feat: add cross project fleet service agent

autogen/main/sa.tf.tmpl

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-autopilot-private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-autopilot-public-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-private-cluster-update-variant/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-public-cluster-update-variant/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/beta-public-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/private-cluster-update-variant/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

modules/private-cluster/sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}

sa.tf

@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
   role     = "roles/artifactregistry.reader"
   member   = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+  count    = var.fleet_project != null || var.fleet_project != var.project_id ? 1 : 0
+  provider = google-beta
+  project  = var.fleet_project
+  service  = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "cross_project_service_agent" {
+  for_each = var.fleet_project != null || var.fleet_project != var.project_id ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+  project  = var.fleet_project
+  role     = each.value
+  member   = "serviceAccount:${google_project_service_identity.fleet_project.email[0]}"
+}