feat: configure fl service accounts

platforms/gke/base/use-cases/federated-learning/common.sh

@@ -35,6 +35,7 @@ FEDERATED_LEARNING_SHARED_CONFIG_DIR="${FEDERATED_LEARNING_USE_CASE_TERRAFORM_DI
 # Terraservices that are necessary for the core platform
 federated_learning_core_platform_terraservices=(
   "key_management_service"
+  "service_account"
 )
 
 # shellcheck disable=SC2034 # Variable is used in other scripts

platforms/gke/base/use-cases/federated-learning/terraform/_shared_config/uc_federated_learning_variables.tf

@@ -15,4 +15,29 @@
 locals {
   gke_robot_service_account           = "service-${data.google_project.default.number}@container-engine-robot.iam.gserviceaccount.com"
   gke_robot_service_account_iam_email = "serviceAccount:${local.gke_robot_service_account}"
+
+  tenants = {
+    for name in var.federated_learning_tenant_names : name => {
+      tenant_name                                 = name
+      tenant_nodepool_name                        = format("%s-%s-pool", local.cluster_name, name)
+      tenant_nodepool_sa_name                     = format("%s-%s-nodes-sa", local.cluster_name, name)
+      tenant_apps_sa_name                         = format("%s-%s-apps-sa", local.cluster_name, name)
+      tenant_apps_kubernetes_service_account_name = local.tenant_apps_kubernetes_service_account_name
+    }
+  }
+
+  # Put all service account names in a list so we can create them with a single
+  # google_service_account resource
+  service_account_names = concat(
+    [for tenant in local.tenants : tenant.tenant_nodepool_sa_name],
+    [for tenant in local.tenants : tenant.tenant_apps_sa_name],
+  )
+
+  tenant_apps_kubernetes_service_account_name = "fl-ksa"
+}
+
+variable "federated_learning_tenant_names" {
+  default     = ["fl-tenant-1"]
+  description = "List of named tenants to be created in the cluster. Each tenant gets a dedicated node pool and Kubernetes namespace, isolated from other tenants."
+  type        = list(string)
 }

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_cluster.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/cluster.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_cluster_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/cluster_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_platform.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/platform.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_platform_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/platform_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_terraform.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/terraform.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_terraform_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/terraform_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_uc_federated_learning.auto.tfvars

@@ -0,0 +1 @@
+../_shared_config/uc_federated_learning.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/service_account/_uc_federated_learning_variables.tf

@@ -0,0 +1 @@
+../_shared_config/uc_federated_learning_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/service_account/main.tf

@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "google_service_account" "federated_learning_service_account" {
+  for_each     = local.service_account_names
+  account_id   = "${local.prefix}${lower(each.value)}"
+  display_name = "Terraform-managed service account for the federated learning use case in cluster ${local.cluster_name}"
+  description  = index(var.names, each.value) >= length(var.descriptions) ? var.description : element(var.descriptions, index(var.names, each.value))
+  project      = google_project_service.iam_googleapis_com.project
+}

platforms/gke/base/use-cases/federated-learning/terraform/service_account/output.tf

@@ -0,0 +1,13 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

platforms/gke/base/use-cases/federated-learning/terraform/service_account/project.tf

@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "google_project" "default" {
+  project_id = var.cluster_project_id
+}
+
+resource "google_project_service" "iam_googleapis_com" {
+  disable_dependent_services = false
+  disable_on_destroy         = false
+  project                    = data.google_project.default.project_id
+  service                    = "iam.googleapis.com"
+}

platforms/gke/base/use-cases/federated-learning/terraform/service_account/versions.tf

@@ -0,0 +1,28 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "6.12.0"
+    }
+  }
+
+  provider_meta "google" {
+    module_name = "cloud-solutions/acp_fl_service_account_deploy-v1"
+  }
+}