GKE IAM setup for External DNS

gke-iam-for-sexternal-dns.tf

# For accessing properites defined in my default `google` terraform provider.
data google_project current {}

# Create a google service account
resource google_service_account "external-dns" {
  account_id   = "gke-external-dns-manager"
  display_name = "Cluster-controlled DNS management"
}

# Bind the ExternalDNS Service Account to the DNS admin role
resource google_project_iam_member "external-dns" {
  project           = data.google_project.current.project_id
  role               = "roles/dns.admin"
  member            = "serviceAccount:${google_service_account.external-dns.email}"
}

# Link the ExternalDNS GSA to the Kubernetes service account (KSA) that
# external-dns will run under, i.e., the 'external-dns' KSA in the 'external-dns' namespace.
resource google_service_account_iam_member "external-dns" {
  service_account_id = google_service_account.external-dns.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${data.google_project.current.project_id}.svc.id.goog[external-dns/external-dns]"
}