Default Compute Service Account is used if root service_account argument used

[harrymyburgh]

TL;DR

Default Compute Service Account is used if root service_account argument used to run the GKE nodes, instead of the custom service account specified. The workaround is to set the service account on a Node Pool level, however, this is not ideal.

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

module "gke" {
  source     = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version    = "~> 33.1.0"
  project_id = var.main_project
  name       = "${var.gke_cluster_prefix}-${var.environment}"
  region     = var.main_region
  zones      = var.gke_zones
  regional   = var.regional

  network_project_id     = var.host_vpc_project
  network                = data.google_compute_network.host_vpc_network.name
  subnetwork             = data.google_compute_subnetwork.host_vpc_subnetwork.name
  ip_range_pods          = var.ip_range_pods_name
  ip_range_services      = var.ip_range_services_name
  master_ipv4_cidr_block = var.master_ipv4_cidr_block
  master_authorized_networks = concat(
    [
      {
        cidr_block   = data.google_compute_subnetwork.host_vpc_subnetwork.ip_cidr_range
        display_name = "Primary GKE Subnet CIDR"
      }
    ],
    var.additional_master_authorized_networks
  )
  enable_private_endpoint           = true
  deploy_using_private_endpoint     = true
  enable_private_nodes              = true
  add_cluster_firewall_rules        = true
  add_master_webhook_firewall_rules = true
  add_shadow_firewall_rules         = true
  network_tags                      = var.network_tags

  remove_default_node_pool = true

  deletion_protection = false

  http_load_balancing        = var.http_load_balancing
  horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
  filestore_csi_driver       = var.filestore_csi_driver
  dns_cache                  = var.dns_cache

  monitoring_enable_managed_prometheus    = true
  monitoring_enable_observability_metrics = var.monitoring_enable_observability_metrics
  monitoring_enable_observability_relay   = var.monitoring_enable_observability_relay
  monitoring_enabled_components           = var.monitoring_enabled_components
  datapath_provider                       = var.datapath_provider

  security_posture_mode = "BASIC"

  // Enable IP masquerade in island mode
  configure_ip_masq = true
  non_masquerade_cidrs = [
    [for range in data.google_compute_subnetwork.host_vpc_subnetwork.secondary_ip_range : range.ip_cidr_range if range.range_name == var.ip_range_pods_name][0],
    [for range in data.google_compute_subnetwork.host_vpc_subnetwork.secondary_ip_range : range.ip_cidr_range if range.range_name == var.ip_range_services_name][0]
  ]

  create_service_account = false
  service_account        = var.service_account_name

  node_pools = var.node_pools

  node_pools_oauth_scopes = var.node_pools_oauth_scopes

  node_pools_labels = {
    all = {
      environment = var.environment
      managed-by  = "terraform"
    }
  }

  node_pools_metadata = {
    all = {
      project-id = var.main_project
    }
  }

  node_pools_taints = var.node_pools_taints

  node_pools_tags = {
    all = concat(
      [
        "gke-node",
        "${var.gke_cluster_prefix}-${var.environment}-node",
        "private-cluster-node"
      ],
      var.network_tags
    )
  }
}

Terraform Version

1.8

Terraform Provider Versions

Google and Google Beta provider versions are 6.16.0

Additional information

No response