capi-sa.tf
#
# Service account whose credentials are handed to enterprise/clusterctl
# for basic CAPI operations against this project.
#
resource "google_service_account" "enterprise-capi" {
  # account_id is capped at 30 characters, hence the terse prefix.
  account_id   = "ent-capi-${local.name}"
  display_name = "Used by enterprise for CAPI ops in ${local.name}. Managed by terraform."
  project      = var.project_id
}
# Project-level binding for the CAPI service account. Non-authoritative
# (iam_member), so it only adds this one member to the role.
resource "google_project_iam_member" "enterprise-capi-role" {
  project = var.project_id
  member  = "serviceAccount:${google_service_account.enterprise-capi.email}"
  # Read-only for now; widen once the required CAPI operations are known.
  role = "roles/container.clusterViewer"
}
# User-managed key for the CAPI service account. Its private_key attribute
# is read below to write the creds file, so the key material is recorded
# in the terraform state; treat the state as a secret.
resource "google_service_account_key" "enterprise-capi" {
  service_account_id = google_service_account.enterprise-capi.name
}
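# Writes the service-account key to disk for enterprise/clusterctl to pick up.
#
# private_key on google_service_account_key is the JSON key base64-encoded, so
# it is decoded here to produce a real .json credentials file. The file holds
# a long-lived secret: it is written with owner-only permissions, and the
# sa-keys/ directory should stay out of version control. local_sensitive_file
# is a drop-in alternative that also redacts the content from plan/apply output.
resource "local_file" "enterprise-capi-creds" {
  content         = base64decode(google_service_account_key.enterprise-capi.private_key)
  filename        = "${path.module}/sa-keys/enterprise-capi-${terraform.workspace}.json"
  file_permission = "0600"
}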