diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf
index d6f6c4bb93..20653fc699 100644
--- a/examples/workload_identity/main.tf
+++ b/examples/workload_identity/main.tf
@@ -67,13 +67,10 @@ module "workload_identity" { } # example with existing KSA -resource "kubernetes_service_account" "test" { +resource "kubernetes_service_account_v1" "test" { metadata { name = "foo-ksa" } - secret { - name = "bar" - } } module "workload_identity_existing_ksa" {
@@ -86,7 +83,7 @@ module "workload_identity_existing_ksa" { location = module.gke.location namespace = "default" use_existing_k8s_sa = true - k8s_sa_name = kubernetes_service_account.test.metadata[0].name + k8s_sa_name = kubernetes_service_account_v1.test.metadata[0].name } # example with existing GSA
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 43dcbc8786..7c35f28444 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -73,7 +73,7 @@ module "my-app-workload-identity" { An existing Kubernetes service account can optionally be used. ```hcl -resource "kubernetes_service_account" "preexisting" { +resource "kubernetes_service_account_v1" "preexisting" { metadata { name = "preexisting-sa" namespace = "prod"
@@ -85,8 +85,8 @@ module "my-app-workload-identity" { use_existing_k8s_sa = true cluster_name = "my-k8s-cluster-name" location = "my-k8s-cluster-location" - name = kubernetes_service_account.preexisting.metadata[0].name - namespace = kubernetes_service_account.preexisting.metadata[0].namespace + name = kubernetes_service_account_v1.preexisting.metadata[0].name + namespace = kubernetes_service_account_v1.preexisting.metadata[0].namespace project_id = var.project_id } ``` 
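Review bot: The rewritten `kubernetes_service_account_v1 "test"` example still leaves `automount_service_account_token` at the provider default (true), although a KSA used only for Workload Identity does not, to my understanding, need its Kubernetes token projected into the pod — the GKE metadata server resolves the pod's identity itself, so the mounted token only widens what a compromised container can reach on the Kubernetes API. Since this example is what users copy for the existing-KSA path, it should model the least-privilege shape: `automount_service_account_token = false` next to `metadata`, with a comment that only workloads which also call the Kubernetes API need it enabled. Pinning `namespace = "default"` inside `metadata` would also make the pairing with the module call's `namespace = "default"` explicit instead of relying on the provider default. These remarks apply to the first hunk of the example file; the README hunks on this line are documentation only.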
@@ -134,9 +134,9 @@ This approach is required when managing multiple clusters. Omitting this step ca ```shell Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-service-account": dial tcp [::1]:80: connect: connection refused │ -│ with module.your_workload_identity.kubernetes_service_account.main[0], -│ on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 50, in resource "kubernetes_service_account" "main": -│ 50: resource "kubernetes_service_account" "main" { +│ with module.your_workload_identity.kubernetes_service_account_v1.main[0], +│ on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 57, in resource "kubernetes_service_account_v1" "main": +│ 57: resource "kubernetes_service_account_v1" "main" { ```
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 30640dbb60..90f9bcc79f 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -23,8 +23,8 @@ locals { # This will cause Terraform to block returning outputs until the service account is created k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name - output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name - output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace + output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account_v1.main[0].metadata[0].name + output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account_v1.main[0].metadata[0].namespace k8s_sa_project_id = var.k8s_sa_project_id != null ? var.k8s_sa_project_id : var.project_id k8s_sa_gcp_derived_name = "serviceAccount:${local.k8s_sa_project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]" 
@@ -49,7 +49,12 @@ resource "google_service_account" "cluster_service_account" { create_ignore_already_exists = var.gcp_sa_create_ignore_already_exists } -resource "kubernetes_service_account" "main" { +moved { + from = kubernetes_service_account.main + to = kubernetes_service_account_v1.main +} + +resource "kubernetes_service_account_v1" "main" { count = var.use_existing_k8s_sa ? 0 : 1 automount_service_account_token = var.automount_service_account_token
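Review bot: The new `moved` block has no comment saying why it exists or what it requires, and `moved` is only understood by Terraform 1.1 and later — on an older CLI it is a parse error, not a no-op. Unless the module's `versions.tf` (not in this diff) already pins `required_version = ">= 1.1"`, this hunk silently raises the minimum Terraform version; bump it in the same change and note it in the release notes, because a failed plan on upgrade is how this will otherwise surface. A short comment above the block would save the next maintainer a state dig: `# State migration from the deprecated un-versioned resource type: keeps existing KSAs from being destroyed and recreated on upgrade (requires Terraform >= 1.1).` The body of `kubernetes_service_account_v1.main` continues past the end of the hunk, so the remaining attributes were not reviewed here.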