chore: Use cluster-role view for app teams (#6)

Signed-off-by: Carlos Santana <[email protected]>
aws-ia · Mar 21, 2023 · 2cdce17 · 2cdce17
1 parent 7b995d8
commit 2cdce17
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -275,7 +275,6 @@ No modules.
 | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [kubernetes_cluster_role_binding_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource |
-| [kubernetes_cluster_role_v1.namespaced](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource |
 | [kubernetes_cluster_role_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource |
 | [kubernetes_limit_range_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/limit_range_v1) | resource |
 | [kubernetes_namespace_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |

diff --git a/main.tf b/main.tf
@@ -338,68 +338,26 @@ resource "kubernetes_cluster_role_binding_v1" "this" {
 }
 
 ################################################################################
-# K8s Role
-
-# Note: we are using a cluster role but using a role binding
-# this allows us to have one role but bind it to n-number of namespaces.
-# Just because its a clsuter role does not mean it has cluster access, its all
-# determined by the role binding.
+# K8s Role Binding
 ################################################################################
 
-resource "kubernetes_cluster_role_v1" "namespaced" {
-  count = var.create_role && !var.enable_admin ? 1 : 0
-
-  metadata {
-    name        = coalesce(var.role_name, var.name)
-    annotations = var.annotations
-    labels      = var.labels
-  }
-
-  rule {
-    api_groups = ["*"]
-
-    resources = [
-      "configmaps",
-      "pods",
-      "podtemplates",
-      "secrets",
-      "serviceaccounts",
-      "services",
-      "deployments",
-      "horizontalpodautoscalers",
-      "networkpolicies",
-      "statefulsets",
-      "replicasets",
-    ]
-
-    verbs = [
-      "get",
-      "list",
-      "watch",
-    ]
-  }
-
-  rule {
-    api_groups = ["*"]
-    resources  = ["resourcequotas"]
-    verbs      = ["get", "list", "watch"]
-  }
-}
-
 resource "kubernetes_role_binding_v1" "this" {
   for_each = { for k, v in var.namespaces : k => v if var.create_role && !var.enable_admin }
 
   metadata {
-    name        = "${kubernetes_cluster_role_v1.namespaced[0].metadata[0].name}-${each.key}"
+    name        = "${coalesce(var.role_name, var.name)}-${each.key}"
     namespace   = each.key
     annotations = var.annotations
     labels      = var.labels
   }
-
+  # Note: We are using a cluster role but using a role binding
+  # this allows us to have one role but bind it to n-number of namespaces.
+  # Just because its a cluster role does not mean it has cluster access, its all
+  # determined by the fact that this is a role binding (kubernetes_role_binding_v1).
   role_ref {
     api_group = "rbac.authorization.k8s.io"
     kind      = "ClusterRole"
-    name      = kubernetes_cluster_role_v1.namespaced[0].metadata[0].name
+    name      = "view"
   }
 
   subject {