
Use preexisting service account from another GCP project

Open conchaox opened this issue 1 year ago • 0 comments

TL;DR

Use a preexisting SA from another GCP project different from the one where the module resources will be created.

Terraform Resources

No response

Detailed design

Is it possible to create the module resources using a preexisting GCP SA (K8s SA will have the same name) that belongs to a project different from the one where we are installing the module resources? I'm trying to do something like this:

```hcl
module "my-app-workload-identity" {
  source                          = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  use_existing_gcp_sa             = true
  gcp_sa_name                     = var.gcp_sa_name
  name                            = var.service_account != "" ? var.service_account : google_service_account.service_account[0].account_id
  namespace                       = kubernetes_namespace.namespace.metadata[0].name
  project_id                      = data.google_project.project.project_id
  automount_service_account_token = true
  roles = [
    "roles/cloudsql.client",
    "roles/iam.workloadIdentityUser",
    "roles/storage.admin",
  ]
}
```

Using `gcp_sa_name`, I'm trying to pass the FQDN for an SA that belongs to a project different from `project_id`; this value should override whatever is in `var.name`, according to the docs.

Additional information

No response

conchaox, Jan 29 '24 21:01
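As an added example (not code from the issue or from the module), this is the cross-project Workload Identity wiring the question is asking for, written out with plain provider resources so the two project IDs are explicit. All project IDs, the namespace and the account names are placeholders.

```hcl
# Added example, not the module's code. Placeholder values throughout:
# cluster-project-id hosts the GKE cluster, sa-project-id owns the existing GSA.
locals {
  cluster_project_id = "cluster-project-id"
  sa_project_id      = "sa-project-id"
  gsa_account_id     = "my-app"       # account_id of the preexisting GSA
  ksa_name           = "my-app"       # K8s SA keeps the same name, as in the issue
  ksa_namespace      = "my-namespace"
}

# Look the existing GSA up in its own project, not in the cluster project.
data "google_service_account" "existing" {
  account_id = local.gsa_account_id
  project    = local.sa_project_id
}

# The Workload Identity pool belongs to the cluster's project, so the member
# principal is built from cluster_project_id even though the GSA lives elsewhere.
# Binding on the GSA itself limits impersonation to this one namespace/KSA pair.
resource "google_service_account_iam_member" "wi_user" {
  service_account_id = data.google_service_account.existing.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${local.cluster_project_id}.svc.id.goog[${local.ksa_namespace}/${local.ksa_name}]"
}

# The KSA annotation carries the GSA's full email, which already names its project.
resource "kubernetes_service_account" "ksa" {
  metadata {
    name      = local.ksa_name
    namespace = local.ksa_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = data.google_service_account.existing.email
    }
  }
  automount_service_account_token = true
}

# Resource-access roles are granted in whichever project owns the resources
# being accessed; here one of the issue's roles, scoped to the cluster project.
resource "google_project_iam_member" "cloudsql_client" {
  project = local.cluster_project_id
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${data.google_service_account.existing.email}"
}
```

Granting `roles/iam.workloadIdentityUser` on the service account resource, rather than at project level as in the issue's `roles` list, keeps the impersonation grant scoped to the single KSA instead of every identity in the project.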