deploy-gke: grant WIF access to gke clusters (#68)

Closes #67 --------- Co-authored-by: JeromeJu <jeromeju@google.com>
google-github-actions · May 2, 2024 · 984157b · 984157b
1 parent 1253792
commit 984157b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/main.tf b/main.tf
@@ -40,6 +40,7 @@ resource "google_project_service" "services" {
     "compute.googleapis.com",
     "connectgateway.googleapis.com",
     "container.googleapis.com",
+    "containersecurity.googleapis.com",
     "gkehub.googleapis.com",
     "iam.googleapis.com",
     "iamcredentials.googleapis.com",

diff --git a/project_deploy-gke.tf b/project_deploy-gke.tf
@@ -31,8 +31,8 @@ module "deploy-gke" {
   repo_variables = {
     "IMAGE"          = "nginx:latest"
     "APP_NAME"       = "deploy-gke-app"
-    "CLUSTER_REGION" = google_container_cluster.deploy_gke.location
-    "CLUSTER_NAME"   = google_container_cluster.deploy_gke.name
+    "CLUSTER_REGION" = google_container_cluster.deploy-gke.location
+    "CLUSTER_NAME"   = google_container_cluster.deploy-gke.name
     "NAMESPACE"      = "deploy-gke-ns"
     "EXPOSE"         = "80"
   }
@@ -71,14 +71,15 @@ resource "google_compute_subnetwork" "deploy-gke" {
   }
 }
 
-resource "google_container_cluster" "deploy_gke" {
+resource "google_container_cluster" "deploy-gke" {
   name     = "deploy-gke-cluster"
   location = google_compute_subnetwork.deploy-gke.region
   network  = google_compute_network.network.id
 
   enable_autopilot         = true
   enable_l4_ilb_subsetting = true
   deletion_protection      = false
+  initial_node_count       = 1
 
   subnetwork = google_compute_subnetwork.deploy-gke.id
 
@@ -102,8 +103,8 @@ resource "google_container_cluster" "deploy_gke" {
   ]
 }
 
-# Grant the custom service account permissions to manage gke resources.
-resource "google_project_iam_member" "deploy-gke-roles" {
+# Grant the WIF permissions to manage gke resources.
+resource "google_project_iam_member" "deploy-gke-direct-permissions" {
   for_each = toset([
     "roles/container.developer",
 
@@ -113,5 +114,5 @@ resource "google_project_iam_member" "deploy-gke-roles" {
 
   project = data.google_project.project.project_id
   role    = each.value
-  member  = "serviceAccount:${module.deploy-gke.service_account_email}"
+  member  = "principalSet://iam.googleapis.com/${module.deploy-gke.workload_identity_pool_name}/*"
 }
diff --git a/project_get-gke-credentials.tf b/project_get-gke-credentials.tf
@@ -85,6 +85,7 @@ resource "google_container_cluster" "get-gke-credentials-public" {
   enable_autopilot         = true
   enable_l4_ilb_subsetting = true
   deletion_protection      = false
+  initial_node_count       = 1
 
   network    = google_compute_network.network.id
   subnetwork = google_compute_subnetwork.get-gke-credentials-public.id
@@ -139,6 +140,7 @@ resource "google_container_cluster" "get-gke-credentials-private" {
   enable_autopilot         = true
   enable_l4_ilb_subsetting = true
   deletion_protection      = false
+  initial_node_count       = 1
 
   network    = google_compute_network.network.id
   subnetwork = google_compute_subnetwork.get-gke-credentials-private.id