feat: add cross project fleet service agent (terraform-google-modules#1896)

Author: apeabody

autogen/main/cluster.tf.tmpl

@@ -584,6 +584,10 @@ resource "google_container_cluster" "primary" {
  }
  }
  {% endif %}
+ {% if beta_cluster %}
+
+ depends_on = [google_project_iam_member.service_agent]
+ {% endif %}
 }
 {% if autopilot_cluster != true %}
 /******************************************

autogen/main/sa.tf.tmpl

@@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
  role = "roles/artifactregistry.reader"
  member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+{% if beta_cluster %}
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
+{% endif %}

autogen/main/variables.tf.tmpl

@@ -863,3 +863,11 @@ variable "fleet_project" {
  type = string
  default = null
 }
+{% if beta_cluster %}
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
+{% endif %}

modules/beta-autopilot-private-cluster/README.md

@@ -99,6 +99,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -268,4 +268,6 @@ resource "google_container_cluster" "primary" {
  topic = var.notification_config_topic
  }
  }
+
+ depends_on = [google_project_iam_member.service_agent]
 }

modules/beta-autopilot-private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
  role = "roles/artifactregistry.reader"
  member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}

modules/beta-autopilot-private-cluster/variables.tf

@@ -466,3 +466,9 @@ variable "fleet_project" {
  type = string
  default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}

modules/beta-autopilot-public-cluster/README.md

@@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |

modules/beta-autopilot-public-cluster/cluster.tf

@@ -249,4 +249,6 @@ resource "google_container_cluster" "primary" {
  topic = var.notification_config_topic
  }
  }
+
+ depends_on = [google_project_iam_member.service_agent]
 }

modules/beta-autopilot-public-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
  role = "roles/artifactregistry.reader"
  member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}