Added servicemesh feature to GKE hub and included fleet robot service…

… account in projectmodule
GoogleCloudPlatform · Jul 15, 2022 · 824353a · 824353a
1 parent a8677ed
commit 824353a
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 7 deletions.
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
@@ -9,6 +9,7 @@ To use this module you must ensure the following APIs are enabled in the target
 "anthosconfigmanagement.googleapis.com"
 "multiclusteringress.googleapis.com"
 "multiclusterservicediscovery.googleapis.com"
+"mesh.googleapis.com"
 ```
 
 ## Full GKE Hub example
@@ -26,6 +27,7 @@ module "project" {
     "anthosconfigmanagement.googleapis.com",
     "multiclusteringress.googleapis.com",
     "multiclusterservicediscovery.googleapis.com",
+    "mesh.googleapis.com"
   ]
 }
 
@@ -89,18 +91,18 @@ module "hub" {
   }
 }
 
-# tftest modules=4 resources=13
+# tftest modules=4 resources=14
 ```
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L75) | GKE hub project ID. | <code>string</code> | ✓ |  |
-| [features](variables.tf#L17) | GKE hub features to enable. | <code title="object&#40;&#123;&#10;  configmanagement    &#61; bool&#10;  mc_ingress          &#61; bool&#10;  mc_servicediscovery &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  configmanagement    &#61; true&#10;  mc_ingress          &#61; false&#10;  mc_servicediscovery &#61; false&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [member_clusters](variables.tf#L32) | List for member cluster self links. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [member_features](variables.tf#L39) | Member features for each cluster | <code title="object&#40;&#123;&#10;  configmanagement &#61; object&#40;&#123;&#10;    binauthz &#61; bool&#10;    config_sync &#61; object&#40;&#123;&#10;      gcp_service_account_email &#61; string&#10;      https_proxy               &#61; string&#10;      policy_dir                &#61; string&#10;      secret_type               &#61; string&#10;      source_format             &#61; string&#10;      sync_branch               &#61; string&#10;      sync_repo                 &#61; string&#10;      sync_rev                  &#61; string&#10;    &#125;&#41;&#10;    hierarchy_controller &#61; object&#40;&#123;&#10;      enable_hierarchical_resource_quota &#61; bool&#10;      enable_pod_tree_labels             &#61; bool&#10;    &#125;&#41;&#10;    policy_controller &#61; object&#40;&#123;&#10;      exemptable_namespaces      &#61; list&#40;string&#41;&#10;      log_denies_enabled         &#61; bool&#10;      referential_rules_enabled  &#61; bool&#10;      template_library_installed &#61; bool&#10;    &#125;&#41;&#10;    version &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  configmanagement &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [project_id](variables.tf#L77) | GKE hub project ID. | <code>string</code> | ✓ |  |
+| [features](variables.tf#L17) | GKE hub features to enable. | <code title="object&#40;&#123;&#10;  configmanagement    &#61; bool&#10;  mc_ingress          &#61; bool&#10;  mc_servicediscovery &#61; bool&#10;  servicemesh         &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  configmanagement    &#61; true&#10;  mc_ingress          &#61; false&#10;  mc_servicediscovery &#61; false&#10;  servicemesh         &#61; false&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [member_clusters](variables.tf#L34) | List for member cluster self links. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [member_features](variables.tf#L41) | Member features for each cluster | <code title="object&#40;&#123;&#10;  configmanagement &#61; object&#40;&#123;&#10;    binauthz &#61; bool&#10;    config_sync &#61; object&#40;&#123;&#10;      gcp_service_account_email &#61; string&#10;      https_proxy               &#61; string&#10;      policy_dir                &#61; string&#10;      secret_type               &#61; string&#10;      source_format             &#61; string&#10;      sync_branch               &#61; string&#10;      sync_repo                 &#61; string&#10;      sync_rev                  &#61; string&#10;    &#125;&#41;&#10;    hierarchy_controller &#61; object&#40;&#123;&#10;      enable_hierarchical_resource_quota &#61; bool&#10;      enable_pod_tree_labels             &#61; bool&#10;    &#125;&#41;&#10;    policy_controller &#61; object&#40;&#123;&#10;      exemptable_namespaces      &#61; list&#40;string&#41;&#10;      log_denies_enabled         &#61; bool&#10;      referential_rules_enabled  &#61; bool&#10;      template_library_installed &#61; bool&#10;    &#125;&#41;&#10;    version &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  configmanagement &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
 
 ## Outputs
 

diff --git a/modules/gke-hub/main.tf b/modules/gke-hub/main.tf
@@ -55,9 +55,17 @@ resource "google_gke_hub_feature" "mcs" {
   location = "global"
 }
 
+resource "google_gke_hub_feature" "servicemesh" {
+  provider = google-beta
+  for_each = var.features.servicemesh ? { 1 = 1 } : {}
+  project  = var.project_id
+  name     = "servicemesh"
+  location = "global"
+}
+
 resource "google_gke_hub_feature_membership" "feature_member" {
   provider   = google-beta
-  for_each   = var.member_clusters
+  for_each   = var.features.configmanagement ? var.member_clusters : {}
   project    = var.project_id
   location   = "global"
   feature    = google_gke_hub_feature.configmanagement["1"].name

diff --git a/modules/gke-hub/variables.tf b/modules/gke-hub/variables.tf
@@ -20,11 +20,13 @@ variable "features" {
     configmanagement    = bool
     mc_ingress          = bool
     mc_servicediscovery = bool
+    servicemesh         = bool
   })
   default = {
     configmanagement    = true
     mc_ingress          = false
     mc_servicediscovery = false
+    servicemesh         = false
   }
   nullable = false
 }

diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
@@ -37,6 +37,7 @@ locals {
     containerregistry = "service-%s@containerregistry"
     dataflow          = "service-%s@dataflow-service-producer-prod"
     dataproc          = "service-%s@dataproc-accounts"
+    fleet             = "service-%s@gcp-sa-gkehub"
     gae-flex          = "service-%s@gae-api-prod"
     # TODO: deprecate gcf
     gcf                      = "service-%s@gcf-admin-robot"

diff --git a/tests/modules/gke_hub/fixture/main.tf b/tests/modules/gke_hub/fixture/main.tf
@@ -22,6 +22,7 @@ module "hub" {
     configmanagement    = true
     mc_ingress          = true
     mc_servicediscovery = true
+    servicemesh         = true
   }
   member_features = {
     configmanagement = {

diff --git a/tests/modules/gke_hub/test_plan.py b/tests/modules/gke_hub/test_plan.py
@@ -23,12 +23,13 @@ def resources(plan_runner):
 
 def test_resource_count(resources):
   "Test number of resources created."
-  assert len(resources) == 8
+  assert len(resources) == 9
   assert sorted(r['address'] for r in resources) == [
       'module.hub.google_gke_hub_feature.configmanagement["1"]',
       'module.hub.google_gke_hub_feature.mci["mycluster1"]',
       'module.hub.google_gke_hub_feature.mci["mycluster2"]',
       'module.hub.google_gke_hub_feature.mcs["1"]',
+      'module.hub.google_gke_hub_feature.servicemesh["1"]',
       'module.hub.google_gke_hub_feature_membership.feature_member["mycluster1"]',
       'module.hub.google_gke_hub_feature_membership.feature_member["mycluster2"]',
       'module.hub.google_gke_hub_membership.membership["mycluster1"]',