fix: Add ability to impersonate service accounts in kubectl for all submodules (terraform-google-modules#903)

Author: yashbhutwala

autogen/main/dns.tf.tmpl

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

dns.tf

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

modules/asm/README.md

@@ -64,6 +64,7 @@ To deploy this config:
 | enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no |
 | enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
+| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |

modules/asm/main.tf

@@ -32,16 +32,17 @@ locals {
 
 module "asm_install" {
  source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
  module_depends_on = [var.cluster_endpoint]
 
- gcloud_sdk_version = var.gcloud_sdk_version
- upgrade = true
- additional_components = ["kubectl", "kpt", "beta", "kustomize"]
- cluster_name = var.cluster_name
- cluster_location = var.location
- project_id = var.project_id
- service_account_key_file = var.service_account_key_file
+ gcloud_sdk_version = var.gcloud_sdk_version
+ upgrade = true
+ additional_components = ["kubectl", "kpt", "beta", "kustomize"]
+ cluster_name = var.cluster_name
+ cluster_location = var.location
+ project_id = var.project_id
+ service_account_key_file = var.service_account_key_file
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
  kubectl_destroy_command = "kubectl delete ns istio-system"

modules/asm/variables.tf

@@ -87,6 +87,12 @@ variable "managed_control_plane" {
  default = false
 }
 
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
+
 variable "options" {
  description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features."
  type = list

modules/beta-private-cluster-update-variant/dns.tf

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

modules/beta-private-cluster/dns.tf

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

modules/beta-public-cluster-update-variant/dns.tf

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

modules/beta-public-cluster/dns.tf

@@ -20,14 +20,14 @@
  Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.0.2"
- enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
- cluster_name = google_container_cluster.primary.name
- cluster_location = google_container_cluster.primary.location
- project_id = var.project_id
- upgrade = var.gcloud_upgrade
-
+ source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version  = "~> 2.1.0"
+ enabled  = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+ cluster_name  = google_container_cluster.primary.name
+ cluster_location  = google_container_cluster.primary.location
+ project_id  = var.project_id
+ upgrade  = var.gcloud_upgrade
+ impersonate_service_account = var.impersonate_service_account
 
  kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
  kubectl_destroy_command = ""

modules/hub/main.tf

@@ -72,7 +72,7 @@ resource "google_service_account_key" "gke_hub_key" {
 
 module "gke_hub_registration" {
  source = "terraform-google-modules/gcloud/google"
- version = "~> 2.0.2"
+ version = "~> 2.1.0"
 
  platform = "linux"
  gcloud_sdk_version = var.gcloud_sdk_version