diff --git a/rbac.tf b/rbac.tf new file mode 100644 index 0000000..553b907 --- /dev/null +++ b/rbac.tf @@ -0,0 +1,67 @@ +locals { + rbac_roles = concat(var.roles, local.service_accounts_roles) +} + +resource "kubernetes_role" "extra_roles" { + count = length(local.rbac_roles) + + metadata { + name = lookup(local.rbac_roles[count.index], "name", "default") + namespace = kubernetes_namespace.namespace.metadata.0.name + } + + dynamic "rule" { + for_each = lookup(local.rbac_roles[count.index], "rules", []) + + content { + api_groups = rule.value.api_groups + resources = rule.value.resources + verbs = rule.value.verbs + } + } +} + +resource "kubernetes_role_binding" "extra_binding" { + count = length(local.rbac_roles) + + metadata { + name = lookup(local.rbac_roles[count.index], "name", "default") + namespace = kubernetes_namespace.namespace.metadata.0.name + } + + role_ref { + name = element(kubernetes_role.extra_roles.*.metadata.0.name, count.index) + api_group = "rbac.authorization.k8s.io" + kind = "Role" + } + + dynamic "subject" { + for_each = lookup(local.rbac_roles[count.index], "groups", []) + + content { + kind = "Group" + name = subject.value + api_group = "rbac.authorization.k8s.io" + } + } + + dynamic "subject" { + for_each = lookup(local.rbac_roles[count.index], "users", []) + + content { + kind = "User" + name = subject.value + api_group = "rbac.authorization.k8s.io" + } + } + + dynamic "subject" { + for_each = lookup(local.rbac_roles[count.index], "service_accounts", []) + + content { + kind = "ServiceAccount" + name = subject.value + namespace = kubernetes_namespace.namespace.metadata.0.name + } + } +} diff --git a/service-account.tf b/service-account.tf index 17094b2..e3cfa8e 100644 --- a/service-account.tf +++ b/service-account.tf @@ -19,7 +19,7 @@ resource "kubernetes_role" "service_accounts" { count = length(var.service_accounts) metadata { - name = lookup(var.service_accounts[count.index], "name", "default") + name = lookup(var.service_accounts[count.index], "name") namespace = kubernetes_namespace.namespace.metadata.0.name } @@ -34,28 +34,13 @@ resource "kubernetes_role" "service_accounts" { } } -resource "kubernetes_role_binding" "sa_binding" { - count = length(var.service_accounts) - - metadata { - name = lookup(var.service_accounts[count.index], "name", "default") - namespace = kubernetes_namespace.namespace.metadata.0.name - } - - role_ref { - name = element(kubernetes_role.service_accounts.*.metadata.0.name, count.index) - api_group = "rbac.authorization.k8s.io" - kind = "Role" - } - - subject { - kind = "ServiceAccount" - name = element(kubernetes_service_account.users.*.metadata.0.name, count.index) - namespace = kubernetes_namespace.namespace.metadata.0.name - } -} - locals { + service_accounts_roles = [for s in var.service_accounts : { + name = s.name + rules = s.rules + service_accounts = s.name + }] + pull_secret_keys = keys(var.image_pull_secrets) } diff --git a/variables.tf b/variables.tf index a7436dc..e9a6597 100644 --- a/variables.tf +++ b/variables.tf @@ -91,6 +91,12 @@ variable "max_node_ports" { description = "Maximum amount of services with type NodePort" } +variable "roles" { + type = any + default = [] + description = "List of additional RBAC roles and bindings to deploy. List of name and rules. To bind the rules use service_accounts, groups or users list." +} + variable "service_accounts" { type = list(object({ name = string