feat(google/velero): use workload identity module

Signed-off-by: Kevin Lefevre <[email protected]>
particuleio · Dec 21, 2024 · ccc0d57 · ccc0d57
1 parent 6525024
commit ccc0d57
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 36 deletions.
diff --git a/modules/google/README.md b/modules/google/README.md
@@ -60,6 +60,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | <a name="module_iam_assumable_sa_thanos-receive-sg"></a> [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
 | <a name="module_iam_assumable_sa_thanos-sg"></a> [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
 | <a name="module_iam_assumable_sa_thanos-storegateway"></a> [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| <a name="module_iam_assumable_sa_velero"></a> [iam\_assumable\_sa\_velero](#module\_iam\_assumable\_sa\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
 | <a name="module_kube-prometheus-stack_grafana-iam-member"></a> [kube-prometheus-stack\_grafana-iam-member](#module\_kube-prometheus-stack\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 8.0 |
 | <a name="module_kube-prometheus-stack_kube-prometheus-stack_bucket"></a> [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
 | <a name="module_kube-prometheus-stack_thanos_kms_bucket"></a> [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
@@ -84,8 +85,6 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
 | [google_project_iam_custom_role.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_member.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
-| [google_service_account.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_policy.admin-account-iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_policy) | resource |
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
@@ -104,6 +103,8 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.velero_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
+| [google_storage_bucket_iam_member.velero_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -250,7 +251,6 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 | [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
 | [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
-| [google_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy) | data source |
 | [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |

diff --git a/modules/google/velero.tf b/modules/google/velero.tf
@@ -7,10 +7,9 @@ locals {
       repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
       chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
       namespace               = "velero"
-      service_account_name    = "velero"
+      service_account_name    = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
       enabled                 = false
-      create_iam_account      = true
-      iam_account_name        = "gke-${substr(var.cluster-name, 0, 18)}-velero"
+      create_iam_resources    = true
       create_bucket           = true
       bucket                  = "${var.cluster-name}-velero"
       bucket_location         = "eu"
@@ -39,7 +38,7 @@ configuration:
       bucket: ${local.velero["bucket"]}
       default: true
       config:
-        serviceAccount: ${local.velero["create_iam_account"] ? google_service_account.velero[0].email : "@@SETTHIS@@"}
+        serviceAccount: ${local.velero.create_iam_resources && local.velero.enabled ? module.iam_assumable_sa_velero[0].gcp_service_account_email : "@@SETTHIS@@"}
   volumeSnapshotLocation:
     - name: gcp
       provider: velero.io/gcp
@@ -49,7 +48,7 @@ serviceAccount:
     name: ${local.velero["service_account_name"]}
     create: true
     annotations:
-       ${local.velero["enabled"] && local.velero["create_iam_account"] ? "iam.gke.io/gcp-service-account: ${google_service_account.velero[0].email}" : ""}
+       ${local.velero["enabled"] && local.velero["create_iam_resources"] ? "iam.gke.io/gcp-service-account: ${module.iam_assumable_sa_velero[0].gcp_service_account_email}" : ""}
 priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 credentials:
   useSecret: false
@@ -66,7 +65,7 @@ VALUES
 
 resource "google_project_iam_custom_role" "velero" {
   count       = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
-  role_id     = replace(local.velero["iam_account_name"], "-", "_")
+  role_id     = replace(local.velero["service_account_name"], "-", "_")
   title       = "${var.cluster-name} - velero"
   description = "IAM role used by velero on ${var.cluster-name} to perform backup operations"
   permissions = [
@@ -89,35 +88,24 @@ resource "google_project_iam_custom_role" "velero" {
   ]
 }
 
-resource "google_service_account" "velero" {
-  count        = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
-  account_id   = local.velero["iam_account_name"]
-  display_name = "Velero on GKE ${var.cluster-name}"
-  description  = "Service account for Velero on GKE cluster ${var.cluster-name}"
-}
-
 resource "google_project_iam_member" "velero" {
   count   = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
   project = data.google_project.current.project_id
   role    = google_project_iam_custom_role.velero[0].id
-  member  = google_service_account.velero[0].member
+  member  = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
 }
 
-data "google_iam_policy" "velero" {
-  binding {
-    role = "roles/iam.workloadIdentityUser"
-
-    members = [
-      "serviceAccount:${data.google_project.current.project_id}.svc.id.goog[${local.velero["namespace"]}/${local.velero["service_account_name"]}]",
-    ]
-  }
+module "iam_assumable_sa_velero" {
+  count               = local.velero["enabled"] && local.velero.create_iam_resources ? 1 : 0
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version             = "~> 35.0"
+  namespace           = local.velero["namespace"]
+  project_id          = var.project_id
+  name                = local.velero.service_account_name
+  use_existing_k8s_sa = true
+  annotate_k8s_sa     = false
 }
 
-resource "google_service_account_iam_policy" "admin-account-iam" {
-  count              = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
-  service_account_id = google_service_account.velero[0].name
-  policy_data        = data.google_iam_policy.velero.policy_data
-}
 
 module "velero_bucket" {
   count  = (local.velero["enabled"] && local.velero["create_bucket"]) ? 1 : 0
@@ -130,14 +118,26 @@ module "velero_bucket" {
   location   = local.velero["bucket_location"]
 
   force_destroy = local.velero["bucket_force_destroy"]
+}
 
-  iam_members = [
-    {
-      role   = "roles/storage.objectUser"
-      member = "serviceAccount:${local.velero["iam_account_name"]}@${data.google_project.current.project_id}.iam.gserviceaccount.com" # This should be google_service_account.velero[0].member, but it's included in a loop so we have to determine it before apply
-    }
+resource "google_storage_bucket_iam_member" "velero_gcs_iam_objectUser_permissions" {
+  count  = local.velero["enabled"] ? 1 : 0
+  bucket = local.velero["bucket"]
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
+  depends_on = [
+    module.velero_bucket
+  ]
+}
+
+resource "google_storage_bucket_iam_member" "velero_gcs_iam_objectViewer_permissions" {
+  count  = local.velero["enabled"] ? 1 : 0
+  bucket = local.velero["bucket"]
+  role   = "roles/storage.objectViewer"
+  member = "serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}"
+  depends_on = [
+    module.velero_bucket
   ]
-  depends_on = [google_service_account.velero]
 }
 
 resource "kubernetes_namespace" "velero" {