diff --git a/terraform/README.md b/terraform/README.md
index 33cf9ad..88ce08b 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -148,10 +148,6 @@ terraform apply -var-file=envs/gke/dev-.tfvars \
 After applying with `enable_pubsub=true`, you'll get these outputs:
 ```bash
-# Get service account emails for Helm values
-terraform output sentinel_service_account_email
-terraform output adapter_service_account_email
-
 # Get topic/subscription names
 terraform output topic_name
 terraform output subscription_name
@@ -168,20 +164,6 @@ Get the complete Helm values snippet (includes broker config and Workload Identi
 terraform output helm_values_snippet
 ```
-Or manually add the Workload Identity annotations:
-
-```yaml
-sentinel:
- serviceAccount:
- annotations:
- iam.gke.io/gcp-service-account:
-
-hyperfleet-adapter:
- serviceAccount:
- annotations:
- iam.gke.io/gcp-service-account:
-```
-
 ## Directory Structure
 ```
diff --git a/terraform/main.tf b/terraform/main.tf
index 9454f0d..fa82239 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -53,15 +53,13 @@ module "pubsub" {
 source = "./modules/pubsub"
 count = var.enable_pubsub ? 1 : 0
- project_id = var.gcp_project_id
- namespace = var.kubernetes_namespace
- resource_type = "clusters"
+ project_id = var.gcp_project_id
+ namespace = var.developer_name
+ resource_type = "clusters"
 # Service account names
- sentinel_sa_name = "hyperfleet-sentinel-${var.developer_name}"
- adapter_sa_name = "hyperfleet-adapter-${var.developer_name}"
 sentinel_k8s_sa_name = "sentinel"
- adapter_k8s_sa_name = "hyperfleet-adapter"
+ adapter_k8s_sa_name = "adapter"
 # Dead letter queue
 enable_dead_letter = var.enable_dead_letter
diff --git a/terraform/modules/pubsub/main.tf b/terraform/modules/pubsub/main.tf
index 9841b70..49a7638 100644
--- a/terraform/modules/pubsub/main.tf
+++ b/terraform/modules/pubsub/main.tf
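Review bot: `namespace = var.developer_name` makes the developer name double as the Kubernetes namespace in the Workload Identity subject and as the topic prefix, but the `kubernetes_namespace` variable removed in variables.tf carried the only visible non-empty validation; `developer_name` is declared outside this diff, so confirm it is validated as a DNS label (lowercase alphanumerics and `-`, at most 63 characters), otherwise a bad value surfaces only as an IAM binding that matches no namespace. The rename `adapter_k8s_sa_name = "adapter"` has to equal the serviceAccount name the adapter Helm chart actually creates; if the chart still creates `hyperfleet-adapter`, the subscriber binding is granted to a KSA that does not exist and the adapter fails closed with permission-denied pull errors. A comment such as `# Must equal serviceAccount.name in each chart's values: the IAM binding is keyed on ns/<namespace>/sa/<name>` above the service account names would make that coupling explicit. The `module "pubsub"` block starts outside the hunk.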
@@ -1,6 +1,6 @@
 locals {
 topic_name = var.topic_name != "" ? var.topic_name : "${var.namespace}-${var.resource_type}"
- subscription_name = var.subscription_name != "" ? var.subscription_name : "${var.namespace}-adapter"
+ subscription_name = var.subscription_name != "" ? var.subscription_name : "${local.topic_name}-sub"
 dlq_topic_name = "${local.topic_name}-dlq"
 common_labels = merge(var.labels, {
diff --git a/terraform/modules/pubsub/outputs.tf b/terraform/modules/pubsub/outputs.tf
index 0323135..1d4bb89 100644
--- a/terraform/modules/pubsub/outputs.tf
+++ b/terraform/modules/pubsub/outputs.tf
@@ -29,19 +29,6 @@ output "subscription_id" {
 value = google_pubsub_subscription.adapter.id
 }
-# =============================================================================
-# Service Account Outputs
-# =============================================================================
-output "sentinel_service_account_email" {
- description = "Email of the Sentinel GCP service account"
- value = google_service_account.sentinel.email
-}
-
-output "adapter_service_account_email" {
- description = "Email of the Adapter GCP service account"
- value = google_service_account.adapter.email
-}
-
 # =============================================================================
 # Helm Values Snippet
 # =============================================================================
@@ -52,9 +39,6 @@ output "helm_values_snippet" {
 # For Sentinel:
 sentinel:
- serviceAccount:
- annotations:
- iam.gke.io/gcp-service-account: ${google_service_account.sentinel.email}
 broker:
 type: googlepubsub
 topic: ${google_pubsub_topic.events.name}
@@ -64,9 +48,6 @@ output "helm_values_snippet" {
 # For Adapter:
 hyperfleet-adapter:
- serviceAccount:
- annotations:
- iam.gke.io/gcp-service-account: ${google_service_account.adapter.email}
 broker:
 type: googlepubsub
 subscriptionId: ${google_pubsub_subscription.adapter.name}
diff --git a/terraform/modules/pubsub/service_accounts.tf b/terraform/modules/pubsub/service_accounts.tf
index 0a18b69..72e58f4 100644
--- a/terraform/modules/pubsub/service_accounts.tf
+++ b/terraform/modules/pubsub/service_accounts.tf
@@ -1,44 +1,26 @@
 # =============================================================================
 # Sentinel Service Account (Publisher)
 # =============================================================================
-resource "google_service_account" "sentinel" {
- account_id = var.sentinel_sa_name
- display_name = "HyperFleet Sentinel"
- description = "Service account for HyperFleet Sentinel to publish events to Pub/Sub"
- project = var.project_id
-}
-# Grant Sentinel permission to publish to the events topic
-resource "google_pubsub_topic_iam_member" "sentinel_publisher" {
- topic = google_pubsub_topic.events.name
- role = "roles/pubsub.publisher"
- member = "serviceAccount:${google_service_account.sentinel.email}"
- project = var.project_id
+
+resource "google_pubsub_topic_iam_member" "sentinel_publisher_wif" {
+ topic = google_pubsub_topic.events.name
+ role = "roles/pubsub.publisher"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.current.number}/locations/global/workloadIdentityPools/${var.project_id}.svc.id.goog/subject/ns/${var.namespace}/sa/${var.sentinel_k8s_sa_name}"
+ project = var.project_id
 }
 # Workload Identity binding for Sentinel
-# Allows the Kubernetes service account to impersonate the GCP service account
-resource "google_service_account_iam_member" "sentinel_workload_identity" {
- service_account_id = google_service_account.sentinel.name
- role = "roles/iam.workloadIdentityUser"
- member = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.sentinel_k8s_sa_name}]"
-}
 # =============================================================================
 # Adapter Service Account (Subscriber)
 # =============================================================================
-resource "google_service_account" "adapter" {
- account_id = var.adapter_sa_name
- display_name = "HyperFleet Adapter"
- description = "Service account for HyperFleet Adapter to consume events from Pub/Sub"
- project = var.project_id
-}
 #
Grant Adapter permission to subscribe to the adapter subscription
 resource "google_pubsub_subscription_iam_member" "adapter_subscriber" {
 subscription = google_pubsub_subscription.adapter.name
 role = "roles/pubsub.subscriber"
- member = "serviceAccount:${google_service_account.adapter.email}"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.current.number}/locations/global/workloadIdentityPools/${var.project_id}.svc.id.goog/subject/ns/${var.namespace}/sa/${var.adapter_k8s_sa_name}"
 project = var.project_id
 }
@@ -46,16 +28,10 @@ resource "google_pubsub_subscription_iam_member" "adapter_subscriber" {
 resource "google_pubsub_subscription_iam_member" "adapter_viewer" {
 subscription = google_pubsub_subscription.adapter.name
 role = "roles/pubsub.viewer"
- member = "serviceAccount:${google_service_account.adapter.email}"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.current.number}/locations/global/workloadIdentityPools/${var.project_id}.svc.id.goog/subject/ns/${var.namespace}/sa/${var.adapter_k8s_sa_name}"
 project = var.project_id
 }
-# Workload Identity binding for Adapter
-resource "google_service_account_iam_member" "adapter_workload_identity" {
- service_account_id = google_service_account.adapter.name
- role = "roles/iam.workloadIdentityUser"
- member = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.adapter_k8s_sa_name}]"
-}
 # =============================================================================
 # Dead Letter Queue Permissions (if enabled)
diff --git a/terraform/modules/pubsub/variables.tf b/terraform/modules/pubsub/variables.tf
index 154bb3c..56242ac 100644
--- a/terraform/modules/pubsub/variables.tf
+++ b/terraform/modules/pubsub/variables.tf
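Review bot: The new `principal://` members reference `data.google_project.current.number`, and no `data "google_project" "current"` block appears anywhere in this diff; unless it already exists in the module, `terraform plan` fails on an undeclared data source, and the Dead Letter Queue permissions section that follows the second hunk (outside this view) also needs checking for leftover `google_service_account.adapter.email` / `google_service_account.sentinel.email` references now that both resources are gone. The context lines `# Sentinel Service Account (Publisher)` and `# Workload Identity binding for Sentinel` now sit above a binding that creates no service account, so replace the latter with something like `# Direct Workload Identity Federation for GKE: the Kubernetes SA itself is the IAM principal; no GCP SA is created or impersonated` and retitle the two section headers to match. The adapter principal string is spelled out verbatim in both adapter_subscriber and adapter_viewer and the sentinel one differs only in the KSA name, so building them once as `local.sentinel_principal` / `local.adapter_principal` from the project number, `var.project_id`, `var.namespace` and the KSA name removes the chance of the copies drifting apart. Removing the two `google_service_account` resources deletes those accounts on apply, so any running release still annotated with `iam.gke.io/gcp-service-account` loses Pub/Sub access until it is redeployed with the trimmed `helm_values_snippet`; the README hunk header `(includes broker config and Workload Identi…)` in this same commit still advertises annotations the snippet no longer emits.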
@@ -61,18 +61,6 @@ variable "max_delivery_attempts" {
 }
 }
-variable "sentinel_sa_name" {
- description = "Sentinel GCP service account name"
- type = string
- default = "hyperfleet-sentinel"
-}
-
-variable "adapter_sa_name" {
- description = "Adapter GCP service account name"
- type = string
- default = "hyperfleet-adapter"
-}
-
 variable "sentinel_k8s_sa_name" {
 description = "Sentinel Kubernetes service account name"
 type = string
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index e6256d0..6d4f3a7 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -49,20 +49,6 @@ output "connect_command" {
 )
 }
-# =============================================================================
-# Pub/Sub Outputs (when enabled)
-# =============================================================================
-
-output "sentinel_service_account_email" {
- description = "Email of the Sentinel GCP service account"
- value = var.enable_pubsub ? module.pubsub[0].sentinel_service_account_email : ""
-}
-
-output "adapter_service_account_email" {
- description = "Email of the Adapter GCP service account"
- value = var.enable_pubsub ? module.pubsub[0].adapter_service_account_email : ""
-}
-
 output "topic_name" {
 description = "Name of the Pub/Sub topic"
 value = var.enable_pubsub ? module.pubsub[0].topic_name : ""
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 2d55ea0..72e1270 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -83,27 +83,13 @@ variable "aws_region" {
 default = "us-east-1"
 }
-# =============================================================================
-# Kubernetes Configuration
-# =============================================================================
-variable "kubernetes_namespace" {
- description = "Kubernetes namespace for HyperFleet components"
- type = string
- default = "hyperfleet-system"
-
- validation {
- condition = length(var.kubernetes_namespace) > 0
- error_message = "kubernetes_namespace must not be empty."
- }
-}
-
 # =============================================================================
 # Pub/Sub Configuration
 # =============================================================================
 variable "enable_pubsub" {
 description = "Enable Google Pub/Sub for HyperFleet messaging"
 type = bool
- default = false
+ default = true
 }
 variable "enable_dead_letter" {
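Review bot: Flipping `enable_pubsub` to `default = true` means every apply that does not override it now creates the topic, the subscription and the Workload Identity IAM bindings in service_accounts.tf, while the README in this same commit still presents the outputs as what you get "after applying with `enable_pubsub=true`", i.e. as opt-in. The description should say so and name what is created, e.g. `description = "Enable Google Pub/Sub for HyperFleet messaging (default true: creates the topic, subscription and Workload Identity IAM bindings; set to false to skip them)"`. Removing `kubernetes_namespace` together with its `length(...) > 0` validation leaves `developer_name` (declared outside this hunk) as the only source of the namespace in the IAM principal; if it carries no validation of its own, an empty value yields a `subject/ns//sa/...` principal at apply time instead of a plan-time error.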