While setting up our new GKE cluster we also needed to deploy our estafette-gke-preemptible-killer again, and it needed a small upgrade since we last touched it. One of the requirements of the upgrade is a dedicated Service Account. The README has good guidelines on how to set it up with the gcloud command-line tool, but we want everything codified in Terraform.
First we created a custom role that carries only the single permission the killer needs, compute.instances.delete:
resource "google_project_iam_custom_role" "estafette-preemptible-killer" {
role_id = "estafette_preemptible_killer"
title = "estafette_preemptible_killer"
description = "Delete compute instances"
permissions = ["compute.instances.delete"]
}
Next we set up the dedicated Service Account:
resource "google_service_account" "estafette-preemptible-killer" {
account_id = "estafette-preemptible-killer"
display_name = "Terraform-managed Service Account for Estafette GKE Preemptible killer"
}
And finally we need to bind this custom role to the Service Account
resource "google_project_iam_binding" "project" {
project = var.project
role = "projects/${var.project}/roles/${google_project_iam_custom_role.estafette-preemptible-killer.role_id}"
members = [
"serviceAccount:${google_service_account.estafette-preemptible-killer.email}",
]
}
One tip: when referencing a custom role you have to use its full resource name, so prefix it with projects/${var.project}/roles/, otherwise the apply fails. Predefined roles are referenced as roles/..., but custom roles live under the project. The google_project_iam_custom_role resource also exports that full name as its name attribute, so role = google_project_iam_custom_role.estafette-preemptible-killer.name avoids assembling the string by hand.
Also note that google_project_iam_binding is authoritative for the role it manages: on every apply Terraform makes the member list of that role exactly what is declared, removing anything added by hand. For a custom role that exists only for this Service Account that is what we want; for a shared role you would use google_project_iam_member instead, which only adds the one member and leaves the others alone.
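After terraform apply it is worth checking that the Service Account really ended up with nothing more than the custom role, and that the custom role still carries only compute.instances.delete. The script below is an added example, not code from the original post or from the estafette project: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe estafette_preemptible_killer --project PROJECT --format=json` produce and fails on any extra role or permission. The project id and Service Account e-mail are assumptions, and the embedded sample policy is constructed; it deliberately includes a stray roles/editor binding on the Service Account so the check visibly fails.

```python
"""Least-privilege check for the preemptible-killer Service Account.

Added example, not code from the original post or the estafette project.
Reads the JSON emitted by `gcloud projects get-iam-policy` and
`gcloud iam roles describe` and reports any role or permission beyond
the ones the Terraform config is supposed to grant.
"""
import json
import sys

# Assumed project id and Service Account e-mail; adjust to your project.
PROJECT = "my-project"
SA_EMAIL = f"estafette-preemptible-killer@{PROJECT}.iam.gserviceaccount.com"
MEMBER = f"serviceAccount:{SA_EMAIL}"
# Custom roles are referenced by their full name under the project.
CUSTOM_ROLE = f"projects/{PROJECT}/roles/estafette_preemptible_killer"
ALLOWED_ROLES = {CUSTOM_ROLE}
ALLOWED_PERMISSIONS = {"compute.instances.delete"}

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`.
# The roles/editor binding on the Service Account is deliberate drift that
# audit() must catch.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXXXXXXXXX=",
    "bindings": [
        {"role": CUSTOM_ROLE, "members": [MEMBER]},
        {"role": "roles/editor",
         "members": ["user:someone@example.com", MEMBER]},
    ],
}

# Constructed sample of `gcloud iam roles describe ROLE_ID --project PROJECT --format=json`.
SAMPLE_ROLE = {
    "name": CUSTOM_ROLE,
    "title": "estafette_preemptible_killer",
    "description": "Delete compute instances",
    "includedPermissions": ["compute.instances.delete"],
    "stage": "GA",
}


def roles_for_member(policy, member):
    """Every role the policy grants to `member`, conditional bindings included."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def unexpected_roles(policy, member, allowed_roles):
    """Roles granted to `member` that are not on the allow-list, sorted."""
    return sorted(roles_for_member(policy, member) - set(allowed_roles))


def unexpected_permissions(role, allowed_permissions):
    """Permissions in the custom role that are not on the allow-list, sorted."""
    return sorted(set(role.get("includedPermissions", [])) - set(allowed_permissions))


def audit(policy, role, member=MEMBER, allowed_roles=ALLOWED_ROLES,
          allowed_permissions=ALLOWED_PERMISSIONS):
    """Return human-readable findings; an empty list means the setup is least-privilege."""
    findings = []
    if not roles_for_member(policy, member):
        # A missing binding usually means the role was referenced without the
        # projects/PROJECT/roles/ prefix, or the binding was never applied.
        findings.append(f"{member} has no bindings at all (binding missing or wrong role name?)")
    for r in unexpected_roles(policy, member, allowed_roles):
        findings.append(f"{member} holds unexpected role {r}")
    for p in unexpected_permissions(role, allowed_permissions):
        findings.append(f"role {role.get('name')} grants unexpected permission {p}")
    return findings


def main(argv):
    # Usage: python audit_sa.py policy.json role.json; without files the samples run.
    if len(argv) == 3:
        with open(argv[1]) as f:
            policy = json.load(f)
        with open(argv[2]) as f:
            role = json.load(f)
    else:
        policy, role = SAMPLE_POLICY, SAMPLE_ROLE
    findings = audit(policy, role)
    for line in findings:
        print("FAIL:", line)
    if not findings:
        print("OK:", MEMBER, "holds only", ", ".join(sorted(ALLOWED_ROLES)))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI right after terraform apply with the two gcloud outputs saved to files; a non-zero exit means someone granted the Service Account something outside Terraform, or the custom role was widened. The "no bindings at all" finding is the symptom you get when the role name lacks the projects/PROJECT/roles/ prefix mentioned above.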