
Grant cluster wide crd access to deploy roles (#214)
* Grant cluster-wide CRD access to deploy roles

* terraform-docs: automated action

* update terraform fmt

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
OlamideOl1 and github-actions[bot] authored Oct 24, 2024
1 parent 8b85174 commit d0b1811
Showing 2 changed files with 37 additions and 4 deletions.
4 changes: 3 additions & 1 deletion aws/deploy-role-bindings/README.md
Expand Up @@ -60,8 +60,10 @@ module "workload_platform" {

| Name | Type |
|------|------|
| [kubernetes_cluster_role.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
| [kubernetes_cluster_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
| [kubernetes_cluster_role_binding.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
| [kubernetes_role.deploy_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
| [kubernetes_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
| [kubernetes_role_binding.crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |

## Inputs
37 changes: 34 additions & 3 deletions aws/deploy-role-bindings/main.tf
@@ -1,9 +1,8 @@
resource "kubernetes_role_binding" "cluster" {
resource "kubernetes_cluster_role_binding" "cluster" {
for_each = toset(var.cluster_roles)

metadata {
name = var.name
namespace = var.namespace
name = var.name
}

role_ref {
Expand All @@ -19,6 +18,38 @@ resource "kubernetes_role_binding" "cluster" {
}
}

resource "kubernetes_cluster_role" "cluster_crd" {
metadata {
name = "${var.name}-cluster-crd"
}

rule {
api_groups = ["apiextensions.k8s.io"]
resources = ["customresourcedefinitions"]
verbs = ["get", "list"]
}
}

resource "kubernetes_cluster_role_binding" "cluster_crd" {
metadata {
name = "${var.name}-cluster-crd"
}

role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "${var.name}-cluster-crd"
}

subject {
kind = "Group"
name = var.group
api_group = "rbac.authorization.k8s.io"
}

depends_on = [kubernetes_cluster_role.cluster_crd]
}

resource "kubernetes_role_binding" "crd" {
metadata {
name = kubernetes_role.deploy_crd.metadata[0].name
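Review bot: Turning `kubernetes_role_binding.cluster` into `resource "kubernetes_cluster_role_binding" "cluster"` (first hunk, with `name = var.name` and the namespace line dropped) binds every role in var.cluster_roles across the whole cluster rather than only in var.namespace, which is a larger privilege change than the CRD read access the commit title describes; if only CRD visibility was needed, the new `kubernetes_cluster_role.cluster_crd` in the second hunk already provides it and the namespaced binding could remain. Because the binding is now cluster-scoped, a second module instance reusing the same var.name in another namespace can no longer coexist with this one, and with `for_each = toset(var.cluster_roles)` every instance still shares the single metadata name var.name — presumably the same as before, but worth confirming against how the module is instantiated. In the second hunk the role_ref `name = "${var.name}-cluster-crd"` plus `depends_on = [kubernetes_cluster_role.cluster_crd]` could follow the pattern `kubernetes_role_binding.crd` already uses below it, `name = kubernetes_cluster_role.cluster_crd.metadata[0].name`, which makes the dependency implicit and keeps the two names from drifting apart. The body of `kubernetes_cluster_role_binding.cluster` continues past the end of the first hunk.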
