Hi,
I am trying to deploy a K8s cluster on GCP using the Terraform code below and am able to do that successfully.
But even though I have service_account = "sa-gke-xxxxxx@yyyyyyyyy.iam.gserviceaccount.com" [which has the roles Kubernetes Engine Admin, Logs Writer & Monitoring Admin],
Terraform is creating an SA by itself with a randomly generated name, which has the roles below.
role: "" => "roles/logging.logWriter"
role: "" => "roles/monitoring.metricWriter"
role: "" => "roles/monitoring.viewer"
Can anyone please help me understand:
=> Why is this auto-generated Terraform SA account being created?
=> What is the purpose of this auto-generated Terraform SA account?
=> What is the way to stop Terraform from doing that?
=> If I want to merge this Terraform-generated SA account with the self-provided SA,
what additional roles need to be given to sa-gke-xxxxxx@yyyyyyyyy.iam.gserviceaccount.com?
==> As per my understanding, sa-gke-xxxxxx@yyyyyyyyy.iam.gserviceaccount.com will be an administrative account for "souvik-node-pool",
but can anyone please clarify exactly which roles this SA account needs and what activity it will perform?
===================================================
module "m-souvik-custom-gke" {
  source  = "terraform-google-modules/kubernetes-engine/google"
  version = "3.0.0" # Version is pinned as we are using Terraform 0.11

  project_id        = "<>"
  name              = "n-souvik-gke"
  region            = "asia-south1"
  zones             = ["asia-south1-a", "asia-south1-b", "asia-south1-c"]
  network           = "default"
  subnetwork        = "default"
  ip_range_pods     = ""
  ip_range_services = ""

  http_load_balancing        = false
  horizontal_pod_autoscaling = true
  kubernetes_dashboard       = true
  network_policy             = false
  remove_default_node_pool   = true # do not keep the default pool that GKE creates

  node_pools = [
    {
      name               = "souvik-node-pool"
      machine_type       = "f1-micro"
      min_count          = 1
      max_count          = 3
      disk_size_gb       = 10
      disk_type          = "pd-standard"
      image_type         = "COS"
      auto_repair        = true
      auto_upgrade       = true
      service_account    = "sa-gke-xxxxxx@yyyyyyyyy.iam.gserviceaccount.com"
      preemptible        = false
      initial_node_count = 1
    },
  ]

  node_pools_oauth_scopes = {
    all = []

    souvik-node-pool = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }

  node_pools_labels = {
    all = {}

    souvik-node-pool = {
      souvik-node-pool = true
    }
  }

  node_pools_metadata = {
    all = {}

    souvik-node-pool = {
      node-pool-metadata-custom-value = "my-node-pool"
    }
  }

  node_pools_taints = {
    all = []

    souvik-node-pool = [
      {
        key    = "souvik-node-pool"
        value  = true
        effect = "PREFER_NO_SCHEDULE"
      },
    ]
  }

  node_pools_tags = {
    all = []

    souvik-node-pool = [
      "souvik-node-pool",
    ]
  }
}
================
module.m-souvik-custom-ke.google_service_account.cluster_service_account: Creating...
  account_id:   "" => "tf-gke-n-souvik-gke-tc8g"
  display_name: "" => "Terraform-managed service account for cluster n-souvik-gke"
  email:        "" => "<computed>"
  name:         "" => "<computed>"
  project:      "" => "<>"
  unique_id:    "" => "<computed>"
module.m-souvik-custom-gke.google_service_account.cluster_service_account: Creation complete after 5s (ID: projects/<>/****.iam.gserviceaccount.com)
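The configuration below is an added example, not the poster's code or the module's own documentation: it shows how to stop the module from minting its own "tf-gke-<name>-xxxx" account and instead bind the three roles listed in the plan output (roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer) to the caller-supplied account. It assumes the module's `create_service_account` and module-level `service_account` inputs (check the README of the pinned module version), and reuses the post's placeholder project id "<>" and SA e-mail.

```hcl
# Added example (not from the original post). Terraform 0.11 syntax.
variable "node_sa_email" {
  # placeholder e-mail taken from the post
  default = "sa-gke-xxxxxx@yyyyyyyyy.iam.gserviceaccount.com"
}

locals {
  # Exactly the roles the module grants its generated SA; a node SA needs
  # nothing broader than these to ship logs and metrics.
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ]
}

module "m-souvik-custom-gke" {
  source  = "terraform-google-modules/kubernetes-engine/google"
  version = "3.0.0"

  project_id        = "<>"
  name              = "n-souvik-gke"
  region            = "asia-south1"
  network           = "default"
  subnetwork        = "default"
  ip_range_pods     = ""
  ip_range_services = ""

  # Bring your own node identity: the module creates no service account
  # and every pool without its own service_account falls back to this one.
  create_service_account = false
  service_account        = "${var.node_sa_email}"

  remove_default_node_pool = true

  node_pools = [
    {
      name         = "souvik-node-pool"
      machine_type = "f1-micro"
      min_count    = 1
      max_count    = 3
    },
  ]
}

# Grant the supplied SA the same three roles the module would have granted.
resource "google_project_iam_member" "node_sa_roles" {
  count   = "${length(local.node_sa_roles)}"
  project = "<>"
  role    = "${element(local.node_sa_roles, count.index)}"
  member  = "serviceAccount:${var.node_sa_email}"
}
```

With `create_service_account = false` the plan no longer contains `google_service_account.cluster_service_account`, which is the quickest way to confirm the change took effect. The Kubernetes Engine Admin role on the node identity is not required for the nodes themselves and grants far more than the three roles above.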