From 5723fb976d4d3ba9d02ff348468145ac2f89c76c Mon Sep 17 00:00:00 2001
From: SudharsaneSivamany
Date: Mon, 27 Feb 2023 07:08:53 +0000
Subject: [PATCH 1/3] feat: Workload Identity module, to bind roles in various projects for the service account created
---
 modules/workload-identity/README.md | 4 ++--
 modules/workload-identity/main.tf | 4 ++--
 modules/workload-identity/variables.tf | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 76c68883d..c52cd8de5 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -24,7 +24,7 @@ module "my-app-workload-identity" {
 name = "my-application-name"
 namespace = "default"
 project_id = "my-gcp-project-name"
- roles = ["roles/storage.admin", "roles/compute.admin"]
+ roles = ["my-gcp-project-name-1=>roles/storage.admin", "my-gcp-project-name-2=>roles/compute.admin"]
 }
 ```
@@ -109,7 +109,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
 | project\_id | GCP project ID | `string` | n/a | yes |
-| roles | A list of roles to be added to the created service account | `list(string)` | `[]` | no |
+| roles | A list of roles to be added to the created service account for specific projects | `list(string)` | `[]` | no |
 | use\_existing\_context | An optional flag to use local kubectl config context. | `bool` | `false` | no |
 | use\_existing\_gcp\_sa | Use an existing Google service account instead of creating one | `bool` | `false` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | `bool` | `false` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index f029692be..5dda5ca62 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -85,7 +85,7 @@ resource "google_service_account_iam_member" "main" {
 resource "google_project_iam_member" "workload_identity_sa_bindings" {
 for_each = toset(var.roles)
- project = var.project_id
- role = each.value
+ project = element(split("=>", each.value), 0)
+ role = element(split("=>", each.value), 1)
 member = local.gcp_sa_fqn
 }
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 1e1c9b931..0024e2974 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -85,7 +85,7 @@ variable "automount_service_account_token" {
 }
 variable "roles" {
- description = "A list of roles to be added to the created service account"
+ description = "A list of roles to be added to the created service account for specific projects"
 type = list(string)
 default = []
 }
From a3be7d49fb6c1abcf8883dbbfea4ed0808bb350e Mon Sep 17 00:00:00 2001
From: SudharsaneSivamany
Date: Sat, 25 Mar 2023 01:11:13 +0000
Subject: [PATCH 2/3] feat: Workload Identity module, to bind roles in various projects for the service account created
---
 modules/workload-identity/README.md | 15 +++++++++------
 modules/workload-identity/main.tf | 8 ++++++++
 modules/workload-identity/variables.tf | 8 +++++++-
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 58d584f12..f6ceed228 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
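Review bot: `element(split("=>", each.value), 1)` in the `workload_identity_sa_bindings` hunk wraps around when an entry has no `=>` (Terraform's `element` takes the index modulo the list length), so an existing caller's `roles = ["roles/storage.admin"]` would yield `project = "roles/storage.admin"` as well as `role = "roles/storage.admin"` instead of a clear error — a silent breaking change to the `roles` contract. Patches 2/3 of this series restore `project = var.project_id` and move the cross-project form into `additional_projects`, so the `=>` encoding here, in the patch-1 README and variables.tf hunks, and in the patch-2 main.tf hunk is only transient; squashing the series would keep that intermediate state (and its different `for_each` keys) out of history. If a string encoding were ever kept, the minimum guard would be a `lifecycle` `precondition` asserting `length(split("=>", each.value)) == 2` with an explanatory `error_message`.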
@@ -20,11 +20,13 @@ Note: This module currently supports Kubernetes <= 1.23.
 ```hcl
 module "my-app-workload-identity" {
- source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- name = "my-application-name"
- namespace = "default"
- project_id = "my-gcp-project-name"
- roles = ["my-gcp-project-name-1=>roles/storage.admin", "my-gcp-project-name-2=>roles/compute.admin"]
+ source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+ name = "my-application-name"
+ namespace = "default"
+ project_id = "my-gcp-project-name"
+ roles = ["roles/storage.admin", "roles/compute.admin"]
+ additional_projects = {"my-gcp-project-name1" : ["roles/storage.admin", "roles/compute.admin"],
+ "my-gcp-project-name2" : ["roles/storage.admin", "roles/compute.admin"]}
 }
 ```
@@ -99,6 +101,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| additional\_projects | A list of roles to be added to the created service account for additional projects | `map(list(string))` | `{}` | no |
 | annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no |
 | automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no |
 | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
@@ -111,7 +114,7 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | `string` | n/a | yes |
 | namespace | Namespace for the Kubernetes service account | `string` | `"default"` | no |
 | project\_id | GCP project ID | `string` | n/a | yes |
-| roles | A list of roles to be added to the created service account for specific projects | `list(string)` | `[]` | no |
+| roles | A list of roles to be added to the created service account | `list(string)` | `[]` | no |
 | use\_existing\_context | An optional flag to use local kubectl config context. | `bool` | `false` | no |
 | use\_existing\_gcp\_sa | Use an existing Google service account instead of creating one | `bool` | `false` | no |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | `bool` | `false` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 5dda5ca62..fc68a5f60 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -85,6 +85,14 @@ resource "google_service_account_iam_member" "main" {
 resource "google_project_iam_member" "workload_identity_sa_bindings" {
 for_each = toset(var.roles)
+ project = var.project_id
+ role = each.value
+ member = local.gcp_sa_fqn
+}
+
+resource "google_project_iam_member" "workload_identity_sa_bindings_additional_projects" {
+ for_each = toset(distinct(flatten([for project, roles in var.additional_projects : [for role in roles : join("=>", [project, role])]])))
+
 project = element(split("=>", each.value), 0)
 role = element(split("=>", each.value), 1)
 member = local.gcp_sa_fqn
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 0024e2974..2d5fc6f6f 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -85,7 +85,7 @@ variable "automount_service_account_token" {
 }
 variable "roles" {
- description = "A list of roles to be added to the created service account for specific projects"
+ description = "A list of roles to be added to the created service account"
 type = list(string)
 default = []
 }
@@ -107,3 +107,9 @@ variable "module_depends_on" {
 type = list(any)
 default = []
 }
+
+variable "additional_projects" {
+ description = "A list of roles to be added to the created service account for additional projects"
+ type = map(list(string))
+ default = {}
+}
From 196dcfb04c7ee1deb17b32c94ca3985982390fae Mon Sep 17 00:00:00 2001
From: SudharsaneSivamany
Date: Tue, 4 Apr 2023 18:29:36 +0000
Subject: [PATCH 3/3] feat: Workload Identity module, to bind roles in various projects for the service account created
---
 modules/workload-identity/main.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index fc68a5f60..af5706389 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -28,6 +28,8 @@ locals {
 k8s_sa_project_id = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id
 k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"
+
+ sa_binding_additional_project = distinct(flatten([for project, roles in var.additional_projects : [for role in roles : { project_id = project, role_name = role }]]))
 }
 data "google_service_account" "cluster_service_account" {
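Review bot: The `additional_projects` variable's description in the `@@ -107,3 +107,9 @@` hunk says "A list of roles" while its type is `map(list(string))` keyed by project ID, and the README table row added in the patch-2 README hunk repeats the same wording, so a reader cannot tell from the docs what the map keys are. I would write `description = "Map of additional project IDs to the list of roles to grant the created service account in each of those projects"` and regenerate the README table from it. It is also worth stating there that every key is an IAM grant outside `var.project_id`: the identity running `terraform apply` must be able to set IAM policy on each listed project, and each entry widens what the workload's GCP service account can reach, so callers should keep the lists minimal.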
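Review bot: `local.sa_binding_additional_project` in the `locals` hunk deduplicates pairs only within `additional_projects`; if a caller lists `var.project_id` itself as a key with a role that is also in `var.roles`, the same (project, role, member) binding is, as far as I can tell, managed twice — once by `workload_identity_sa_bindings` and once by `workload_identity_sa_bindings_additional_projects` — and destroying or changing either resource would remove a binding the other still expects to exist. Either document that `additional_projects` must not contain `var.project_id`, or exclude it in the comprehension with `[for project, roles in var.additional_projects : [for role in roles : { project_id = project, role_name = role }] if project != var.project_id]`. A why-comment above the local, e.g. `# One {project_id, role_name} object per cross-project grant; distinct() drops duplicates within a project's role list`, would also help, since the local's name is singular while the resource it feeds is plural.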
@@ -91,9 +93,9 @@ resource "google_project_iam_member" "workload_identity_sa_bindings" {
 }
 resource "google_project_iam_member" "workload_identity_sa_bindings_additional_projects" {
- for_each = toset(distinct(flatten([for project, roles in var.additional_projects : [for role in roles : join("=>", [project, role])]])))
+ for_each = { for entry in local.sa_binding_additional_project : "${entry.project_id}.${entry.role_name}" => entry }
- project = element(split("=>", each.value), 0)
- role = element(split("=>", each.value), 1)
+ project = each.value.project_id
+ role = each.value.role_name
 member = local.gcp_sa_fqn
 }
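Review bot: The `for_each` keys `"${entry.project_id}.${entry.role_name}"` become resource addresses such as `workload_identity_sa_bindings_additional_projects["my-project.roles/storage.admin"]`, and because role names themselves contain dots the boundary between project and role is hard to see in plan output; a separator that cannot occur in a project ID, e.g. `"${entry.project_id}:${entry.role_name}"`, reads unambiguously. Uniqueness is not at risk since project IDs cannot contain `.`, so this is a readability point rather than a collision bug. Because the keys are derived from `var.additional_projects`, both project IDs and role names must be known at plan time (a value fed from another module's not-yet-applied output fails with "Invalid for_each argument"); that constraint is worth stating in the variable description, as `toset(var.roles)` already imposes the same one and it is equally undocumented.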