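# One namespaced Role (plus its RoleBinding) per entry of var.roles, built by
# the local ./modules/rbac module. Nothing is instantiated unless var.create
# is true; an individual entry can additionally opt out with `create = false`.
#
# `annotations` / `labels` are the module-wide maps merged with the entry's
# own. The merge is wrapped in try() so that a null var.annotations /
# var.labels yields null (no metadata) instead of a plan-time error.
#
# Security note: `role_rules` is forwarded verbatim; nothing here narrows or
# validates it, so the Role contains exactly what the caller supplied. Review
# each entry for least privilege (verbs, resources, resourceNames) and keep
# `role_binding_subjects` limited to the identities that need the role.
module "roles" {
  source   = "./modules/rbac"
  for_each = { for k, v in var.roles : k => v if var.create }

  create = try(each.value.create, true)

  # Module-wide metadata merged with the entry's; null if either side is not a map.
  annotations = try(
    merge(
      var.annotations,
      try(each.value.annotations, {})
    ),
    null
  )
  labels = try(
    merge(
      var.labels,
      try(each.value.labels, {})
    ),
    null
  )

  create_role = try(each.value.create_role, true)
  # An explicit `role_name` may be given, mirroring `cluster_role_name` in
  # the cluster_roles module, so one Role name can be used under several map
  # keys. It defaults to the map key, which is the previous behaviour.
  role_name      = try(each.value.role_name, each.key)
  role_namespace = try(each.value.role_namespace, null)
  role_rules     = try(each.value.role_rules, [])

  role_binding_name      = try(each.value.role_binding_name, null)
  role_binding_namespace = try(each.value.role_binding_namespace, null)
  role_binding_subjects  = try(each.value.role_binding_subjects, null)

  # Namespace objects must exist before namespaced RBAC objects are created.
  depends_on = [kubectl_manifest.role_namespace]
}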
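# Namespaces referenced by any entry of var.roles (binding namespace, else the
# role's own namespace) or by a namespaced binding in var.cluster_roles.
# compact() drops nulls/empty strings (entries that bind cluster-wide or leave
# the namespace unset) and toset() deduplicates, so each Namespace is created
# once even when several entries share it.
#
# Security / operational notes:
#  * apply_only = true: `terraform destroy` leaves the Namespace — and every
#    object inside it — in the cluster. Removing it is a deliberate manual step.
#  * force_conflicts: on a conflict, field ownership is taken from whichever
#    manager last set the field. The manifest below only sets metadata.name,
#    so the blast radius is small, but it still overrides other managers.
#  * try(var.resolve_conflicts, true): try() only swallows evaluation errors,
#    so a null variable value is passed through as null rather than replaced
#    by true; the effective default is the variable's own default.
resource "kubectl_manifest" "role_namespace" {
  for_each = toset(
    compact(
      concat(
        # Binding namespace wins; otherwise the role namespace. Both
        # attributes are read through try() so an entry that omits
        # role_binding_namespace no longer fails the whole plan (the
        # cluster_roles list below already read it that way).
        [
          for v in var.roles :
          try(v.role_binding_namespace, null) != null ? try(v.role_binding_namespace, null) : try(v.role_namespace, null)
        ],
        [for v in var.cluster_roles : try(v.role_binding_namespace, null)]
      )
    )
  )

  ## resource will not be deleted for safety
  apply_only      = true
  force_conflicts = try(var.resolve_conflicts, true)

  # Nested YAML keys must be indented; kept as a plain (non-<<-) heredoc so
  # the content is emitted exactly as written.
  yaml_body = <<YAML
apiVersion: v1
kind: Namespace
metadata:
  name: ${each.value}
YAML
}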
# One ClusterRole per entry of var.cluster_roles, bound either cluster-wide
# (ClusterRoleBinding) or inside a single namespace (RoleBinding), via the
# local ./modules/rbac module. Skipped entirely when var.create is false.
#
# Security note: a ClusterRoleBinding grants the rules in every namespace, and
# `cluster_role_rules` / `cluster_role_aggregation_rules` are forwarded as
# given. Prefer a namespaced `role_binding_*` where cluster-wide reach is not
# required, and keep subjects to the identities that need the access.
module "cluster_roles" {
  source   = "./modules/rbac"
  for_each = { for name, spec in var.cluster_roles : name => spec if var.create }

  create = try(each.value.create, true)

  # Module-wide metadata merged with the entry's own; null when the merge
  # cannot be evaluated (e.g. var.annotations is null).
  annotations = try(merge(var.annotations, try(each.value.annotations, {})), null)
  labels      = try(merge(var.labels, try(each.value.labels, {})), null)

  # --- ClusterRole definition ---------------------------------------------
  create_cluster_role            = try(each.value.create_cluster_role, true)
  # Defaults to the map key. Overriding it lets several entries point at one
  # ClusterRole and bind it in different namespaces; presumably only one of
  # those entries should then keep create_cluster_role = true — verify
  # against ./modules/rbac.
  cluster_role_name              = try(each.value.cluster_role_name, each.key)
  cluster_role_rules             = try(each.value.cluster_role_rules, [])
  cluster_role_aggregation_rules = try(each.value.cluster_role_aggregation_rules, [])

  # --- cluster-wide binding -----------------------------------------------
  cluster_role_binding_name     = try(each.value.cluster_role_binding_name, null)
  cluster_role_binding_subjects = try(each.value.cluster_role_binding_subjects, null)

  # --- namespaced binding of the ClusterRole ------------------------------
  # Ignored when cluster_role_binding_name is provided.
  role_binding_name      = try(each.value.role_binding_name, null)
  role_binding_namespace = try(each.value.role_binding_namespace, null)
  role_binding_subjects  = try(each.value.role_binding_subjects, null)

  # Target namespaces are created by kubectl_manifest.role_namespace first.
  depends_on = [kubectl_manifest.role_namespace]
}