move sa file logic to constellation

terraform/constellation-cluster/main.tf

@@ -9,6 +9,7 @@ locals {
       "./yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml"
     ]
   ]))
+  gcp_sa_file_path = "service_account_file.json"
 }
 
 resource "null_resource" "ensure_cli" {
@@ -52,14 +53,34 @@ resource "null_resource" "aws_config" {
   ]
 }
 
+
+
+resource "null_resource" "service_account_file" {
+  count = var.gcp_config != null ? 1 : 0
+  provisioner "local-exec" {
+    command = <<EOT
+          echo ${var.gcp_config.serviceAccountKey} | base64 -d > "${local.gcp_sa_file_path}"
+
+    EOT
+  }
+  provisioner "local-exec" {
+    when    = destroy
+    command = "rm ${self.triggers.file_path}"
+  }
+  triggers = {
+    always_run = timestamp()
+    file_path  = local.gcp_sa_file_path
+  }
+}
+
 resource "null_resource" "gcp_config" {
   count = var.gcp_config != null ? 1 : 0
   provisioner "local-exec" {
     command = <<EOT
       ./yq eval '.provider.gcp.project = "${var.gcp_config.project}"' -i constellation-conf.yaml
       ./yq eval '.provider.gcp.region = "${var.gcp_config.region}"' -i constellation-conf.yaml
       ./yq eval '.provider.gcp.zone = "${var.gcp_config.zone}"' -i constellation-conf.yaml
-      ./yq eval '.provider.gcp.serviceAccountKeyPath = "${var.gcp_config.serviceAccountKeyPath}"' -i constellation-conf.yaml
+      ./yq eval '.provider.gcp.serviceAccountKeyPath = "${local.gcp_sa_file_path}"' -i constellation-conf.yaml
 
       ./yq eval '.infrastructure.gcp.projectID = "${var.gcp_config.project}"' -i constellation-state.yaml
       ./yq eval '.infrastructure.gcp.ipCidrPod = "${var.gcp_config.ipCidrPod}"' -i constellation-state.yaml
@@ -69,7 +90,7 @@ resource "null_resource" "gcp_config" {
     always_run = timestamp()
   }
   depends_on = [
-    terraform_data.config_generate
+    terraform_data.config_generate, null_resource.service_account_file
   ]
 }
 

terraform/constellation-cluster/variables.tf

@@ -72,11 +72,11 @@ variable "aws_config" {
 
 variable "gcp_config" {
   type = object({
-    region                = string
-    zone                  = string
-    project               = string
-    serviceAccountKeyPath = string
-    ipCidrPod             = string
+    region            = string
+    zone              = string
+    project           = string
+    ipCidrPod         = string
+    serviceAccountKey = string
   })
   description = "The cluster config for GCP."
   default     = null

terraform/gcp-constellation/main.tf

@@ -43,24 +43,6 @@ module "gcp" {
   custom_endpoint = var.custom_endpoint
 }
 
-resource "null_resource" "sa_account_file" {
-  provisioner "local-exec" {
-    command = <<EOT
-          #echo "${module.gcp_iam.sa_key}" TODO use base64decode fn
-          echo ${module.gcp_iam.sa_key} | base64 -d > "sa_account_file.json"
-
-    EOT
-  }
-  provisioner "local-exec" {
-    when    = destroy
-    command = "rm sa_account_file.json"
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-
 module "constellation" {
   source               = "../constellation-cluster"
   csp                  = "gcp"
@@ -76,11 +58,11 @@ module "constellation" {
   apiServerCertSANs    = module.gcp.api_server_cert_sans
   node_groups          = var.node_groups
   gcp_config = {
-    region                = local.region
-    zone                  = var.zone
-    serviceAccountKeyPath = "sa_account_file.json"
-    project               = var.project
-    ipCidrPod             = module.gcp.ip_cidr_pods
+    region            = local.region
+    zone              = var.zone
+    project           = var.project
+    ipCidrPod         = module.gcp.ip_cidr_pods
+    serviceAccountKey = module.gcp_iam.sa_key
   }
-  depends_on = [module.gcp, null_resource.sa_account_file, null_resource.ensure_yq]
+  depends_on = [module.gcp, null_resource.ensure_yq]
 }