feat: Hub submodule - add option to use existing service account to register clusters. (terraform-google-modules#678)

* use existing service account * count. use index * format and docs * add encoded to docs

Author: cloud-pharaoh

modules/hub/README.md

@@ -41,7 +41,9 @@ To deploy this config:
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no |
 | location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
 | project\_id | The project in which the resource belongs. | string | n/a | yes |
+| sa\_private\_key | Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`. | string | `"null"` | no |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
+| use\_existing\_sa | Uses an existing service account to register membership. Requires sa_private_key | bool | `"false"` | no |
 | use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no |
 
 ## Outputs

modules/hub/main.tf

@@ -15,26 +15,29 @@
  */
 
 locals {
- gke_hub_sa_key = google_service_account_key.gke_hub_key.private_key
+ gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
 }
 
 data "google_client_config" "default" {
 }
 
 resource "google_service_account" "gke_hub_sa" {
+ count = var.use_existing_sa ? 0 : 1
  account_id = var.gke_hub_sa_name
  project = var.project_id
  display_name = "Service Account for GKE Hub Registration"
 }
 
 resource "google_project_iam_member" "gke_hub_member" {
+ count = var.use_existing_sa ? 0 : 1
  project = var.project_id
  role = "roles/gkehub.connect"
- member = "serviceAccount:${google_service_account.gke_hub_sa.email}"
+ member = "serviceAccount:${google_service_account.gke_hub_sa[0].email}"
 }
 
 resource "google_service_account_key" "gke_hub_key" {
- service_account_id = google_service_account.gke_hub_sa.name
+ count = var.use_existing_sa ? 0 : 1
+ service_account_id = google_service_account.gke_hub_sa[0].name
 }
 
 module "gke_hub_registration" {

modules/hub/variables.tf

@@ -69,3 +69,15 @@ variable "gke_hub_membership_name" {
  type = string
  default = "gke-hub-membership"
 }
+
+variable "use_existing_sa" {
+ description = "Uses an existing service account to register membership. Requires sa_private_key"
+ type = bool
+ default = false
+}
+
+variable "sa_private_key" {
+ description = "Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`."
+ type = string
+ default = null
+}