Merge pull request #11 from ops-guru/workload_identity

Add workload identity

application/main.tf

@@ -9,6 +9,8 @@ module "gke" {
   subnetwork = data.terraform_remote_state.infra-host-project.outputs.subnets_self_links[1]
   master_ipv4_cidr_block = "10.0.1.0/28"
   region = var.region
+  identity_namespace = "${data.terraform_remote_state.infra-service-project.outputs.project_id}.svc.id.goog"
+  node_metadata = "GKE_METADATA_SERVER"
   master_authorized_networks_config = [{
     cidr_blocks = [{
       cidr_block = data.terraform_remote_state.infra-host-project.outputs.subnets_ips[0]

modules/gke/variables.tf

@@ -249,7 +249,8 @@ variable "node_pools_oauth_scopes" {
   type        = map(any)
   default = {
     all = [
-      "https://www.googleapis.com/auth/cloud-platform"
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/service.management.readonly",
     ]
     microservices = []
   }

security/iam.tf

@@ -7,6 +7,9 @@ locals {
   gke_cluster = [
     "roles/storage.objectCreator",
     "roles/storage.objectViewer",
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter",
+    "roles/monitoring.viewer",
   ]
 }