Adding flexibility for RBACs definition. Chaning tests to `patterns…

…`. Adding new patterns

README.md

@@ -294,6 +294,8 @@ No modules.
 | <a name="input_annotations"></a> [annotations](#input\_annotations) | A map of Kubernetes annotations to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_cluster_arn"></a> [cluster\_arn](#input\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | `string` | `""` | no |
 | <a name="input_cluster_role_name"></a> [cluster\_role\_name](#input\_cluster\_role\_name) | Name to use on Kubernetes cluster role created | `string` | `""` | no |
+| <a name="input_cluster_role_ref_name"></a> [cluster\_role\_ref\_name](#input\_cluster\_role\_ref\_name) | Name of an existing ClusterRole to be referenced on the Kubernetes clusterRoleBinding created | `string` | `""` | no |
+| <a name="input_cluster_role_rule"></a> [cluster\_role\_rule](#input\_cluster\_role\_rule) | Defines the Kubernetes RBAC based `api_groups`, `resources`, and `verbs` Rules for the role created | `any` | `{}` | no |
 | <a name="input_create_cluster_role"></a> [create\_cluster\_role](#input\_create\_cluster\_role) | Determines whether a Kubernetes cluster role is created | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Determines whether a Kubernetes role is created. Note: the role created is a cluster role but its bound to only namespaced role bindings | `bool` | `true` | no |
@@ -312,6 +314,7 @@ No modules.
 | <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | ARN of the OIDC provider created by the EKS cluster | `string` | `""` | no |
 | <a name="input_principal_arns"></a> [principal\_arns](#input\_principal\_arns) | A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. [Reference](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html#custom-trust-policy-example) | `list(string)` | `[]` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name to use on Kubernetes role created | `string` | `""` | no |
+| <a name="input_role_ref"></a> [role\_ref](#input\_role\_ref) | Defines the reference for an existing Kubernetes role | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all AWS resources | `map(string)` | `{}` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of IAM user and/or role ARNs that can assume the IAM role created | `list(string)` | `[]` | no |
 

main.tf

@@ -316,12 +316,15 @@ resource "kubernetes_cluster_role_v1" "this" {
   }
 
   rule {
-    api_groups = [""]
-    resources  = ["namespaces", "nodes"]
-    verbs      = ["get", "list", "watch"]
+    api_groups = try(var.cluster_role_rule.api_groups, [""])
+    resources  = try(var.cluster_role_rule.resources, ["namespaces", "nodes"])
+    verbs      = try(var.cluster_role_rule.verbs, ["get", "list", "watch"])
   }
 }
 
+################################################################################
+# K8s Cluster Role Binding
+################################################################################
 resource "kubernetes_cluster_role_binding_v1" "this" {
   count = var.create_cluster_role && !var.enable_admin ? 1 : 0
 
@@ -334,7 +337,7 @@ resource "kubernetes_cluster_role_binding_v1" "this" {
   role_ref {
     api_group = "rbac.authorization.k8s.io"
     kind      = "ClusterRole"
-    name      = kubernetes_cluster_role_v1.this[0].metadata[0].name
+    name      = try(var.cluster_role_ref_name == "") ? kubernetes_cluster_role_v1.this[0].metadata[0].name : var.cluster_role_ref_name
   }
 
   subject {
@@ -364,8 +367,8 @@ resource "kubernetes_role_binding_v1" "this" {
   # determined by the fact that this is a role binding (kubernetes_role_binding_v1).
   role_ref {
     api_group = "rbac.authorization.k8s.io"
-    kind      = "ClusterRole"
-    name      = "view"
+    kind      = try(var.role_ref.kind, "ClusterRole")
+    name      = try(var.role_ref.name, "view")
   }
 
   subject {

patterns/cluster-admin/README.md

@@ -0,0 +1,85 @@
+# Amazon EKS Blueprints Teams - Complete
+
+Configuration in this directory creates:
+
+- An EKS cluster (required to support module/tests)
+- An administrative team
+- A red team which demonstrates creating one team per module definition
+- Blue teams which demonstrates creating multiple teams per module definition
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.17 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_admin_team"></a> [admin\_team](#module\_admin\_team) | ../.. | n/a |
+| <a name="module_blue_teams"></a> [blue\_teams](#module\_blue\_teams) | ../.. | n/a |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
+| <a name="module_red_team"></a> [red\_team](#module\_red\_team) | ../.. | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_admin_team_aws_auth_configmap_role"></a> [admin\_team\_aws\_auth\_configmap\_role](#output\_admin\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
+| <a name="output_admin_team_iam_role_arn"></a> [admin\_team\_iam\_role\_arn](#output\_admin\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_admin_team_iam_role_name"></a> [admin\_team\_iam\_role\_name](#output\_admin\_team\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_admin_team_iam_role_unique_id"></a> [admin\_team\_iam\_role\_unique\_id](#output\_admin\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_admin_team_kubeconfig"></a> [admin\_team\_kubeconfig](#output\_admin\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
+| <a name="output_admin_team_namespaces"></a> [admin\_team\_namespaces](#output\_admin\_team\_namespaces) | Map of Kubernetes namespaces created and their attributes |
+| <a name="output_admin_team_rbac_group"></a> [admin\_team\_rbac\_group](#output\_admin\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
+| <a name="output_blue_teams_aws_auth_configmap_role"></a> [blue\_teams\_aws\_auth\_configmap\_role](#output\_blue\_teams\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
+| <a name="output_blue_teams_iam_role_arn"></a> [blue\_teams\_iam\_role\_arn](#output\_blue\_teams\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_blue_teams_iam_role_name"></a> [blue\_teams\_iam\_role\_name](#output\_blue\_teams\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_blue_teams_iam_role_unique_id"></a> [blue\_teams\_iam\_role\_unique\_id](#output\_blue\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_blue_teams_kubeconfig"></a> [blue\_teams\_kubeconfig](#output\_blue\_teams\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
+| <a name="output_blue_teams_namespaces"></a> [blue\_teams\_namespaces](#output\_blue\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
+| <a name="output_blue_teams_rbac_group"></a> [blue\_teams\_rbac\_group](#output\_blue\_teams\_rbac\_group) | The name of the Kubernetes RBAC group |
+| <a name="output_red_team_aws_auth_configmap_role"></a> [red\_team\_aws\_auth\_configmap\_role](#output\_red\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
+| <a name="output_red_team_iam_role_arn"></a> [red\_team\_iam\_role\_arn](#output\_red\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_red_team_iam_role_name"></a> [red\_team\_iam\_role\_name](#output\_red\_team\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_red_team_iam_role_unique_id"></a> [red\_team\_iam\_role\_unique\_id](#output\_red\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_red_team_kubeconfig"></a> [red\_team\_kubeconfig](#output\_red\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
+| <a name="output_red_team_namespaces"></a> [red\_team\_namespaces](#output\_red\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
+| <a name="output_red_team_rbac_group"></a> [red\_team\_rbac\_group](#output\_red\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE)

patterns/cluster-admin/outputs.tf

@@ -0,0 +1,107 @@
+# Admin
+output "admin_team_namespaces" {
+  description = "Map of Kubernetes namespaces created and their attributes"
+  value       = module.admin_team.namespaces
+}
+
+output "admin_team_rbac_group" {
+  description = "The name of the Kubernetes RBAC group"
+  value       = module.admin_team.rbac_group
+}
+
+output "admin_team_aws_auth_configmap_role" {
+  description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+  value       = module.admin_team.aws_auth_configmap_role
+}
+
+output "admin_team_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.admin_team.iam_role_name
+}
+
+output "admin_team_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.admin_team.iam_role_arn
+}
+
+output "admin_team_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.admin_team.iam_role_unique_id
+}
+
+output "admin_team_kubeconfig" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.admin_team.iam_role_arn}"
+}
+
+# Red Team
+output "red_team_namespaces" {
+  description = "Mapf of Kubernetes namespaces created and their attributes"
+  value       = module.red_team.namespaces
+}
+
+output "red_team_rbac_group" {
+  description = "The name of the Kubernetes RBAC group"
+  value       = module.red_team.rbac_group
+}
+
+output "red_team_aws_auth_configmap_role" {
+  description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+  value       = module.red_team.aws_auth_configmap_role
+}
+
+output "red_team_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.red_team.iam_role_name
+}
+
+output "red_team_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.red_team.iam_role_arn
+}
+
+output "red_team_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.red_team.iam_role_unique_id
+}
+
+output "red_team_kubeconfig" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.red_team.iam_role_arn}"
+}
+
+# Blue Teams (creates multiple teams)
+output "blue_teams_namespaces" {
+  description = "Mapf of Kubernetes namespaces created and their attributes"
+  value       = [for team in module.blue_teams : team.namespaces]
+}
+
+output "blue_teams_rbac_group" {
+  description = "The name of the Kubernetes RBAC group"
+  value       = [for team in module.blue_teams : team.rbac_group]
+}
+
+output "blue_teams_aws_auth_configmap_role" {
+  description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+  value       = [for team in module.blue_teams : team.aws_auth_configmap_role]
+}
+
+output "blue_teams_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = [for team in module.blue_teams : team.iam_role_name]
+}
+
+output "blue_teams_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = [for team in module.blue_teams : team.iam_role_arn]
+}
+
+output "blue_teams_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = [for team in module.blue_teams : team.iam_role_unique_id]
+}
+
+output "blue_teams_kubeconfig" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = [for team in module.blue_teams : "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${team.iam_role_arn}"]
+}