Merge pull request #3 from terraform-modules/add-example
update example code for cluster-roles
badra001 committed Nov 21, 2021
2 parents 46ade3a + 0fa6c0c commit 2cad9bc
Showing 3 changed files with 59 additions and 19 deletions.
41 changes: 24 additions & 17 deletions examples/full-cluster/cluster-roles/deployer-clusterrole.tf
Expand Up @@ -6,23 +6,42 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
rule {
api_groups = ["acme.cert-manager.io"]
resources = ["challenges", "orders", "certificaterequests"]
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]

verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}

rule {
api_groups = ["cert-manager.io"]
resources = ["certificates"]
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}


rule {
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]

api_groups = ["networking.istio.io"]
resources = ["gateways"]
}
}

resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
metadata {
name = var.deployer_application_istio_role_name
}
rule {
api_groups = ["security.istio.io"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
}

rule {
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
api_groups = ["networking.istio.io"]
resources = ["virtualservices", "destinationrules", "gateways"]
}
}

resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
metadata {
name = var.deployer_application_role_name
Expand All @@ -38,24 +57,12 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
rule {
api_groups = ["acme.cert-manager.io"]
resources = ["challenges", "orders", "certificaterequests"]
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}

rule {
api_groups = ["cert-manager.io"]
resources = ["certificates"]
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
}

rule {
api_groups = ["security.istio.io"]
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
resources = ["requestauthentications","authorizationpolicies","peerauthentications"]
}

rule {
verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
api_groups = ["networking.istio.io"]
resources = ["virtualservices", "destinationrules", "gateways"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}
}
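Review bot: Every `verbs` list in this file still carries `"patch"` twice (`"patch", "update", "patch"`), on the reformatted lines at L23, L30, L36, L68 and L87 and in the new `cicd_deployer_istio_cluster_role` rules at L49 and L54; the commit re-spaces the lists but keeps the duplicate. The RBAC API tolerates a repeated verb, but it reads as if a distinct permission was intended, so each list should be `verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update"]`. These ClusterRoles grant `delete`/`deletecollection` on cert-manager and Istio objects, which stays namespace-scoped only as long as they are referenced from namespaced RoleBindings (as deployer-rolebinding.tf does) and never from a ClusterRoleBinding — worth a one-line comment above each resource, e.g. `# Bound per namespace via kubernetes_role_binding; do not reference from a ClusterRoleBinding.` The `cicd_deployer_istiosystem_cluster_role` resource begins before the first hunk, and the second hunk continues a resource whose header is above it.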
27 changes: 27 additions & 0 deletions examples/full-cluster/cluster-roles/deployer-rolebinding.tf
Expand Up @@ -37,6 +37,33 @@ resource "kubernetes_namespace" "cicd_managed_namespaces" {
}
}


resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" {
# for_each = toset(local.cicd_managed_namespaces)
for_each = kubernetes_namespace.cicd_managed_namespaces

metadata {
name = var.deployer_application_istio_rolebinding_name
namespace = each.key
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = var.deployer_application_istio_role_name
}
subject {
kind = "User"
name = var.cicd_k8s_user_name
api_group = "rbac.authorization.k8s.io"
}
subject {
kind = "Group"
name = local.cicd_k8s_iam_username
api_group = "rbac.authorization.k8s.io"
}
# depends_on = [kubernetes_namespace.cicd_managed_namespaces]
}

resource "kubernetes_role_binding" "deployer_application_rolebinding" {
# for_each = toset(local.cicd_managed_namespaces)
for_each = kubernetes_namespace.cicd_managed_namespaces
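Review bot: The second `subject` of the new `deployer_application_istio_rolebinding` (L115–L119) is `kind = "Group"` but takes its name from `local.cicd_k8s_iam_username`, a local whose name suggests a user identity; if that value is an IAM user mapping rather than a Kubernetes group, the binding silently grants nothing to the group, or grants the Istio role to an unintended set of principals if a group of that name exists. Please confirm against the aws-auth/locals definition and either rename the local or change the subject to `kind = "User"`. The commented-out `for_each = toset(local.cicd_managed_namespaces)` (L98) and `depends_on` (L120) lines are dead code that the live `for_each = kubernetes_namespace.cicd_managed_namespaces` already makes redundant; dropping them keeps the binding readable. Since this is the only object that attaches the cluster role to a CI/CD principal, a short comment such as `# Namespaced binding: limits deployer_application_istio_role to each CI/CD-managed namespace.` above the resource would document the intended blast radius.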
10 changes: 8 additions & 2 deletions examples/full-cluster/providers.tf
Expand Up @@ -2,11 +2,17 @@ terraform {
required_version = ">= 0.12.31"
}

provider "kubernetes" {
host = local.aws_eks_cluster.endpoint
# to import, you cannot have provider fields which count on data elements (as these locals show). You need to use the config_path.
# see these for more info:
# https://github.com/hashicorp/terraform-provider-kubernetes/issues/793
# https://www.terraform.io/docs/cli/commands/import.html#provider-configuration
# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs

provider "kubernetes" {
host = local.aws_eks_cluster.endpoint
cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data)
token = local.aws_eks_cluster_auth.token
# config_path = "${path.root}/setup/kube.config"
}

provider "helm" {
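Review bot: The new provider block authenticates with `token = local.aws_eks_cluster_auth.token` (L144); if that local wraps a `data "aws_eks_cluster_auth"` source, the short-lived cluster token is written into the Terraform state as a data-source attribute, so the state backend for this example must be treated as holding credentials (encrypted at rest, access restricted) — a sentence in the added import comment at L135–L139 saying so would be useful. The commented `config_path = "${path.root}/setup/kube.config"` fallback (L145) points at a kubeconfig inside the repository tree; if it is ever uncommented for an import, that file should be excluded from version control, and the comment could say so inline, e.g. `# config_path = "${path.root}/setup/kube.config"  # import-only; keep this file out of git`. The wording "provider fields which count on data elements" would be clearer as "provider fields that depend on data sources (as these locals do)".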

