terraform-google-kubernetes-engine
Specifying service account for nodes in private autopilot cluster doesn't work
TL;DR
I am trying to configure a non-default service account with Artifact Registry access on another project as the workload identity SA, but the beta-autopilot-private-cluster module seems to ignore it.
Expected behavior
The cluster should use my specified service account for the node pool service account.
Observed behavior
The node pool is created with the default service account.
Terraform Configuration
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.10.0"
    }
  }
}

# Service Account for the cluster's nodes
module "gke_service_account" {
  source      = "terraform-google-modules/service-accounts/google"
  version     = "~> 4.1.1"
  project_id  = local.project_id
  description = "Service account for cluster ${local.gke_cluster_name} (managed by Terraform)"
  prefix      = "gke"
  names = [
    local.gke_cluster_name,
  ]
  project_roles = [
    "${local.project_id}=>roles/monitoring.viewer",
    "${local.project_id}=>roles/monitoring.metricWriter",
    "${local.project_id}=>roles/logging.logWriter",
    "${local.project_id}=>roles/stackdriver.resourceMetadata.writer",
  ]
}

# Give node service account access to our global registry in order to pull images
module "gke_service_account_iam" {
  source                  = "terraform-google-modules/iam/google//modules/member_iam"
  service_account_address = module.gke_service_account.email
  prefix                  = "serviceAccount"
  project_id              = "REDACTED"
  project_roles = [
    "roles/artifactregistry.reader"
  ]
}

# set up the gke cluster
module "gke_cluster_primary" {
  source                          = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
  project_id                      = local.project_id
  name                            = local.gke_cluster_name
  region                          = var.region
  zones                           = var.cluster_zones
  release_channel                 = "REGULAR"
  network                         = module.gcp-network.network_name
  subnetwork                      = module.gcp-network.subnets_names[0]
  horizontal_pod_autoscaling      = true
  enable_vertical_pod_autoscaling = true
  enable_network_egress_export    = true
  enable_private_endpoint         = false
  enable_private_nodes            = true
  master_ipv4_cidr_block          = "172.16.0.0/28"

  # this section should configure the cluster to use the service account created, but it doesn't.
  create_service_account = false
  service_account        = module.gke_service_account.email
  grant_registry_access  = true
  registry_project_ids   = ["REDACTED"]

  master_authorized_networks = [
    {
      cidr_block   = data.google_compute_subnetwork.subnetwork.ip_cidr_range
      display_name = "VPC"
    }
  ]
}
Terraform Version
Terraform v1.2.3
on linux_amd64
Additional information
No response
I checked the output vars from the module and service_account contains the service account email for my created service account.
In my opinion the "as if not overridden in node_pools" part of the documentation can give a hint on what happens. Maybe autopilot clusters do not utilize the specified service account for node_config.service_account.
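Module outputs only tell you what the module was asked to do; the plan (or post-apply state) tells you what the provider will actually send to the API. The following is an added example, not code from the issue or from the terraform-google-kubernetes-engine module: it reads the JSON produced by `terraform show -json tfplan` and reports, for every google_container_cluster and google_container_node_pool resource, which service account the nodes will run as, flagging anything that falls back to the Compute Engine default. The plan excerpt embedded below is constructed for this example, and the attribute layout it relies on (node_config as a one-element list holding a service_account key) is an assumption based on the google provider's plan JSON. It also covers node pools, which the autopilot module in the issue does not create, so the same check works for standard clusters.

```python
"""Report the node service account a GKE plan will actually use.

Usage: terraform show -json tfplan | python check_node_sa.py
(Reads stdin when it is not a TTY; otherwise runs against the constructed sample.)
"""
import json
import sys

# Constructed plan excerpt (not real output). It models the symptom from the
# issue: the module was given a custom SA, but the cluster's node_config still
# carries "default", while a separate node pool shows the SA being honoured.
# Assumption: the provider renders node_config as a single-element list.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "module.gke_cluster_primary.google_container_cluster.primary",
            "type": "google_container_cluster",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "example-cluster",
                    "enable_autopilot": True,
                    "node_config": [{"service_account": "default"}],
                },
            },
        },
        {
            "address": "module.gke_cluster_primary.google_container_node_pool.pools[\"default\"]",
            "type": "google_container_node_pool",
            "change": {
                "actions": ["create"],
                "after": {
                    "node_config": [
                        {"service_account": "gke-example-cluster@example-project.iam.gserviceaccount.com"}
                    ]
                },
            },
        },
    ],
})

NODE_RESOURCE_TYPES = {"google_container_cluster", "google_container_node_pool"}


def node_service_accounts(plan_json: str) -> dict:
    """Map each cluster/node-pool address to the service account its nodes get.

    A missing or empty node_config (or an empty service_account) means the
    provider falls back to the project's default compute service account, so
    those cases are reported as "default". Values still unknown at plan time
    live under change.after_unknown rather than change.after; re-run this on
    `terraform show -json` of the state after apply to see the final value.
    """
    plan = json.loads(plan_json)
    result = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in NODE_RESOURCE_TYPES:
            continue
        after = (rc.get("change") or {}).get("after") or {}  # None on destroy
        node_config = after.get("node_config") or []
        sa = node_config[0].get("service_account") if node_config else ""
        result[rc["address"]] = sa or "default"
    return result


def resources_using_default_sa(plan_json: str, expected_sa: str) -> list:
    """Addresses whose nodes will NOT run as expected_sa, sorted for stable output.

    Suitable as a CI gate: a non-empty list means the plan would hand nodes the
    broad default SA (or some other SA) instead of the least-privilege one.
    """
    return sorted(addr for addr, sa in node_service_accounts(plan_json).items()
                  if sa != expected_sa)


if __name__ == "__main__":
    plan_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    for addr, sa in node_service_accounts(plan_text).items():
        print(f"{addr}: {sa}")
    expected = "gke-example-cluster@example-project.iam.gserviceaccount.com"
    bad = resources_using_default_sa(plan_text, expected)
    if bad:
        print("Nodes not using the expected service account:", *bad, sep="\n  ")
        sys.exit(1)
```

Run against the sample, the cluster resource is reported with "default" while the node pool carries the custom SA, which is exactly the mismatch the issue describes; pipe a real plan in and pass the SA email from the module output as `expected` to turn it into a pipeline check.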
Thanks for the report @X4mp. This may be related to https://github.com/hashicorp/terraform-provider-google/issues/9505 which is preventing the SA from being used. We should probably call this out in the autopilot readme until that issue is fixed.
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.
Hi there 👋🏻
Till this PR is merged (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/1512), maybe this one is relevant (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1271) since we faced the issue today 😇.