Resolve: Gonrg 3384 tf framework WKS

modules/osdu/helm-wks.tf

+locals {
+  workload_wks_sa = "workload-wks-sa"
+  wks_name        = "wks"
+  wks_image       = "community.opengroup.org:5555/osdu/platform/data-flow/enrichment/wks/osdu-gcp:latest"
+  wks_roles_name = [
+    "roles/datastore.user",
+    "roles/storage.admin",
+    "roles/iam.serviceAccountTokenCreator"
+  ]
+}
+
+resource "google_service_account" "wks_sa" {
+  # GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
+  # KSA do not have this naming restriction.
+  depends_on   = [google_container_node_pool.cluster_node_pool]
+  account_id   = local.workload_wks_sa
+  display_name = substr("GCP SA bound to K8S SA ${local.wks_name}", 0, 100)
+  project      = var.service_google_project
+}
+
+resource "kubernetes_service_account" "wks-k8s" {
+  depends_on = [google_container_node_pool.cluster_node_pool, kubernetes_job.infra_config, google_service_account.wks_sa]
+  metadata {
+    name      = "gke-${local.wks_name}-sa"
+    namespace = "default"
+    annotations = {
+      "iam.gke.io/gcp-service-account" = google_service_account.wks_sa.email
+    }
+  }
+}
+
+resource "google_project_iam_member" "iam-member-wks" {
+  depends_on = [google_container_node_pool.cluster_node_pool, google_service_account.wks_sa]
+  for_each   = toset(local.wks_roles_name)
+  project    = var.service_google_project
+  role       = each.value
+  member     = "serviceAccount:${google_service_account.wks_sa.email}"
+}
+
+resource "google_service_account_iam_member" "wks-k8s" {
+  depends_on         = [kubernetes_service_account.wks-k8s]
+  service_account_id = google_service_account.wks_sa.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.service_google_project}.svc.id.goog[default/${kubernetes_service_account.wks-k8s.metadata[0].name}]"
+}
+
+# Apply configmap from helm chart
+resource "helm_release" "wks-config" {
+  depends_on = [
+    google_container_node_pool.cluster_node_pool
+  ]
+  name          = "wks-configmap"
+  repository    = "https://community.opengroup.org/osdu/platform/data-flow/enrichment/wks/-/jobs/artifacts/gcp-helm-release-0-1/raw/helm-charts/?job=osdu-gcp-helm-charts"
+  chart         = "gcp-wks-configmap"
+  namespace     = "default"
+  recreate_pods = true
+
+  set {
+    name  = "data.project_id"
+    value = var.service_google_project
+  }
+  set {
+    name  = "data.wks_gcp_audiences"
+    value = var.audiences
+  }
+  set {
+    name  = "data.google_cloud_project"
+    value = var.service_google_project
+  }
+  set {
+    name  = "data.wks_gcp_tenant_name"
+    value = var.data_partition_id
+  }
+  set {
+    name  = "data.wks_gcp_storage_bucket_name"
+    value = "${var.service_google_project}-wks-mapping-definitions"
+  }
+  set {
+    name  = "data.wks_gcp_redis_host"
+    value = "${kubernetes_service.k8s-redis-search.metadata[0].name}.${kubernetes_service.k8s-redis-search.metadata[0].namespace}.svc.cluster.local"
+  }
+}
+
+# Apply deploy from helm chart
+resource "helm_release" "wks-deploy" {
+  depends_on = [
+    helm_release.wks-config
+  ]
+  name          = "wks-deploy"
+  repository    = "https://community.opengroup.org/osdu/platform/data-flow/enrichment/wks/-/jobs/artifacts/gcp-helm-release-0-1/raw/helm-charts/?job=osdu-gcp-helm-charts"
+  chart         = "gcp-wks-deploy"
+  namespace     = "default"
+  recreate_pods = true
+
+  set {
+    name  = "data.image"
+    value = local.wks_image
+  }
+  set {
+    name  = "data.serviceAccountName"
+    value = kubernetes_service_account.wks-k8s.metadata[0].name
+  }
+  set {
+    name  = "conf.app_name"
+    value = local.wks_name
+  }
+}