feat: allow adding extra rbac roles (#18)

* feat: allow adding extra rbac roles

* run terraform fmt to pass checks

rbac.tf

@@ -0,0 +1,67 @@
+locals {
+  rbac_roles = concat(var.roles, local.service_accounts_roles)
+}
+
+resource "kubernetes_role" "extra_roles" {
+  count = length(local.rbac_roles)
+
+  metadata {
+    name      = lookup(local.rbac_roles[count.index], "name", "default")
+    namespace = kubernetes_namespace.namespace.metadata.0.name
+  }
+
+  dynamic "rule" {
+    for_each = lookup(local.rbac_roles[count.index], "rules", [])
+
+    content {
+      api_groups = rule.value.api_groups
+      resources  = rule.value.resources
+      verbs      = rule.value.verbs
+    }
+  }
+}
+
+resource "kubernetes_role_binding" "extra_binding" {
+  count = length(local.rbac_roles)
+
+  metadata {
+    name      = lookup(local.rbac_roles[count.index], "name", "default")
+    namespace = kubernetes_namespace.namespace.metadata.0.name
+  }
+
+  role_ref {
+    name      = element(kubernetes_role.extra_roles.*.metadata.0.name, count.index)
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+  }
+
+  dynamic "subject" {
+    for_each = lookup(local.rbac_roles[count.index], "groups", [])
+
+    content {
+      kind      = "Group"
+      name      = subject.value
+      api_group = "rbac.authorization.k8s.io"
+    }
+  }
+
+  dynamic "subject" {
+    for_each = lookup(local.rbac_roles[count.index], "users", [])
+
+    content {
+      kind      = "User"
+      name      = subject.value
+      api_group = "rbac.authorization.k8s.io"
+    }
+  }
+
+  dynamic "subject" {
+    for_each = lookup(local.rbac_roles[count.index], "service_accounts", [])
+
+    content {
+      kind      = "ServiceAccount"
+      name      = subject.value
+      namespace = kubernetes_namespace.namespace.metadata.0.name
+    }
+  }
+}

service-account.tf

@@ -19,7 +19,7 @@ resource "kubernetes_role" "service_accounts" {
   count = length(var.service_accounts)
 
   metadata {
-    name      = lookup(var.service_accounts[count.index], "name", "default")
+    name      = lookup(var.service_accounts[count.index], "name")
     namespace = kubernetes_namespace.namespace.metadata.0.name
   }
 
@@ -34,28 +34,13 @@ resource "kubernetes_role" "service_accounts" {
   }
 }
 
-resource "kubernetes_role_binding" "sa_binding" {
-  count = length(var.service_accounts)
-
-  metadata {
-    name      = lookup(var.service_accounts[count.index], "name", "default")
-    namespace = kubernetes_namespace.namespace.metadata.0.name
-  }
-
-  role_ref {
-    name      = element(kubernetes_role.service_accounts.*.metadata.0.name, count.index)
-    api_group = "rbac.authorization.k8s.io"
-    kind      = "Role"
-  }
-
-  subject {
-    kind      = "ServiceAccount"
-    name      = element(kubernetes_service_account.users.*.metadata.0.name, count.index)
-    namespace = kubernetes_namespace.namespace.metadata.0.name
-  }
-}
-
 locals {
+  service_accounts_roles = [for s in var.service_accounts : {
+    name             = s.name
+    rules            = s.rules
+    service_accounts = s.name
+  }]
+
   pull_secret_keys = keys(var.image_pull_secrets)
 }
 

variables.tf

@@ -91,6 +91,12 @@ variable "max_node_ports" {
   description = "Maximum amount of services with type NodePort"
 }
 
+variable "roles" {
+  type        = any
+  default     = []
+  description = "List of additional RBAC roles and bindings to deploy. List of name and rules. To bind the rules use service_accounts, groups or users list."
+}
+
 variable "service_accounts" {
   type = list(object({
     name               = string