feat!: Create least privilege default service account (#1757)

Author: abhikaddy

autogen/main/sa.tf.tmpl

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

docs/upgrading_to_v29.0.md

@@ -0,0 +1,8 @@
+# Upgrading to v29.0
+The v29.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### Default cluster service account permissions modified
+
+When `create_service_account` is `true`, the service account will now be created with `Kubernetes Engine Node Service Account` role instead of `Logs Writer`, `Monitoring Metric Writer`, `Monitoring Viewer` and `Stackdriver Resource Metadata Writer` roles.
+This is the Google recommended least privileged role to be used for the service account attached to the GKE Nodes.

modules/beta-autopilot-private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-autopilot-public-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-private-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-public-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/beta-public-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/private-cluster-update-variant/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

modules/private-cluster/sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }
 

sa.tf

@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }
 
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
   count   = var.create_service_account ? 1 : 0
   project = google_service_account.cluster_service_account[0].project
-  role    = "roles/logging.logWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-log_writer[0].project
-  role    = "roles/monitoring.metricWriter"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
-  role    = "roles/monitoring.viewer"
-  member  = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
-  count   = var.create_service_account ? 1 : 0
-  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  role    = "roles/container.nodeServiceAccount"
   member  = google_service_account.cluster_service_account[0].member
 }