Merge pull request #1 from castai/feat/gke_provider_CORE-2251

feat: gke iam  castai module

.gitignore

@@ -0,0 +1 @@
+terraform.d

Makefile

@@ -0,0 +1,2 @@
+generate-doc:
+	terraform-docs markdown table --output-file README.md --output-mode inject .

README.md

@@ -0,0 +1,73 @@
+<a href="https://cast.ai">
+    <img src="https://cast.ai/wp-content/themes/cast/img/cast-logo-dark-blue.svg" align="right" height="100" />
+</a>
+
+Terraform module for creating GCP IAM resources required to connect GKE with CAST AI.
+==================
+
+
+Website: https://www.cast.ai
+
+Requirements
+------------
+
+- [Terraform](https://www.terraform.io/downloads.html) 0.13+
+
+Using the module
+------------
+
+
+```hcl
+module "castai_gke_iam" {
+  source = "castai/gke-iam/castai"
+  
+  project_id = var.project_id
+  gke_cluster_name = var.cluster_name
+
+}
+```
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_castai"></a> [castai](#requirement\_castai) | >= 0.16.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 2.49 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_castai"></a> [castai](#provider\_castai) | >= 0.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | >= 2.49 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_project_iam_binding.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource |
+| [google_project_iam_custom_role.castai_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
+| [google_service_account.castai_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_key.castai_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
+| [castai_gke_user_policies.gke](https://registry.terraform.io/providers/castai/castai/latest/docs/data-sources/gke_user_policies) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_gke_cluster_name"></a> [gke\_cluster\_name](#input\_gke\_cluster\_name) | GKE cluster name for which create IAM roles | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project id from GCP | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_private_key"></a> [private\_key](#output\_private\_key) | n/a |
+<!-- END_TF_DOCS -->

main.tf

@@ -0,0 +1,42 @@
+## IAM user required for CAST.AI
+
+locals {
+  service_account_id    = "castai-gke-tf-${substr(sha1(var.gke_cluster_name),0,8)}"
+  service_account_email = "${local.service_account_id}@${var.project_id}.iam.gserviceaccount.com"
+  custom_role_id        = "castai.gkeAccess.${substr(sha1(var.gke_cluster_name),0,8)}.tf"
+}
+
+resource "google_service_account" "castai_service_account" {
+  account_id   = local.service_account_id
+  display_name = "Service account to manage ${var.gke_cluster_name} cluster via CAST"
+  project      = var.project_id
+}
+
+data "castai_gke_user_policies" "gke" {}
+
+resource "google_project_iam_custom_role" "castai_role" {
+  role_id     = local.custom_role_id
+  title       = "Role to manage GKE cluster via CAST AI"
+  description = "Role to manage GKE cluster via CAST AI"
+  permissions = toset(data.castai_gke_user_policies.gke.policy)
+  project     = var.project_id
+  stage       = "GA"
+}
+
+resource "google_project_iam_binding" "project" {
+  for_each = toset([
+    "roles/container.developer",
+    "roles/iam.serviceAccountUser",
+    "projects/${var.project_id}/roles/${local.custom_role_id}"
+  ])
+
+  project = var.project_id
+  role    = each.key
+  members = ["serviceAccount:${local.service_account_email}"]
+}
+
+resource "google_service_account_key" "castai_key" {
+  service_account_id = google_service_account.castai_service_account.name
+  public_key_type    = "TYPE_X509_PEM_FILE"
+}
+

output.tf

@@ -0,0 +1,11 @@
+output "private_key" {
+  value = base64decode(google_service_account_key.castai_key.private_key)
+  sensitive = true
+
+  depends_on = [
+    # Wait for binding and custom role creation
+    # so Service Account will have proper permissions level
+    google_project_iam_binding.project,
+    google_project_iam_custom_role.castai_role
+  ]
+}

variables.tf

@@ -0,0 +1,10 @@
+variable "project_id" {
+  type        = string
+  description = "The project id from GCP"
+}
+
+variable "gke_cluster_name" {
+  type = string
+  description = "GKE cluster name for which to create IAM roles"
+}
+

version.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 2.49"
+    }
+    castai = {
+      source  = "castai/castai"
+      version = ">= 0.16.0"
+    }
+  }
+}