forseti-security · gkowalski-google · Mar 9, 2020 · Mar 9, 2020 · Mar 9, 2020 · Mar 9, 2020
@@ -174,4 +174,5 @@ module "forseti" {
   policy_library_sync_enabled        = var.policy_library_sync_enabled
   server_log_level                   = var.server_log_level
   client_instance_metadata           = var.client_instance_metadata
+  workload_identity_namespace        = module.gke.identity_namespace
 }
@@ -69,7 +69,7 @@ locals {
     "storage-api.googleapis.com",
     "groupssettings.googleapis.com",
   ]
-  workload_identity                = "${var.project_id}.svc.id.goog"
+  workload_identity_namespace      = var.workload_identity_namespace == null ? "${var.project_id}.svc.id.goog" : var.workload_identity_namespace
   workload_identity_server_suffix  = "[${local.kubernetes_namespace}/forseti-server]"
   workload_identity_client_suffix  = "[${local.kubernetes_namespace}/forseti-orchestrator]"
   workload_config_validator_suffix = "[${local.kubernetes_namespace}/config-validator]"
@@ -158,7 +158,7 @@ resource "google_service_account_iam_binding" "forseti_server_workload_identity"
   role               = "roles/iam.workloadIdentityUser"
 
   members = [
-    "serviceAccount:${local.workload_identity}${local.workload_identity_server_suffix}"
+    "serviceAccount:${local.workload_identity_namespace}${local.workload_identity_server_suffix}"
   ]
 }
 
@@ -167,8 +167,8 @@ resource "google_service_account_iam_binding" "forseti_client_workload_identity"
   role               = "roles/iam.workloadIdentityUser"
 
   members = [
-    "serviceAccount:${local.workload_identity}${local.workload_identity_client_suffix}",
-    "serviceAccount:${local.workload_identity}${local.workload_config_validator_suffix}"
+    "serviceAccount:${local.workload_identity_namespace}${local.workload_identity_client_suffix}",
+    "serviceAccount:${local.workload_identity_namespace}${local.workload_config_validator_suffix}"
   ]
 }
 

@@ -60,12 +60,16 @@ variable "sendgrid_api_key" {
 #------------#
 # GKE config #
 #------------#
-
 variable "gke_node_pool_name" {
   description = "The name of the GKE node-pool where Forseti is being deployed"
   default     = "default-pool"
 }
 
+variable "workload_identity_namespace" {
+  description = "Workload Identity namespace"
+  default     = null
+}
+
 #----------------#
 # Forseti config #
 #----------------#
@@ -710,7 +714,6 @@ variable "inventory_email_summary_enabled" {
 #---------------------------------------#
 # Groups Settings scanner configuration #
 #---------------------------------------#
-
 variable "groups_settings_max_calls" {
   description = "Maximum calls that can be made to the G Suite Groups API"
   default     = "5"
@@ -893,7 +896,6 @@ variable "cloudsql_password" {
 #-------------#
 # Helm config #
 #-------------#
-
 variable "git_sync_image" {
   description = "The container image used by the config-validator git-sync side-car"
   default     = "gcr.io/google-containers/git-sync"