GKE Autopilot - create cluster with custom service account

Hello,
I’m trying to create an Autopilot GKE cluster using Terraform, and I’m specifying a custom Service Account to use for the cluster. See the code snippet below.

However, when I run terraform apply TF still creates the cluster using the default Compute Engine Service Account.

Can someone share a TF code sample that creates the cluster based on a specified SA?

I read the below solved issue but there are no follow-ups on a successful TF sample code
GKE autopilot is always created with default service account · Issue #8918 · hashicorp/terraform-provider-google · GitHub so I’m not sure what it should look like in the end.

Thank you,
Cristina

resource "google_container_cluster" "cluster" {
  #  depends_on  = [module.project-cfg]
  provider    = google-beta
  project     = var.project_id
  name        = var.name
  location    = var.location
  description = var.description

  enable_autopilot        = true
  enable_kubernetes_alpha = false
  enable_legacy_abac      = false
  logging_service         = "logging.googleapis.com/kubernetes"
  monitoring_service      = "monitoring.googleapis.com/kubernetes"
  network                 = "projects/${var.on_prem_host_project_name}/global/networks/on-prem-connectivity"
  subnetwork              = "projects/${var.on_prem_host_project_name}/regions/${var.gke_region}/subnetworks/${var.gke_subnetwork}"

  addons_config {
    horizontal_pod_autoscaling {
      disabled = false
    }
    http_load_balancing {
      disabled = false
    }
  }
  vertical_pod_autoscaling {
    enabled = true
  }
  ip_allocation_policy {
    cluster_secondary_range_name  = "gke-pods"
    services_secondary_range_name = "gke-services"
  }
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = local.my_ip
      display_name = "current address"
    }
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "xxx"
  }

  release_channel {
    channel = "REGULAR"
  }

  default_snat_status {
    disabled = false
  }

  cost_management_config {
    enabled = true
  }

  node_config {
    service_account = var.gke_service_account

    labels = {
      env         = var.env_label
    }
  }
}

Hi @cristina.tabacaru - I see the same error for me. I am using hashicorp/google-beta v. 4.70.0 provider… I took a look at the issues you mentioned. I found another issue here: GKE autopilot is always created with default service account II · Issue #9505 · hashicorp/terraform-provider-google · GitHub

I will let you know if I get a workaround.

Hey, so apparently the node_config.service_account does not work for GKE autopilot clusters. For me, what worked is the following:

resource "google_service_account" "autopilot" {
  account_id   = "autopilot"
  project      = var.project
  display_name = "Autopilot Service Account"
}
resource "google_container_cluster" "autopilot" {
  name = "autopilot-cluster"
  enable_autopilot = true
  [...]
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = resource.google_service_account.autopilot.email
      oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    }
  }
}

In other words I used the cluster_autoscaling.auto_provisioning_defaults.service_account field and declared the custom SA there.

Make sure that you first destroy your GKE cluster and then try to run Terraform again to create it again. You do not want to modify an existing cluster as you’ll get this error: Cannot update a default service account  |  Google Cloud

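The approach in the reply above, put together as a complete configuration (added example, not code from the thread or from the provider's docs): a dedicated node service account with only the roles Google documents as the minimum for GKE nodes, bound before the cluster is created, and passed through cluster_autoscaling.auto_provisioning_defaults. The project id, region, account id and cluster name are placeholders.

```hcl
# Added example, not the poster's code. Project id, region and names are
# placeholders; the roles are the documented minimum for GKE node identities
# (ship logs and metrics, pull images), instead of the default Compute Engine SA.
variable "project_id" {
  type = string
}

resource "google_service_account" "gke_nodes" {
  project      = var.project_id
  account_id   = "gke-autopilot-nodes"
  display_name = "GKE Autopilot node service account"
}

# Least-privilege bindings for the node identity.
resource "google_project_iam_member" "gke_nodes" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "autopilot" {
  project          = var.project_id
  name             = "autopilot-cluster"
  location         = "europe-west1" # placeholder region
  enable_autopilot = true

  # For Autopilot the node identity is set here; node_config.service_account
  # is ignored. Changing this field later is rejected, so set it at creation.
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.gke_nodes.email
      oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    }
  }

  # Bind the roles first, otherwise the first nodes cannot pull images or log.
  depends_on = [google_project_iam_member.gke_nodes]
}
```

After apply, confirm the identity actually took with `gcloud container clusters describe autopilot-cluster --region europe-west1 --format='value(autoscaling.autoprovisioningNodePoolDefaults.serviceAccount)'`, which should print the new account's email rather than the default Compute Engine SA.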

This is the PR that mentions that field: Allow passing node service_account when autopilot enabled by JeremyOT · Pull Request #6733 · GoogleCloudPlatform/magic-modules · GitHub