
Workload Identity use existing gcp sa fails to plan if the existing account exists outside of terraform

Status: Open. Opened by eahrend (0 comments).

TL;DR

A service account was created outside of the scope of Terraform, and we want to use that as our Workload Identity service account. However, when we provide that gcp_sa_name to the module and try to run terraform plan, it fails with the following errors:

```text
The argument "service_account_id" is required, but no definition was found.
local.gcp_sa_email is null
```

Expected behavior

To use an existing GCP service account created outside the scope of the Terraform module, and have plan/apply succeed.

Observed behavior

```text
The argument "service_account_id" is required, but no definition was found.
local.gcp_sa_email is null
```

Terraform Configuration

```hcl
module "kubernetes-engine_workload-identity" {
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version             = "22.0.0"
  project_id          = var.gcp_project_id
  name                = var.name
  use_existing_gcp_sa = var.use_existing_gcp_sa
  gcp_sa_name         = var.gcp_sa_name
  use_existing_k8s_sa = var.use_existing_k8s_sa
  k8s_sa_name         = var.k8s_sa_name
  namespace           = var.k8s_namespace
  cluster_name        = var.composer_environment_cluster_name
  location            = var.gcp_region
}
```


```hcl
# Non-Default Variables

variable "composer_environment_cluster_name" {
  type        = string
  description = "the cluster created by composer"
  default     = "composer"
}

variable "gcp_region" {
  type        = string
  description = "GCP region where composer resides"
  default     = "us-east1"
}

variable "cluster_endpoint" {
  type        = string
  description = "endpoint of the cluster"
  default     = "https://1.2.3.4"
}

variable "cluster_ca_certificate" {
  type        = string
  description = "cluster ca certificate"
  default     = "######"
}

# Default Variables

variable "name" {
  type        = string
  description = "name of the account used"
  default     = "overridden"
}

variable "gcp_project_id" {
  type        = string
  description = "project ID where this binding will be created in"
  default     = "####"
}

variable "use_existing_gcp_sa" {
  type        = bool
  description = "whether or not to use the existing GCP SA"
  default     = true
}

variable "use_existing_k8s_sa" {
  type        = bool
  description = "whether or not to use the existing K8S SA"
  default     = true
}

variable "k8s_sa_name" {
  type        = string
  description = "the kubernetes service account name"
  default     = "default"
}

variable "k8s_namespace" {
  type        = string
  description = "the kubernetes service account namespace"
  default     = "default"
}

variable "gcp_sa_name" {
  type        = string
  description = "name of the GCP service account to use"
  default     = "####"
}
```

Terraform Version

```sh
Terraform v1.2.1
on darwin_arm64
```

Additional information

No response

eahrend, Aug 01 '22 21:08
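An added example, not the module's code and not the reporter's configuration: the Workload Identity wiring for a GCP service account that already exists, written directly against the google and kubernetes providers rather than through the module. It assumes both providers are already configured (the reporter's cluster_endpoint and cluster_ca_certificate variables suggest the kubernetes provider is), and the default values below are placeholders. A standalone `data "google_service_account"` lookup is a useful first check when the module reports a null local.gcp_sa_email, because it confirms, independently of the module, that the project and account_id Terraform is using actually resolve to an account.

```hcl
# Added example (not the terraform-google-kubernetes-engine module's code).
# Assumptions: google and kubernetes providers are configured elsewhere;
# the GSA named by var.gcp_sa_name and the KSA named by var.k8s_sa_name
# already exist. All default values are placeholders.

terraform {
  required_providers {
    google     = { source = "hashicorp/google" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

variable "gcp_project_id" {
  type    = string
  default = "my-project" # placeholder
}

variable "gcp_sa_name" {
  type        = string
  description = "account_id of the pre-existing GSA (the part before the @)"
  default     = "composer-worker" # placeholder
}

variable "k8s_namespace" {
  type    = string
  default = "default"
}

variable "k8s_sa_name" {
  type    = string
  default = "default"
}

# Resolve the account that was created outside Terraform. If this fails at
# plan time, the project/account_id pair is wrong and nothing downstream
# can get an email for it.
data "google_service_account" "existing" {
  project    = var.gcp_project_id
  account_id = var.gcp_sa_name
}

# Least privilege: only this one namespace/KSA pair may impersonate the GSA.
# The member is the Workload Identity pool principal for that KSA; the role
# is granted on the service account resource, not at project level.
resource "google_service_account_iam_member" "workload_identity_user" {
  service_account_id = data.google_service_account.existing.name # projects/.../serviceAccounts/<email>
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.gcp_project_id}.svc.id.goog[${var.k8s_namespace}/${var.k8s_sa_name}]"
}

# Annotate the existing KSA so GKE maps tokens issued to it to the GSA.
resource "kubernetes_annotations" "ksa" {
  api_version = "v1"
  kind        = "ServiceAccount"
  metadata {
    name      = var.k8s_sa_name
    namespace = var.k8s_namespace
  }
  annotations = {
    "iam.gke.io/gcp-service-account" = data.google_service_account.existing.email
  }
}

output "gcp_sa_email" {
  value = data.google_service_account.existing.email
}
```

Before running this, confirm the account outside Terraform with `gcloud iam service-accounts describe <account_id>@<project>.iam.gserviceaccount.com --project <project>`; if that command cannot find it, no Terraform lookup will either. After apply, `kubectl get sa <ksa> -n <namespace> -o jsonpath='{.metadata.annotations}'` should show the iam.gke.io/gcp-service-account annotation pointing at the GSA email.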