" {
 rrdatas = ["${google_compute_global_address.udmi_global_address.address}"]
 }
+#This resouce creates ssl certs
 resource "google_compute_managed_ssl_certificate" "udmi_ssl_certs" {
 name = "udmi-ssl"
 project = var.gcp_project_id
diff --git a/cloud/gcp/variables.tf b/cloud/gcp/variables.tf
index ff008f9f5..6fb06cf1b 100644
--- a/cloud/gcp/variables.tf
+++ b/cloud/gcp/variables.tf
@@ -69,7 +69,7 @@ variable "gke_cluster_name" {
 variable "gke_node_pool_name" {
 type = string
- default = "udmi"
+ default = "udmi-pool"
 description = "The name of the node pool"
 }
 variable "gke_cluster_location" {
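Review bot: The `cloud-platform` scope in the new `oauth_scopes` list already covers everything `logging.write` and `monitoring` allow, so the two narrower entries are redundant, and the recommendation quoted in the comment above them is a single cloud-platform scope with access controlled through IAM, which would read `oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]`. Separately, changing `service_account` inside `node_config` on an existing `google_container_node_pool` forces replacement of the pool on the provider versions I know of, and the `gke_node_pool_name` default change from `udmi` to `udmi-pool` in the variables.tf hunk of this patch does the same, so an apply against an already-deployed cluster will destroy and recreate the node pool; that deserves a line in the commit message. The `node_config` block this hunk edits starts before the hunk.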
@@ -80,23 +80,23 @@ variable "gke_cluster_location" {
 variable "gke_machine_type" {
 type = string
 default = "e2-standard-2"
- description = "Type of machine"
+ description = "The name of a Google Compute Engine machine type"
 }
 #cloud DNS variables
 variable "dns_name" {
 type = string
- description = "DNS name"
+ description = "The DNS name of this managed zone, for instance"
 }
 #ssl variable
 variable "ssl_domains" {
 type = list(string)
- description = "list of domain names"
+ description = "Domains for which a managed SSL certificate will be valid"
 }
 ##vpc variables##
 variable "gcp_vpc_name" {
 type = string
 default = "udmi"
- description = "vpc name"
+ description = "Name of the VPC will be created"
 }
 variable "ip_cidr_range" {
 type = string
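Review bot: Two of the new descriptions read as unfinished: `description = "The DNS name of this managed zone, for instance"` stops before the example it announces, and `description = "Name of the VPC will be created"` is missing a word. I would write `description = "The DNS name of this managed zone, for instance \"example.com.\""` and `description = "Name of the VPC that will be created"`. Keeping the example is useful here because a Cloud DNS managed zone expects a fully-qualified `dns_name` ending in a dot, which callers supplying `var.dns_name` would otherwise only learn from the apply error.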