Adding support for propller pods via workload identity (#21)

dunefro · github-actions[bot] · web-flow · commit 330e280d1eeb · 2025-09-13T00:40:34.000+05:30
* Adding support for propller pods via workload identity

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -39,6 +39,7 @@ Truefoundry Google Cloud platform features module
 | [google_project_iam_member.truefoundry_platform_feature_secret_manager_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.truefoundry_platform_feature_token_creator_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_service_account.truefoundry_platform_feature_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.truefoundry_platform_feature_flyte_propeller_service_account_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_service_account_key.truefoundry_platform_feature_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [random_string.random_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [google_project.truefoundry_platform_feature_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
@@ -58,6 +59,8 @@ Truefoundry Google Cloud platform features module
 | <a name="input_feature_docker_registry_enabled"></a> [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no |
 | <a name="input_feature_logs_viewer_enabled"></a> [feature\_logs\_viewer\_enabled](#input\_feature\_logs\_viewer\_enabled) | Enable logs viewer permission in the platform | `bool` | `true` | no |
 | <a name="input_feature_secrets_enabled"></a> [feature\_secrets\_enabled](#input\_feature\_secrets\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no |
+| <a name="input_flyte_propeller_serviceaccount_name"></a> [flyte\_propeller\_serviceaccount\_name](#input\_flyte\_propeller\_serviceaccount\_name) | Name for the Flyte Propeller service account | `string` | `"flytepropeller"` | no |
+| <a name="input_flyte_propeller_serviceaccount_namespace"></a> [flyte\_propeller\_serviceaccount\_namespace](#input\_flyte\_propeller\_serviceaccount\_namespace) | Namespace for the Flyte Propeller service account | `string` | `"tfy-workflow-propeller"` | no |
 | <a name="input_project"></a> [project](#input\_project) | GCP Project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | region | `string` | n/a | yes |
 | <a name="input_service_account_additional_roles"></a> [service\_account\_additional\_roles](#input\_service\_account\_additional\_roles) | List of additional IAM roles to be added to the service account | `list(string)` | `[]` | no |
diff --git a/iam.tf b/iam.tf
@@ -182,6 +182,16 @@ resource "google_project_iam_member" "truefoundry_platform_feature_additional_ro
   member  = "serviceAccount:${local.serviceaccount_email}"
 }
 
+resource "google_service_account_iam_binding" "truefoundry_platform_feature_flyte_propeller_service_account_binding" {
+  count              = var.service_account_enabled ? 1 : 0
+  service_account_id = google_service_account.truefoundry_platform_feature_service_account[0].id
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${var.project}.svc.id.goog[${var.flyte_propeller_serviceaccount_namespace}/${var.flyte_propeller_serviceaccount_name}]",
+  ]
+}
+
 // service account key
 resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
   count              = var.service_account_enabled && var.service_account_key_creation_enabled ? 1 : 0
diff --git a/variables.tf b/variables.tf
@@ -69,6 +69,21 @@ variable "service_account_additional_roles" {
   default     = []
 }
 
+################################################################################
+## Flyte Propeller
+################################################################################
+variable "flyte_propeller_serviceaccount_namespace" {
+  description = "Namespace for the Flyte Propeller service account"
+  type        = string
+  default     = "tfy-workflow-propeller"
+}
+
+variable "flyte_propeller_serviceaccount_name" {
+  description = "Name for the Flyte Propeller service account"
+  type        = string
+  default     = "flytepropeller"
+}
+
 ################################################################################
 # Blob Storage
 ################################################################################
