terraform-provider-kubernetes
add the fields "serviceAccountName" and "serviceAccount" in the "kubernetes_cron_job" resource.
Description
I want to use my own serviceaccount to run a Cronjob in Kubernetes. Now it looks like the cronjob uses the "default" account from the namespace it's located in.
add the fields "serviceAccountName" and "serviceAccount" in the "kubernetes_cron_job" resource.
Potential Terraform Configuration
resource "kubernetes_cron_job" "example" {
  metadata {
    name      = "${var.application}-up"
    namespace = var.aks_namespace
    labels = {
      app    = "${var.application}-up"
      az_env = var.environment
    }
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "08 08 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    **serviceAccountName: sa-example
    serviceAccount: sa-example**
    job_template {
    }
  }
}
Hi @aloosnetmatch, serviceAccount has been deprecated and is a part of serviceAccountName. Additionally, serviceAccountName is to be added in the Job Template as shown below.
resource "kubernetes_cron_job_v1" "demo" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    timezone                      = "Etc/UTC"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {}
          spec {
            service_account_name = "this" # <<<< HERE
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}
Here is some documentation that should explain further and assist with implementing this: Job Template Spec and Cron_Job_v1 Resource.
@sheneska
hello. When can I use the service_account_name you mentioned?
It seems that service_account_name is accepted by kubernetes_cron_job_v1 but not applied in the actual manifest. Is this a bug? I'm trying to run terraform apply within the cluster itself, I configured a service account with the needed permissions and when I pass it to cronjob with a syntax like this it doesn't write the relevant field.
resource "kubernetes_cron_job_v1" "replica" {
  metadata {
    name      = "my-job"
    namespace = "default"
  }
  spec {
    schedule = "0 */2 * * *" # Every 2 hours
    job_template {
      metadata {
        name      = "test"
        namespace = "default"
      }
      spec {
        template {
          metadata {
            name = "test"
          }
          spec {
            restart_policy = "Never"
            # Use a well-known service account that has permissions to write state into Kubernetes
            service_account_name = "xxx"
            container {
              name  = "terraform"
              image = "hashicorp/terraform:1.9"
              # args = ["apply", "-auto-approve"]
              args        = ["plan"]
              working_dir = "/app"
              env {
                name  = "TF_INPUT"
                value = "0"
              }
            }
          }
        }
      }
    }
  }
}
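A check for where the service account actually lands, as an added example (not code from the provider or from any commenter in this thread): it reads a CronJob object as JSON, for instance the output of `kubectl get cronjob <name> -o json`, and reports which service account its pods will use. The `dig` and `audit_cronjob` names and both sample objects are constructed for illustration.

```python
import json

# Path to the pod spec inside a batch/v1 CronJob object.
POD_SPEC_PATH = ("spec", "jobTemplate", "spec", "template", "spec")
SA_KEYS = ("serviceAccountName", "serviceAccount")


def dig(obj, path):
    """Follow nested dict keys; return {} when any level is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return {}
        obj = obj.get(key, {})
    return obj if isinstance(obj, dict) else {}


def audit_cronjob(cronjob):
    """Return (effective service account, list of findings) for a CronJob."""
    findings = []
    pod_spec = dig(cronjob, POD_SPEC_PATH)
    # The field only takes effect in the pod spec; flag it anywhere above.
    for depth in range(1, len(POD_SPEC_PATH)):
        parent = POD_SPEC_PATH[:depth]
        for key in SA_KEYS:
            if key in dig(cronjob, parent):
                findings.append(f"{key} at {'.'.join(parent)} has no effect")
    name = pod_spec.get("serviceAccountName")
    legacy = pod_spec.get("serviceAccount")  # deprecated alias
    if legacy and not name:
        findings.append("only the deprecated serviceAccount field is set")
    effective = name or legacy or "default"
    if effective == "default":
        findings.append("pods will run as the namespace default service account")
    return effective, findings


# Constructed samples: the layout requested in the issue vs. the working one.
MISPLACED = json.loads("""{"kind": "CronJob", "spec": {"schedule": "08 08 * * *",
  "serviceAccountName": "sa-example",
  "jobTemplate": {"spec": {"template": {"spec": {"containers": []}}}}}}""")
CORRECT = json.loads("""{"kind": "CronJob", "spec": {"schedule": "1 0 * * *",
  "jobTemplate": {"spec": {"template": {"spec": {
    "serviceAccountName": "this", "containers": []}}}}}}""")

if __name__ == "__main__":
    for label, doc in (("misplaced", MISPLACED), ("correct", CORRECT)):
        print(label, audit_cronjob(doc))
```

An empty findings list means the pod template names a non-default service account at the path Kubernetes reads.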