Using service account impersonation for terraform invoking this module

[yashbhutwala]

I have a use-case where I'm using shared Terraform Cloud Agents, and my TF Cloud workspace is isolated by using service account impersonation, i.e.: the GSA that terraform agent runs terraform by default does not have GKE Admin IAM. Problem is since this module uses the kubectl-wrapper module like this, which uses this gcloud command here, it uses the agent terraform IAM instead of the impersonating ones, hence not being able to create GKE. Is there any potential workarounds/idea for such setup?

[bharathkkb]

Hi @yashbhutwala
IIUC your agent GSA has the necessary permissions to impersonate an SA that has GKE Admin IAM? If that is the case, we could add a var in the kubectl-wrapper module to optionally add a --impersonate-service-account=${var.impersonate_sa} flag and that can then be exposed here. Related: #867 we were planning to remove this, but this usecase seems useful.

If you want a quick workaround if you are not interested in stub_domains and upstream_nameservers is to set skip_provisioners true.

[yashbhutwala]

Yes @bharathkkb you're right! A --impersonate-service-account=${var.impersonate_sa} flag in kubectl-wrapper module is what I need.

Unfortunately, I cannot use skip_provisioner because we do use the stub_domain functionality currently.