From 622c204ac6179650c2fb3d59b9b1ce0cd0cdfe1a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 21 Jan 2025 16:39:45 -0500 Subject: [PATCH] use helm --- .pre-commit-config.yaml | 2 +- README.md | 4 +- eks-console-full-access/.helmignore | 23 ++++ eks-console-full-access/Chart.yaml | 21 ++++ .../templates/_helpers.tpl | 62 ++++++++++ .../templates/binding-rbac.yaml | 15 +++ .../templates/clusterrole-rbac.yaml | 107 ++++++++++++++++++ eks-console-full-access/values.yaml | 1 + eks-console-restricted-access/.helmignore | 23 ++++ eks-console-restricted-access/Chart.yaml | 21 ++++ .../templates/_helpers.tpl | 62 ++++++++++ .../templates/clusterrole-binding-rbac.yaml | 15 +++ .../templates/clusterrole-rbac.yaml | 15 +++ .../templates/role-binding-rbac.yaml | 15 +++ .../templates/role-rbac.yaml | 105 +++++++++++++++++ eks-console-restricted-access/values.yaml | 1 + eks_console_access.tf | 44 +++++-- requirements.tf | 4 + variables.tf | 21 ++++ 19 files changed, 551 insertions(+), 10 deletions(-) create mode 100644 eks-console-full-access/.helmignore create mode 100644 eks-console-full-access/Chart.yaml create mode 100644 eks-console-full-access/templates/_helpers.tpl create mode 100644 eks-console-full-access/templates/binding-rbac.yaml create mode 100644 eks-console-full-access/templates/clusterrole-rbac.yaml create mode 100644 eks-console-full-access/values.yaml create mode 100644 eks-console-restricted-access/.helmignore create mode 100644 eks-console-restricted-access/Chart.yaml create mode 100644 eks-console-restricted-access/templates/_helpers.tpl create mode 100644 eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml create mode 100644 eks-console-restricted-access/templates/clusterrole-rbac.yaml create mode 100644 eks-console-restricted-access/templates/role-binding-rbac.yaml create mode 100644 eks-console-restricted-access/templates/role-rbac.yaml create mode 100644 eks-console-restricted-access/values.yaml 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bb1a43e..a16edd6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos: - id: trailing-whitespace args: [--markdown-linebreak-ext=md] exclude: CHANGELOG.md - - id: check-yaml + # - id: check-yaml - id: check-merge-conflict - id: check-executables-have-shebangs
diff --git a/README.md b/README.md
index 33187df..5160189 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ sys 0m2.015s |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 5.14.0 | +| [helm](#requirement\_helm) | >= 2.11.0 | | [http](#requirement\_http) | >= 2.1.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
@@ -41,6 +42,7 @@ sys 0m2.015s | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.14.0 | +| [helm](#provider\_helm) | >= 2.11.0 | | [http](#provider\_http) | >= 2.1.0 | | [kubernetes](#provider\_kubernetes) | >= 2.23.0 |
@@ -54,7 +56,7 @@ sys 0m2.015s | Name | Type | |------|------| -| [kubernetes_manifest.deploy_cluster_roles](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
diff --git a/eks-console-full-access/.helmignore b/eks-console-full-access/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/eks-console-full-access/.helmignore
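Review bot: The `check-yaml` hook is switched off for the whole repository (`# - id: check-yaml`) instead of being excluded for the Helm template files that presumably trip it, so Chart.yaml, values.yaml and `.pre-commit-config.yaml` itself lose validation. Keep the hook and narrow it, e.g. `- id: check-yaml` followed by `exclude: ^.*/templates/`, since only the templates contain unrendered Go template syntax. The `repos:` list this hunk edits starts before the hunk.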
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/eks-console-full-access/Chart.yaml b/eks-console-full-access/Chart.yaml
new file mode 100644
index 0000000..f0ef17b
--- /dev/null
+++ b/eks-console-full-access/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: eks-console-full
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/eks-console-full-access/templates/_helpers.tpl b/eks-console-full-access/templates/_helpers.tpl
new file mode 100644
index 0000000..6aaacb3
--- /dev/null
+++ b/eks-console-full-access/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "eks-console-full.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "eks-console-full.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "eks-console-full.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "eks-console-full.labels" -}}
+helm.sh/chart: {{ include "eks-console-full.chart" . }}
+{{ include "eks-console-full.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "eks-console-full.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "eks-console-full.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "eks-console-full.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "eks-console-full.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
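Review bot: The `eks-console-full.serviceAccountName` helper dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the chart's values.yaml defines only `kubernetesClusterDomain`, so any template that included this helper would fail at render time with a nil-pointer error on `.create`; it is scaffold code that neither binding-rbac.yaml nor clusterrole-rbac.yaml uses, and `kubernetesClusterDomain` is likewise read by no template in the diff. Either delete the helper and the unused value, or add a `serviceAccount:` block with `create` and `name` keys to values.yaml so the helper is safe to call. The restricted chart's `_helpers.tpl` and values.yaml have the same dead helper and unused value.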
diff --git a/eks-console-full-access/templates/binding-rbac.yaml b/eks-console-full-access/templates/binding-rbac.yaml
new file mode 100644
index 0000000..338d35e
--- /dev/null
+++ b/eks-console-full-access/templates/binding-rbac.yaml
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "eks-console-full.fullname" . }}-binding + labels: + {{- include "eks-console-full.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "eks-console-full.fullname" . }}-clusterrole' +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: eks-console-dashboard-full-access-group + namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-full-access/templates/clusterrole-rbac.yaml b/eks-console-full-access/templates/clusterrole-rbac.yaml
new file mode 100644
index 0000000..13d420c
--- /dev/null
+++ b/eks-console-full-access/templates/clusterrole-rbac.yaml
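Review bot: The `namespace: '{{ .Release.Namespace }}'` line on the Group subject does nothing: a subject namespace is only defined for ServiceAccount subjects, and for a User or Group the RBAC authorizer matches on name alone, so the line implies a scoping that does not exist and should be removed. The group name `eks-console-dashboard-full-access-group` is also baked into the template even though it has to match whatever group the cluster's IAM-to-Kubernetes mapping assigns, so it belongs in values.yaml, e.g. `name: {{ .Values.groupName | default "eks-console-dashboard-full-access-group" }}`. Both points apply equally to the restricted chart's clusterrole-binding-rbac.yaml and role-binding-rbac.yaml.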
@@ -0,0 +1,107 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "eks-console-full.fullname" . }}-clusterrole + labels: + {{- include "eks-console-full.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - configmaps + - endpoints + - events + - limitranges + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + verbs: + - get + - list +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - list +- apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - ingresses + - networkpolicies + - replicasets + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + verbs: + - get + - list diff --git a/eks-console-full-access/values.yaml b/eks-console-full-access/values.yaml new file mode 100644 index 0000000..e4779cd --- /dev/null +++ b/eks-console-full-access/values.yaml @@ -0,0 +1 @@ +kubernetesClusterDomain: cluster.local diff --git a/eks-console-restricted-access/.helmignore b/eks-console-restricted-access/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/eks-console-restricted-access/.helmignore 
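Review bot: The first rule of the ClusterRole grants `get` and `list` on `secrets` in the core group cluster-wide, which lets every member of the bound group read the contents of every Secret in the cluster (`list` returns whole objects, not just names) — far more than "view workloads in the console" suggests, and the chart says nothing about it. If that visibility is really needed, add a comment above the rule and a README note stating it, and consider putting the `secrets` entry behind a value so operators can opt out; the restricted chart's role-rbac.yaml grants the same verbs on `secrets` within its namespace and should carry the same documentation.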
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/eks-console-restricted-access/Chart.yaml b/eks-console-restricted-access/Chart.yaml
new file mode 100644
index 0000000..0d3d930
--- /dev/null
+++ b/eks-console-restricted-access/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: eks-console-restricted
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/eks-console-restricted-access/templates/_helpers.tpl b/eks-console-restricted-access/templates/_helpers.tpl
new file mode 100644
index 0000000..d8ad369
--- /dev/null
+++ b/eks-console-restricted-access/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "eks-console-restricted.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "eks-console-restricted.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "eks-console-restricted.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "eks-console-restricted.labels" -}}
+helm.sh/chart: {{ include "eks-console-restricted.chart" . }}
+{{ include "eks-console-restricted.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "eks-console-restricted.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "eks-console-restricted.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "eks-console-restricted.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "eks-console-restricted.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml b/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml
new file mode 100644
index 0000000..69c3653
--- /dev/null
+++ b/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "eks-console-restricted.fullname" . }}-clusterrole-binding + labels: + {{- include "eks-console-restricted.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "eks-console-restricted.fullname" . }}-clusterrole' +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: eks-console-dashboard-restricted-access-group + namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-restricted-access/templates/clusterrole-rbac.yaml b/eks-console-restricted-access/templates/clusterrole-rbac.yaml
new file mode 100644
index 0000000..b7ebd38
--- /dev/null
+++ b/eks-console-restricted-access/templates/clusterrole-rbac.yaml
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "eks-console-restricted.fullname" . }}-clusterrole + labels: + {{- include "eks-console-restricted.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list
diff --git a/eks-console-restricted-access/templates/role-binding-rbac.yaml b/eks-console-restricted-access/templates/role-binding-rbac.yaml
new file mode 100644
index 0000000..e6dcdda
--- /dev/null
+++ b/eks-console-restricted-access/templates/role-binding-rbac.yaml
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "eks-console-restricted.fullname" . }}-role-binding + labels: + {{- include "eks-console-restricted.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "eks-console-restricted.fullname" . }}-role' +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: eks-console-dashboard-restricted-access-group + namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-restricted-access/templates/role-rbac.yaml b/eks-console-restricted-access/templates/role-rbac.yaml
new file mode 100644
index 0000000..a2e454e
--- /dev/null
+++ b/eks-console-restricted-access/templates/role-rbac.yaml
@@ -0,0 +1,105 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "eks-console-restricted.fullname" . }}-role + labels: + {{- include "eks-console-restricted.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + - configmaps + - endpoints + - events + - limitranges + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + verbs: + - get + - list +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - list +- apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - ingresses + - networkpolicies + - replicasets + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + verbs: + - get + - list diff --git a/eks-console-restricted-access/values.yaml b/eks-console-restricted-access/values.yaml new file mode 100644 index 0000000..e4779cd --- /dev/null +++ b/eks-console-restricted-access/values.yaml @@ -0,0 +1 @@ +kubernetesClusterDomain: cluster.local diff --git a/eks_console_access.tf b/eks_console_access.tf index b1ab23b..dd6a46b 100644 --- a/eks_console_access.tf +++ b/eks_console_access.tf 
@@ -26,7 +26,7 @@ locals { ] cluster_roles_map = { for cr in local.cluster_roles : cr.name => cr if cr.enabled } # roles = provider::kubernetes::manifest_decode_multi(data.http.cluster_roles[each.key].body) - manifest_doc = { for item in local.cluster_roles_map : "${data.http.cluster_roles[item.name].body}" => item } + # manifest_doc = { for item in local.cluster_roles_map : "${data.http.cluster_roles[item.name].body}" => item } } # Fetch the YAML files from the specified URLs
@@ -45,14 +45,14 @@ data "http" "cluster_roles" { # } # } -# Apply the Kubernetes manifests to the cluster -resource "kubernetes_manifest" "deploy_cluster_roles" { - manifest = local.manifest_doc +# # Apply the Kubernetes manifests to the cluster +# resource "kubernetes_manifest" "deploy_cluster_roles" { +# manifest = local.manifest_doc - wait { - rollout = true - } -} +# wait { +# rollout = true +# } +# } # resource "kubernetes_manifest" "projects" { # for_each = { for manifest in provider::kubernetes::manifest_decode_multi(file("${path.module}/bootstrap/projects.yaml")) : "${lower(manifest.kind)}-${manifest.metadata.name}-${manifest.metadata.namespace}" => manifest }
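Review bot: With `manifest_doc` commented out in the first hunk and `kubernetes_manifest.deploy_cluster_roles` commented out in the second, the `data "http" "cluster_roles"` source shown in the second hunk's header context still fetches the upstream manifests on every plan while nothing visible here consumes the result; unless a consumer exists outside these hunks, remove the data source along with the commented-out blocks rather than leaving them as comments (the history is in Git). Dropping the resource from configuration also makes Terraform destroy the previously applied ClusterRole and ClusterRoleBinding on the next apply while `helm_release.console_access` creates new objects under the charts' `fullname`-derived names, so the plan should be checked for a window in which neither set exists. The `locals` block and the data source both begin before these hunks.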
@@ -71,3 +71,31 @@ resource "kubernetes_manifest" "deploy_cluster_roles" { # command = "kubectl apply -f ${each.value.name}.yaml" # } # } +# data "kubectl_file_documents" "access_documents" { +# for_each = { for k, v in local.cluster_roles_map : k => v if v.enabled } + +# content = data.http.cluster_roles[each.key].body +# } + +# locals { +# all_access_documents = flatten([ +# for cr_name, cr_data in local.cluster_roles_map : [ +# for doc in data.kubectl_file_documents.access_documents[cr_name].manifests : doc +# ] if cr_data.enabled +# ]) +# } + +# resource "kubectl_manifest" "deploy_cluster_roles" { +# count = length(local.all_access_documents) + +# yaml_body = local.all_access_documents[count.index] +# } + +resource "helm_release" "console_access" { + for_each = local.cluster_roles_map + chart = each.key + name = each.key + namespace = "default" + version = local.release_version + repository = "./${each.key}" +}
diff --git a/requirements.tf b/requirements.tf
index 912400a..75101fd 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,6 +6,10 @@ terraform { source = "hashicorp/aws" version = ">= 5.14.0" } + helm = { + source = "hashicorp/helm" + version = ">= 2.11.0" + } http = { source = "hashicorp/http" version = ">= 2.1.0"
diff --git a/variables.tf b/variables.tf
index 4f4ada5..9b69a09 100644
--- a/variables.tf
+++ b/variables.tf
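Review bot: `repository = "./${each.key}"` together with `chart = each.key` resolves the chart relative to the Terraform working directory rather than to this module, so the release breaks as soon as the module is used from another root; for a chart that ships inside the module the usual form is `chart = "${path.module}/${each.key}"` with no `repository` argument at all. `namespace = "default"` is hard-coded, and for the restricted chart that literal is where the Role and RoleBinding land via `.Release.Namespace`, so it deserves a variable rather than an unstated dependence on `default`. `local.release_version` is not defined in any hunk of this commit; confirm it exists and whether it is meant to track the charts' `version: 0.1.0`. The hunk also adds roughly twenty lines of commented-out `kubectl_file_documents`/`kubectl_manifest` code that should be dropped rather than kept as comments.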
@@ -41,3 +41,24 @@ variable "tags" { type = map(string) default = {} } + +# variable "kubectl_image_tag" { +# description = "The version of bitnami/kubectl image to use." +# type = string +# default = "1.30.4" +# } + +# # helm add repo autoscaler "https://kubernetes.github.io/autoscaler" +# # helm search repo -l autoscaler/cluster-autoscaler +# variable "cluster_autoscaler_chart_version" { +# description = "The helm chart of the cluster-autoscaler most closely matching the Kuberentes version. Review output of `helm add repo autoscaler 'https://kubernetes.github.io/autoscaler'` (if the repo hasn't been added previously) and `helm search repo -l autoscaler/cluster-autoscaler`" +# type = string +# default = "9.37.0" +# } + +# # helm show values --version [cluster_autoscaler_chart_version] autoscaler/cluster-autoscaler | grep tag: +# variable "cluster_autoscaler_tag" { +# description = "Image tag of cluster-autoscaler associated with the cluster_autoscaler_chart_version helm chart. `helm show values --version [cluster_autoscaler_chart_version] autoscaler/cluster-autoscaler | grep tag:`" +# type = string +# default = "v1.30.0" +# }
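Review bot: The hunk adds three fully commented-out `variable` blocks (`kubectl_image_tag`, `cluster_autoscaler_chart_version`, `cluster_autoscaler_tag`) that nothing in this commit references, so variables.tf gains only dead text. Drop them, or introduce them as real variables in the change that needs them, and instead declare the input the new `helm_release` actually needs — a namespace for the console-access charts — so the `"default"` literal in eks_console_access.tf does not have to be hard-coded. The `tags` variable block begins before this hunk.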