diff --git a/main.tf b/main.tf index 0bb24cc6..ac8a1038 100644 --- a/main.tf +++ b/main.tf @@ -29,16 +29,14 @@ locals { } module "service_accounts" { - source = "./modules/service_accounts" - namespace = var.namespace - bucket_name = var.bucket_name - kms_gcs_sa_id = var.kms_gcs_sa_id - kms_gcs_sa_name = var.kms_gcs_sa_name - workload_identity = var.create_workload_identity - account_id = var.workload_account_id - service_account_name = var.service_account_name - enable_stackdriver = var.enable_stackdriver - depends_on = [module.project_factory_project_services] + source = "./modules/service_accounts" + namespace = var.namespace + bucket_name = var.bucket_name + kms_gcs_sa_name = var.kms_gcs_sa_name + create_workload_identity = var.create_workload_identity + stackdriver_sa_name = var.stackdriver_sa_name + enable_stackdriver = var.enable_stackdriver + depends_on = [module.project_factory_project_services] } module "kms" { @@ -83,15 +81,15 @@ locals { } module "app_gke" { - source = "./modules/app_gke" - namespace = var.namespace - machine_type = coalesce(try(local.deployment_size[var.size].node_instance, null), var.gke_machine_type) - node_count = coalesce(try(local.deployment_size[var.size].node_count, null), var.gke_node_count) - network = local.network - subnetwork = local.subnetwork - service_account = module.service_accounts.service_account + source = "./modules/app_gke" + namespace = var.namespace + machine_type = coalesce(try(local.deployment_size[var.size].node_instance, null), var.gke_machine_type) + node_count = coalesce(try(local.deployment_size[var.size].node_count, null), var.gke_node_count) + network = local.network + subnetwork = local.subnetwork + service_account = module.service_accounts.service_account create_workload_identity = var.create_workload_identity - depends_on = [module.project_factory_project_services] + depends_on = [module.project_factory_project_services] } module "app_lb" { 
@@ -267,9 +265,10 @@ module "wandb" { stackdriver = var.enable_stackdriver ? { install = true stackdriver = { - projectId = data.google_client_config.current.project + projectId = data.google_client_config.current.project + serviceAccountName = var.stackdriver_sa_name } - serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.monitoring_role } } + serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.stackdriver_email } } } : { install = false stackdriver = {} diff --git a/modules/app_gke/main.tf b/modules/app_gke/main.tf index ce56b59e..1968b09c 100644 --- a/modules/app_gke/main.tf +++ b/modules/app_gke/main.tf @@ -7,9 +7,9 @@ locals { resource "google_container_cluster" "default" { name = "${var.namespace}-cluster" - network = var.network.self_link - subnetwork = var.subnetwork.self_link - networking_mode = "VPC_NATIVE" + network = var.network.self_link + subnetwork = var.subnetwork.self_link + networking_mode = "VPC_NATIVE" enable_intranode_visibility = true # Conditionally enable workload identity @@ -31,7 +31,7 @@ resource "google_container_cluster" "default" { workload_pool = "${local.project_id}.svc.id.goog" } } - + ip_allocation_policy { cluster_ipv4_cidr_block = "/14" services_ipv4_cidr_block = "/19" diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf index 94451182..9437dee4 100644 --- a/modules/service_accounts/main.tf +++ b/modules/service_accounts/main.tf 
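Review bot: The new `serviceAccountName = var.stackdriver_sa_name` and the `iam.gke.io/gcp-service-account` annotation only take effect if a matching `roles/iam.workloadIdentityUser` binding exists, and the binding in `modules/service_accounts` is pinned to the `default/<name>` principal; nothing in these values constrains the Helm release namespace, so a release installed anywhere else gets the annotation but no GCP identity, and that failure shows up at runtime rather than at plan time. At minimum document the coupling here, e.g. `# KSA must be created in the "default" namespace: the Workload Identity binding in modules/service_accounts is scoped to default/<stackdriver_sa_name>`, or better, pass the release namespace into the module and interpolate it into the binding's member so the two cannot drift. The enclosing `module "wandb"` block starts before this hunk.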
@@ -65,63 +65,64 @@ resource "google_project_iam_member" "secretmanager_admin" { ####### service account for kms and gcs cross project access resource "google_service_account" "kms_gcs_sa" { - count = var.workload_identity == true ? 1 : 0 - account_id = var.kms_gcs_sa_id + count = var.create_workload_identity == true ? 1 : 0 + account_id = var.kms_gcs_sa_name display_name = "Service Account For Workload Identity" } resource "google_project_iam_member" "storage" { - count = var.workload_identity == true ? 1 : 0 + count = var.create_workload_identity == true ? 1 : 0 project = local.project_id role = "roles/storage.admin" member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}" } resource "google_project_iam_member" "kms" { - count = var.workload_identity == true ? 1 : 0 + count = var.create_workload_identity == true ? 1 : 0 project = local.project_id role = "roles/cloudkms.admin" member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}" } resource "google_service_account_iam_member" "token_creator_binding" { - count = var.workload_identity == true ? 1 : 0 + count = var.create_workload_identity == true ? 1 : 0 service_account_id = google_service_account.kms_gcs_sa[count.index].id role = "roles/iam.serviceAccountTokenCreator" member = "serviceAccount:${google_service_account.kms_gcs_sa[count.index].email}" } resource "google_service_account_iam_member" "workload_binding" { - count = var.workload_identity == true ? 1 : 0 + count = var.create_workload_identity == true ? 1 : 0 service_account_id = google_service_account.kms_gcs_sa[count.index].id role = "roles/iam.workloadIdentityUser" member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.kms_gcs_sa_name}]" +} ### service account for stackdriver -resource "google_service_account" "workload-identity-user-sa" { +resource "google_service_account" "stackdriver" { count = var.enable_stackdriver == true ? 
1 : 0 - account_id = "stackdriver" + account_id = var.stackdriver_sa_name display_name = "Service Account For Workload Identity" } -resource "google_project_iam_member" "monitoring-role" { +resource "google_project_iam_member" "monitoring" { count = var.enable_stackdriver == true ? 1 : 0 project = local.project_id role = "roles/monitoring.viewer" - member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}" + member = "serviceAccount:${google_service_account.stackdriver[count.index].email}" } -resource "google_service_account_iam_member" "monitoring-role" { +resource "google_service_account_iam_member" "stackdriver_token_creator" { count = var.enable_stackdriver == true ? 1 : 0 - service_account_id = google_service_account.workload-identity-user-sa[count.index].id + service_account_id = google_service_account.stackdriver[count.index].id role = "roles/iam.serviceAccountTokenCreator" - member = "serviceAccount:${google_service_account.workload-identity-user-sa[count.index].email}" + member = "serviceAccount:${google_service_account.stackdriver[count.index].email}" } -resource "google_service_account_iam_member" "workload_identity-role" { +resource "google_service_account_iam_member" "stackdriver_binding" { count = var.enable_stackdriver == true ? 1 : 0 - service_account_id = google_service_account.workload-identity-user-sa[count.index].id + service_account_id = google_service_account.stackdriver[count.index].id role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.service_account_name}]" + member = "serviceAccount:${local.project_id}.svc.id.goog[default/${var.stackdriver_sa_name}]" } \ No newline at end of file diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf index e9b067a5..e836baae 100644 --- a/modules/service_accounts/outputs.tf +++ b/modules/service_accounts/outputs.tf 
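Review bot: `stackdriver_token_creator` grants the stackdriver service account `roles/iam.serviceAccountTokenCreator` on itself, which Workload Identity does not require — the KSA-to-GSA mapping is entirely provided by the `roles/iam.workloadIdentityUser` grant in `stackdriver_binding` — so unless a caller impersonates this account the self-grant should be dropped, or carry a comment naming the consumer that depends on it; `token_creator_binding` on `kms_gcs_sa` has the same shape. Both bindings also grant the account `signBlob`/`signJwt` on itself, which is extra capability for a compromised pod with no visible use here. Separately, `kms_gcs_sa` still receives project-wide `roles/storage.admin` and `roles/cloudkms.admin` (unchanged lines) even though the module is already given `var.bucket_name`; a bucket-scoped `google_storage_bucket_iam_member` with `roles/storage.objectAdmin` and a key-scoped `roles/cloudkms.cryptoKeyEncrypterDecrypter` would be the least-privilege form, assuming the module can be handed the key resource.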
@@ -6,10 +6,9 @@ output "service_account" { output "sa_account_email" { - value = var.workload_identity == true ? google_service_account.kms_gcs_sa[0].email : null + value = var.create_workload_identity == true ? google_service_account.kms_gcs_sa[0].email : null } -output "monitoring_role" { - value = var.enable_stackdriver == true ? google_service_account.workload-identity-user-sa[0].email : null - +output "stackdriver_email" { + value = var.enable_stackdriver == true ? google_service_account.stackdriver[0].email : null } \ No newline at end of file diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf index 5c7ff8b5..8f6ed553 100644 --- a/modules/service_accounts/variables.tf +++ b/modules/service_accounts/variables.tf @@ -13,30 +13,22 @@ variable "bucket_name" { variable "create_workload_identity" { description = "Flag to indicate whether to create a workload identity for the service account." type = bool - default = false + default = false } -variable "kms_gcs_sa_id" { +variable "kms_gcs_sa_name" { type = string default = "wandb-serviceaccount" } -variable "kms_gcs_sa_name" { - type = string - default = "wandb-serviceaccount" +variable "stackdriver_sa_name" { + description = "The name of the service account." + type = string + default = "wandb-stackdriver" } variable "enable_stackdriver" { - type = bool + description = "Flag to indicate whether to enable workload identity for the service account." + type = bool default = false -} - -variable "workload_account_id" { - type = string - default = "stackdriver" -} - -variable "service_account_name" { - type = string - default = "stackdriver" } \ No newline at end of file diff --git a/variables.tf b/variables.tf index a4d7370e..a33b7037 100644 --- a/variables.tf +++ b/variables.tf 
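Review bot: The new `enable_stackdriver` description ("Flag to indicate whether to enable workload identity for the service account.") is a copy of the workload-identity variable's text and describes the wrong flag; it should read something like `description = "Create the stackdriver service account, its monitoring.viewer grant and its Workload Identity binding."`. `stackdriver_sa_name` (and `kms_gcs_sa_name`) now serve as both the GCP `account_id` and the Kubernetes service account name in the Workload Identity member, but the description does not say so and there is no `validation` block, so an override that breaks the GCP account-ID rules (6-30 chars, lowercase letter first, `[a-z0-9-]`) fails only at apply time. A validation block such as the one below, mirrored on `kms_gcs_sa_name`, makes the constraint explicit at plan time.
```hcl
variable "stackdriver_sa_name" {
  description = "Used as both the GCP service account account_id and the Kubernetes service account name (default namespace) bound to it via Workload Identity."
  type        = string
  default     = "wandb-stackdriver"

  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.stackdriver_sa_name))
    error_message = "Must be 6-30 characters, start with a lowercase letter, and contain only lowercase letters, digits and hyphens (GCP service account ID rules; also a valid Kubernetes name)."
  }
}
```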
@@ -236,22 +236,6 @@ variable "size" { default = null } -variable "create_workload_identity" { - description = "Flag to indicate whether to create a workload identity for the service account." - type = bool - default = true -} - -variable "kms_gcs_sa_id" { - type = string - default = "wandb-serviceaccount" -} - -variable "kms_gcs_sa_name" { - type = string - default = "wandb-serviceaccount" -} - variable "weave_wandb_env" { type = map(string) description = "Extra environment variables for W&B" @@ -270,17 +254,23 @@ variable "parquet_wandb_env" { default = {} } -variable "enable_stackdriver" { - type = bool - default = false +variable "create_workload_identity" { + description = "Flag to indicate whether to create a workload identity for the service account." + type = bool + default = true } -variable "workload_account_id" { +variable "kms_gcs_sa_name" { type = string - default = "stackdriver" + default = "wandb-serviceaccount" +} + +variable "enable_stackdriver" { + type = bool + default = true } -variable "service_account_name" { +variable "stackdriver_sa_name" { type = string - default = "stackdriver" + default = "wandb-stackdriver" } \ No newline at end of file
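Review bot: `enable_stackdriver` changes its default from `false` to `true` in the second hunk, so every existing deployment that did not set it will, on its next apply, create a new GCP service account with `roles/monitoring.viewer`, a Workload Identity binding and changed Helm values without any opt-in; that is a behavioral change for existing users and deserves either keeping `default = false` or an explicit call-out in the variable. None of the three re-added variables carries a description, e.g. `description = "Enable Stackdriver monitoring: creates a dedicated GCP service account with roles/monitoring.viewer and binds it to the chart's Kubernetes service account via Workload Identity."` for `enable_stackdriver`, and the two `*_sa_name` variables should state that they double as the GCP account_id and the Kubernetes service account name so operators do not pick a value valid for one but not the other.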