feat: workload-identity: Allow passing Google Service Account display_name and description (#1834)

kosta · web-flow · commit b387621c5423 · 2024-01-16T14:11:30.000-08:00
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
@@ -103,6 +103,8 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation.
 | annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no |
 | automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no |
 | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no |
+| gcp\_sa\_description | The Service Google service account desciption; if null, will be left out | `string` | `null` | no |
+| gcp\_sa\_display\_name | The Google service account display name; if null, a default string will be used | `string` | `null` | no |
 | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
   count = var.use_existing_gcp_sa ? 0 : 1
 
   account_id   = local.gcp_given_name
-  display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)
+  display_name = coalesce(var.gcp_sa_display_name, substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100))
+  description  = var.gcp_sa_description
   project      = var.project_id
 }
 
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
@@ -113,3 +113,27 @@ variable "additional_projects" {
   type        = map(list(string))
   default     = {}
 }
+
+variable "gcp_sa_display_name" {
+  description = "The Google service account display name; if null, a default string will be used"
+  type        = string
+  nullable    = true
+  default     = null
+
+  validation {
+    condition     = var.gcp_sa_display_name == null ? true : length(var.gcp_sa_display_name) <= 100
+    error_message = "The Google service account display name must be at most 100 characters"
+  }
+}
+
+variable "gcp_sa_description" {
+  description = "The Service Google service account desciption; if null, will be left out"
+  type        = string
+  nullable    = true
+  default     = null
+
+  validation {
+    condition     = var.gcp_sa_description == null ? true : length(var.gcp_sa_description) <= 256
+    error_message = "The Google service account description must be at most 256 characters"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {`
`43`	`43`	`count = var.use_existing_gcp_sa ? 0 : 1`
`44`	`44`
`45`	`45`	`account_id = local.gcp_given_name`
`46`		`- display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)`
	`46`	`+ display_name = coalesce(var.gcp_sa_display_name, substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100))`
	`47`	`+ description = var.gcp_sa_description`
`47`	`48`	`project = var.project_id`
`48`	`49`	`}`
`49`	`50`