Add WI/Google Groups RBAC

terraform-google-modules · Jul 25, 2019 · 0f0d39d · 0f0d39d
1 parent 0ac165a
commit 0f0d39d
Show file tree

Hide file tree

Showing 17 changed files with 197 additions and 0 deletions.
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
@@ -71,6 +71,20 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+        security_group = "${authenticator_groups_config.value.security_group}"
+      }
+  }
+
 {% endif %}
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config

diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
@@ -67,6 +67,20 @@ resource "google_container_cluster" "zonal_primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+        security_group = "${authenticator_groups_config.value.security_group}"
+      }
+  }
+
 {% endif %}
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config

diff --git a/autogen/main.tf b/autogen/main.tf
@@ -261,6 +261,17 @@ locals {
     regional = element(concat(google_container_cluster.primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
     zonal    = element(concat(google_container_cluster.zonal_primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
   }
+
+  cluster_type_workload_identity_namespace = {
+    regional = element(concat(google_container_cluster.primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+  }
+
+  cluster_type_authenticator_security_group = {
+    regional = element(concat(google_container_cluster.primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+  }
+
   # /BETA features
   {% endif %}
 
@@ -301,6 +312,8 @@ locals {
   cluster_pod_security_policy_enabled       = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type]
   cluster_intranode_visibility_enabled      = local.cluster_type_output_intranode_visbility_enabled[local.cluster_type]
   cluster_vertical_pod_autoscaling_enabled  = local.cluster_type_output_vertical_pod_autoscaling_enabled[local.cluster_type]
+  cluster_workload_identity_namespace       = local.cluster_type_workload_identity_namespace[local.cluster_type]
+  cluster_authenticator_security_group      = local.cluster_type_authenticator_security_group[local.cluster_type]
   # /BETA features
 {% endif %}
 }

diff --git a/autogen/outputs.tf b/autogen/outputs.tf
@@ -152,4 +152,15 @@ output "vertical_pod_autoscaling_enabled" {
   value       = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+
+output "workload_identity_namespace" {
+  description = "Workload Identity Namespace"
+  value       = local.cluster_workload_identity_namespace
+}
+
+
+output "authenticator_security_group" {
+  description = "Whether veritical pod autoscaling is enabled"
+  value       = local.cluster_authenticator_security_group
+}
 {% endif %}
diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -365,4 +365,15 @@ variable "enable_intranode_visibility" {
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
   default     = false
 }
+
+variable "workload_identity_config" {
+  description = "Workload Identity allows Kubernetes service accounts to act as a user-managed Google IAM Service Account."
+  default = []
+}
+
+ variable "authenticator_groups_config" {
+  type = list(map(string))
+  description = "security_group - The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default = []
+}
 {% endif %}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -133,6 +133,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_groups\_config | security_group - The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | list(map(string)) | `<list>` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
@@ -187,12 +188,14 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
+| workload\_identity\_config | Workload Identity allows Kubernetes service accounts to act as a user-managed Google IAM Service Account. | list | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `<list>` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| authenticator\_security\_group | Whether veritical pod autoscaling is enabled |
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cloudrun\_enabled | Whether CloudRun enabled |
 | endpoint | Cluster endpoint |
@@ -216,6 +219,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
+| workload\_identity\_namespace | Workload Identity Namespace |
 | zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf
@@ -66,6 +66,20 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+      security_group = "${authenticator_groups_config.value.security_group}"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config
     content {

diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf
@@ -62,6 +62,20 @@ resource "google_container_cluster" "zonal_primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+      security_group = "${authenticator_groups_config.value.security_group}"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config
     content {

diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -244,6 +244,17 @@ locals {
     regional = element(concat(google_container_cluster.primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
     zonal    = element(concat(google_container_cluster.zonal_primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
   }
+
+  cluster_type_workload_identity_namespace = {
+    regional = element(concat(google_container_cluster.primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+  }
+
+  cluster_type_authenticator_security_group = {
+    regional = element(concat(google_container_cluster.primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+  }
+
   # /BETA features
 
   cluster_type_output_node_pools_names = {
@@ -282,6 +293,8 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type]
   cluster_intranode_visibility_enabled     = local.cluster_type_output_intranode_visbility_enabled[local.cluster_type]
   cluster_vertical_pod_autoscaling_enabled = local.cluster_type_output_vertical_pod_autoscaling_enabled[local.cluster_type]
+  cluster_workload_identity_namespace      = local.cluster_type_workload_identity_namespace[local.cluster_type]
+  cluster_authenticator_security_group     = local.cluster_type_authenticator_security_group[local.cluster_type]
   # /BETA features
 }
 

diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
@@ -151,3 +151,14 @@ output "vertical_pod_autoscaling_enabled" {
   value       = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+
+output "workload_identity_namespace" {
+  description = "Workload Identity Namespace"
+  value       = local.cluster_workload_identity_namespace
+}
+
+
+output "authenticator_security_group" {
+  description = "Whether veritical pod autoscaling is enabled"
+  value       = local.cluster_authenticator_security_group
+}
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -362,3 +362,14 @@ variable "enable_vertical_pod_autoscaling" {
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
   default     = false
 }
+
+variable "workload_identity_config" {
+  description = "Workload Identity allows Kubernetes service accounts to act as a user-managed Google IAM Service Account."
+  default     = []
+}
+
+variable "authenticator_groups_config" {
+  type        = list(map(string))
+  description = "security_group - The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = []
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -128,6 +128,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_groups\_config | security_group - The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | list(map(string)) | `<list>` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
@@ -178,12 +179,14 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
+| workload\_identity\_config | Workload Identity allows Kubernetes service accounts to act as a user-managed Google IAM Service Account. | list | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `<list>` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| authenticator\_security\_group | Whether veritical pod autoscaling is enabled |
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cloudrun\_enabled | Whether CloudRun enabled |
 | endpoint | Cluster endpoint |
@@ -207,6 +210,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
+| workload\_identity\_namespace | Workload Identity Namespace |
 | zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf
@@ -66,6 +66,20 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+      security_group = "${authenticator_groups_config.value.security_group}"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config
     content {

diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf
@@ -62,6 +62,20 @@ resource "google_container_cluster" "zonal_primary" {
     }
   }
 
+  dynamic "workload_identity_config" {
+    for_each = var.workload_identity_config
+    content {
+      identity_namespace = "${var.project_id}.svc.id.goog"
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = var.authenticator_groups_config
+    content {
+      security_group = "${authenticator_groups_config.value.security_group}"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = var.master_authorized_networks_config
     content {

diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -246,6 +246,17 @@ locals {
     regional = element(concat(google_container_cluster.primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
     zonal    = element(concat(google_container_cluster.zonal_primary.*.vertical_pod_autoscaling.0.enabled, [""]), 0)
   }
+
+  cluster_type_workload_identity_namespace = {
+    regional = element(concat(google_container_cluster.primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.workload_identity_config.0.identity_namespace, [""]), 0)
+  }
+
+  cluster_type_authenticator_security_group = {
+    regional = element(concat(google_container_cluster.primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+    zonal    = element(concat(google_container_cluster.zonal_primary.*.authenticator_groups_config.0.security_group, [""]), 0)
+  }
+
   # /BETA features
 
   cluster_type_output_node_pools_names = {
@@ -284,6 +295,8 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_type_output_pod_security_policy_enabled[local.cluster_type]
   cluster_intranode_visibility_enabled     = local.cluster_type_output_intranode_visbility_enabled[local.cluster_type]
   cluster_vertical_pod_autoscaling_enabled = local.cluster_type_output_vertical_pod_autoscaling_enabled[local.cluster_type]
+  cluster_workload_identity_namespace      = local.cluster_type_workload_identity_namespace[local.cluster_type]
+  cluster_authenticator_security_group     = local.cluster_type_authenticator_security_group[local.cluster_type]
   # /BETA features
 }
 

diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
@@ -151,3 +151,14 @@ output "vertical_pod_autoscaling_enabled" {
   value       = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+
+output "workload_identity_namespace" {
+  description = "Workload Identity Namespace"
+  value       = local.cluster_workload_identity_namespace
+}
+
+
+output "authenticator_security_group" {
+  description = "Whether veritical pod autoscaling is enabled"
+  value       = local.cluster_authenticator_security_group
+}
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -338,3 +338,14 @@ variable "enable_vertical_pod_autoscaling" {
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
   default     = false
 }
+
+variable "workload_identity_config" {
+  description = "Workload Identity allows Kubernetes service accounts to act as a user-managed Google IAM Service Account."
+  default     = []
+}
+
+variable "authenticator_groups_config" {
+  type        = list(map(string))
+  description = "security_group - The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = []
+}