Add GKE specific service account to fix monitoring

Duologic · Duologic · commit cbde727f0ec0 · 2019-09-18T14:02:51.000+02:00
diff --git a/gce-staging-1/main.tf b/gce-staging-1/main.tf
@@ -84,20 +84,21 @@ module "gce_worker_group" {
 }
 
 module "workers_1" {
-  source            = "../modules/gce_kubernetes"
-  project           = "${var.project}"
+  source = "../modules/gce_kubernetes"
+
   cluster_name      = "workers-1"
+  default_namespace = "${var.k8s_default_namespace}"
+  network           = "${data.terraform_remote_state.vpc.gce_network_main}"
   pool_name         = "default"
+  project           = "${var.project}"
   region            = "us-central1"
-  network           = "${data.terraform_remote_state.vpc.gce_network_main}"
   subnetwork        = "${data.terraform_remote_state.vpc.gce_subnetwork_gke_cluster}"
-  default_namespace = "${var.k8s_default_namespace}"
 
-  machine_type       = "c2-standard-4"
-  max_node_count     = 10
-  min_master_version = "1.14"
   node_locations     = ["us-central1-b", "us-central1-c"]
   node_pool_tags     = ["gce-workers"]
+  max_node_count     = 10
+  machine_type       = "c2-standard-4"
+  min_master_version = "1.14"
 }
 
 output "workers_service_account_emails" {
diff --git a/modules/gce_kubernetes/cluster.tf b/modules/gce_kubernetes/cluster.tf
@@ -44,15 +44,20 @@ resource "google_container_node_pool" "node_pool" {
   initial_node_count = 1
 
   node_config {
-    machine_type = "${var.machine_type}"
-    tags         = "${var.node_pool_tags}"
+    machine_type    = "${var.machine_type}"
+    tags            = "${var.node_pool_tags}"
+    service_account = "${google_service_account.cluster_service_account.email}"
 
     oauth_scopes = [
       "https://www.googleapis.com/auth/compute",
       "https://www.googleapis.com/auth/devstorage.read_only",
       "https://www.googleapis.com/auth/logging.write",
       "https://www.googleapis.com/auth/monitoring",
     ]
+
+    metadata = {
+      disable-legacy-endpoints = "true"
+    }
   }
 
   management {
diff --git a/modules/gce_kubernetes/service_accounts.tf b/modules/gce_kubernetes/service_accounts.tf
@@ -0,0 +1,29 @@
+resource "google_service_account" "cluster_service_account" {
+  project      = "${var.project}"
+  account_id   = "tf-gke-${var.cluster_name}"
+  display_name = "Terraform-managed service account for cluster ${var.cluster_name}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
+  project = "${var.project}"
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  project = "${var.project}"
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+  project = "${var.project}"
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+  project = "${var.project}"
+  role    = "roles/storage.objectViewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
