Use new project-level robot bindings
This commit is contained in:
parent
5ff2286378
commit
46af8fa72e
@ -27,7 +27,7 @@ module "gke-cluster" {
|
|||
source = "../../../../modules/gke-cluster"
|
||||
for_each = local.clusters
|
||||
name = each.key
|
||||
project_id = each.value.project_id
|
||||
project_id = module.gke-project-0.project_id
|
||||
description = each.value.description
|
||||
location = each.value.location
|
||||
network = each.value.net.vpc
|
||||
|
@ -114,7 +114,4 @@ module "gke-cluster" {
|
|||
# }
|
||||
# }
|
||||
|
||||
depends_on = [
|
||||
google_project_iam_member.host_project_bindings
|
||||
]
|
||||
}
|
||||
|
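Review bot: Dropping `depends_on = [google_project_iam_member.host_project_bindings]` from `module "gke-cluster"` leaves cluster creation ordered after the host-project grants only through the reference `project_id = module.gke-project-0.project_id`; that holds only if the project module's `project_id` output itself depends on the shared-VPC IAM resources it now creates, which this page does not show. If it does not, a first apply can reach cluster creation before `roles/container.hostServiceAgentUser` and `roles/compute.networkUser` exist on the host project and fail with a permission error that is not reproducible on re-apply. Unless the output is known to carry that dependency, keep an explicit ordering with `depends_on = [module.gke-project-0]` on the cluster module. The body of `module "gke-cluster"` starts before the first hunk and runs outside the shown lines.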
|
|
@ -19,11 +19,6 @@ locals {
|
|||
|
||||
_gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
|
||||
_cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
|
||||
host_project_bindings = [
|
||||
{ role = "roles/container.hostServiceAgentUser", member = local._gke_robot_sa },
|
||||
{ role = "roles/compute.networkUser", member = local._gke_robot_sa },
|
||||
{ role = "roles/compute.networkUser", member = local._cloud_services_sa }
|
||||
]
|
||||
}
|
||||
|
||||
module "gke-project-0" {
|
||||
|
@ -50,9 +45,17 @@ module "gke-project-0" {
|
|||
shared_vpc_service_config = {
|
||||
attach = true
|
||||
host_project = var.vpc_host_project
|
||||
service_identity_iam = {
|
||||
"roles/compute.networkUser" = [
|
||||
"cloudservices", "container-engine"
|
||||
]
|
||||
"roles/container.hostServiceAgentUser" = [
|
||||
"container-engine"
|
||||
]
|
||||
}
|
||||
}
|
||||
# specify project-level org policies here if you need them
|
||||
|
||||
# specify project-level org policies here if you need them
|
||||
# policy_boolean = {
|
||||
# "constraints/compute.disableGuestAttributesAccess" = true
|
||||
# }
|
||||
|
@ -72,10 +75,3 @@ module "gke-dataset-resource-usage" {
|
|||
id = "resource_usage"
|
||||
friendly_name = "GKE resource usage."
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "host_project_bindings" {
|
||||
for_each = { for i, v in local.host_project_bindings : i => v }
|
||||
project = var.vpc_host_project
|
||||
role = each.value.role
|
||||
member = each.value.member
|
||||
}
|
||||
|
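Review bot: The new `service_identity_iam` block binds `roles/compute.networkUser` for `cloudservices` and `container-engine` at the level of the whole host project (`host_project = var.vpc_host_project`), which is the same scope the removed `google_project_iam_member.host_project_bindings` resource used, so the change does not widen anything, but the scope itself is worth stating: project-level `networkUser` lets the service project's agents attach to every subnet in the host VPC, not just the ones the clusters use. A short comment above `service_identity_iam` such as `# host-project-wide networkUser; narrow to cluster subnets if the module supports subnet-level grants` records that the breadth is deliberate. If the project module offers a subnet-scoped variant of these grants, prefer it for the two robot identities. The `shared_vpc_service_config` block sits inside `module "gke-project-0"`, whose header is outside the hunk.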
|
|
@ -68,7 +68,6 @@ variable "clusters" {
|
|||
memory_min = number
|
||||
memory_max = number
|
||||
})
|
||||
project_id = string
|
||||
description = string
|
||||
dns_domain = string
|
||||
labels = map(string)
|
||||
|
@ -138,8 +137,8 @@ variable "nodepool_defaults" {
|
|||
variable "nodepools" {
|
||||
description = ""
|
||||
type = map(map(object({
|
||||
node_count = number
|
||||
node_type = string
|
||||
node_count = number
|
||||
node_type = string
|
||||
initial_node_count = number
|
||||
overrides = object({
|
||||
image_type = string
|
||||
|
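Review bot: Removing `project_id = string` from the object type of `variable "clusters"` changes the variable's contract without a note in the hunk, and the `description` for `clusters` is outside the shown lines, so a reader of the variable no longer learns that every cluster is now placed in the project created by `module "gke-project-0"`. Existing tfvars that still set `project_id` per cluster will either be rejected or have the attribute silently ignored depending on Terraform's object-conversion behaviour, and in the latter case a cluster lands in a different project than the author intended. Add a sentence to the variable's description such as `Clusters are created in the project managed by module.gke-project-0; a per-cluster project_id is no longer accepted.` and mention the removal in the commit message. The hunk against `variable "nodepools"` looks like an alignment-only change and needs nothing.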
|