Use new project-level robot bindings
This commit is contained in:
parent
5ff2286378
commit
46af8fa72e
|
@ -27,7 +27,7 @@ module "gke-cluster" {
|
||||||
source = "../../../../modules/gke-cluster"
|
source = "../../../../modules/gke-cluster"
|
||||||
for_each = local.clusters
|
for_each = local.clusters
|
||||||
name = each.key
|
name = each.key
|
||||||
project_id = each.value.project_id
|
project_id = module.gke-project-0.project_id
|
||||||
description = each.value.description
|
description = each.value.description
|
||||||
location = each.value.location
|
location = each.value.location
|
||||||
network = each.value.net.vpc
|
network = each.value.net.vpc
|
||||||
|
@ -114,7 +114,4 @@ module "gke-cluster" {
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
|
|
||||||
depends_on = [
|
|
||||||
google_project_iam_member.host_project_bindings
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
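Review bot: Removing `depends_on = [google_project_iam_member.host_project_bindings]` from module "gke-cluster" leaves cluster ordering to the single reference `project_id = module.gke-project-0.project_id`. That reference only depends on what the project module's `project_id` output itself depends on, which is not necessarily the `service_identity_iam` bindings now created inside that module; if the output does not carry that dependency, a cluster can be created before the GKE robot holds `roles/container.hostServiceAgentUser` on the host project, which is exactly the race the deleted line guarded against. Worth confirming against the project module's outputs, or keeping the ordering explicit with `depends_on = [module.gke-project-0]` in the module block. The opening lines of the "gke-cluster" module block are outside the visible hunks.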
|
|
|
@ -19,11 +19,6 @@ locals {
|
||||||
|
|
||||||
_gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
|
_gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
|
||||||
_cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
|
_cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
|
||||||
host_project_bindings = [
|
|
||||||
{ role = "roles/container.hostServiceAgentUser", member = local._gke_robot_sa },
|
|
||||||
{ role = "roles/compute.networkUser", member = local._gke_robot_sa },
|
|
||||||
{ role = "roles/compute.networkUser", member = local._cloud_services_sa }
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gke-project-0" {
|
module "gke-project-0" {
|
||||||
|
@ -50,9 +45,17 @@ module "gke-project-0" {
|
||||||
shared_vpc_service_config = {
|
shared_vpc_service_config = {
|
||||||
attach = true
|
attach = true
|
||||||
host_project = var.vpc_host_project
|
host_project = var.vpc_host_project
|
||||||
|
service_identity_iam = {
|
||||||
|
"roles/compute.networkUser" = [
|
||||||
|
"cloudservices", "container-engine"
|
||||||
|
]
|
||||||
|
"roles/container.hostServiceAgentUser" = [
|
||||||
|
"container-engine"
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
# specify project-level org policies here if you need them
|
|
||||||
|
|
||||||
|
# specify project-level org policies here if you need them
|
||||||
# policy_boolean = {
|
# policy_boolean = {
|
||||||
# "constraints/compute.disableGuestAttributesAccess" = true
|
# "constraints/compute.disableGuestAttributesAccess" = true
|
||||||
# }
|
# }
|
||||||
|
@ -72,10 +75,3 @@ module "gke-dataset-resource-usage" {
|
||||||
id = "resource_usage"
|
id = "resource_usage"
|
||||||
friendly_name = "GKE resource usage."
|
friendly_name = "GKE resource usage."
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_project_iam_member" "host_project_bindings" {
|
|
||||||
for_each = { for i, v in local.host_project_bindings : i => v }
|
|
||||||
project = var.vpc_host_project
|
|
||||||
role = each.value.role
|
|
||||||
member = each.value.member
|
|
||||||
}
|
|
||||||
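Review bot: In the `locals` hunk, `_gke_robot_sa` and `_cloud_services_sa` survive while their only visible consumer, `host_project_bindings`, is removed along with the `google_project_iam_member` resource in the last hunk of this file; unless something outside this diff still references them, they are now dead and should go too. The new `service_identity_iam` block in the "gke-project-0" hunk would also benefit from a one-line comment above it stating that it replaces the former explicit host-project IAM resource and that `roles/compute.networkUser` is granted here at host-project scope rather than per subnet, so the next reader knows the scope is intentional. The `locals` and "gke-project-0" blocks both extend beyond the visible hunks.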
|
|
|
@ -68,7 +68,6 @@ variable "clusters" {
|
||||||
memory_min = number
|
memory_min = number
|
||||||
memory_max = number
|
memory_max = number
|
||||||
})
|
})
|
||||||
project_id = string
|
|
||||||
description = string
|
description = string
|
||||||
dns_domain = string
|
dns_domain = string
|
||||||
labels = map(string)
|
labels = map(string)
|
||||||
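Review bot: Dropping `project_id = string` from the `clusters` object type means any existing tfvars that still set `project_id` per cluster will fail type validation, and the variable no longer conveys that every cluster is created in the module-managed project. The variable's description, which is outside this hunk, should say so, e.g. `# clusters are always created in the project managed by module "gke-project-0"`. The `variable "clusters"` block starts and ends outside the visible hunk.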
|
|