feat: Added namespace as a prefix in stackdriver sa name

main.tf

@@ -199,6 +199,10 @@ locals {
   internal_lb_name = "${var.namespace}-internal"
 }
 
+locals {
+  workload_hash = var.create_workload_identity ? substr(sha256("yes"), 0, 50) : null
+}
+
 data "google_client_config" "current" {}
 
 module "wandb" {
@@ -208,6 +212,7 @@ module "wandb" {
   spec = {
     values = {
       global = {
+        pod = { labels = { workload_hash: local.workload_hash } }
         host    = local.url
         license = var.license
         cloudProvider = "gcp"
@@ -258,7 +263,7 @@ module "wandb" {
         extraEnvs = var.app_wandb_env
         serviceAccount = var.create_workload_identity ? {
           name        = var.kms_gcs_sa_name
-          annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.sa_account_email }
+          annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.sa_account_role }
           } : {
           name        = ""
           annotations = {}
@@ -291,7 +296,7 @@ module "wandb" {
           projectId          = data.google_client_config.current.project
           serviceAccountName = var.stackdriver_sa_name
         }
-        serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.stackdriver_email } }
+        serviceAccount = { annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.stackdriver_role } }
         } : {
         install        = false
         stackdriver    = {}

modules/service_accounts/main.tf

@@ -62,10 +62,11 @@ resource "google_project_iam_member" "secretmanager_admin" {
   role    = "roles/secretmanager.admin"
 }
 
-####### service account for kms and gcs cross project access
+
+####### service account for kms and gcs
 resource "google_service_account" "kms_gcs_sa" {
   count        = var.create_workload_identity == true ? 1 : 0
-  account_id   = var.kms_gcs_sa_name
+  account_id   = substr("kms-gcs-${random_id.main.dec}", 0, 30)
   display_name = "Service Account For Workload Identity"
 }
 
@@ -83,8 +84,6 @@ resource "google_project_iam_member" "secretmanager_admin_gcs" {
   role    = "roles/secretmanager.admin"
 }
 
-# For some reason we need this permission otherwise backend is throwing an error
-# hopfully this is a short term fix.
 resource "google_project_iam_member" "log_writer_gcs" {
   count   = var.create_workload_identity == true ? 1 : 0
   project = local.project_id
@@ -106,7 +105,6 @@ resource "google_storage_bucket_iam_member" "gcs_admin" {
   role   = "roles/storage.objectAdmin"
 }
 
-
 resource "google_project_iam_member" "kms" {
   count   = var.create_workload_identity == true ? 1 : 0
   project = local.project_id
@@ -132,7 +130,7 @@ resource "google_service_account_iam_member" "workload_binding" {
 ### service account for stackdriver
 resource "google_service_account" "stackdriver" {
   count        = var.enable_stackdriver == true ? 1 : 0
-  account_id   = var.stackdriver_sa_name
+  account_id   = substr("stackdriver-${random_id.main.dec}", 0, 30)
   display_name = "Service Account For Workload Identity"
 }
 

modules/service_accounts/outputs.tf

@@ -3,10 +3,10 @@ output "service_account" {
   description = "The service account."
 }
 
-output "sa_account_email" {
+output "sa_account_role" {
   value = var.create_workload_identity == true ? google_service_account.kms_gcs_sa[0].email : null
 }
 
-output "stackdriver_email" {
+output "stackdriver_role" {
   value = var.enable_stackdriver == true ? google_service_account.stackdriver[0].email : null
 }

modules/service_accounts/variables.tf

@@ -9,7 +9,6 @@ variable "bucket_name" {
   default     = ""
 }
 
-
 variable "create_workload_identity" {
   description = "Flag to indicate whether to create a workload identity for the service account."
   type        = bool
@@ -27,4 +26,4 @@ variable "stackdriver_sa_name" {
 variable "enable_stackdriver" {
   description = "Flag to indicate whether to enable workload identity for the service account."
   type        = bool
-}
+}

outputs.tf

@@ -92,5 +92,5 @@ output "private_attachement_id" {
 
 output "sa_account_email" {
   description =  "This output provides the email address of the service account created for workload identity, if workload identity is enabled. Otherwise, it returns null"
-  value = var.create_workload_identity == true ? module.service_accounts.sa_account_email : null
+  value = var.create_workload_identity == true ? module.service_accounts.sa_account_role : null
 }

variables.tf

@@ -312,4 +312,3 @@ variable "stackdriver_sa_name" {
   type    = string
   default = "wandb-stackdriver"
 }
-