Adding additional_role_ref variable

aws-ia · Sep 22, 2023 · 32f64bd · 32f64bd
1 parent f76fd48
commit 32f64bd
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -74,11 +74,11 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_additional_role_ref"></a> [additional\_role\_ref](#input\_additional\_role\_ref) | Existing Role or ClusterRole to be referenced on the Kubernetes clusterRoleBinding created | `any` | `{}` | no |
 | <a name="input_admin_policy_name"></a> [admin\_policy\_name](#input\_admin\_policy\_name) | Name to use on admin IAM policy created | `string` | `""` | no |
 | <a name="input_annotations"></a> [annotations](#input\_annotations) | A map of Kubernetes annotations to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_cluster_arn"></a> [cluster\_arn](#input\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | `string` | `""` | no |
 | <a name="input_cluster_role_name"></a> [cluster\_role\_name](#input\_cluster\_role\_name) | Name to use on Kubernetes cluster role created | `string` | `""` | no |
-| <a name="input_cluster_role_ref_name"></a> [cluster\_role\_ref\_name](#input\_cluster\_role\_ref\_name) | Name of an existing ClusterRole to be referenced on the Kubernetes clusterRoleBinding created | `string` | `""` | no |
 | <a name="input_cluster_role_rule"></a> [cluster\_role\_rule](#input\_cluster\_role\_rule) | Defines the Kubernetes RBAC based `api_groups`, `resources`, and `verbs` Rules for the role created | `any` | `{}` | no |
 | <a name="input_create_cluster_role"></a> [create\_cluster\_role](#input\_create\_cluster\_role) | Determines whether a Kubernetes cluster role is created | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |

diff --git a/main.tf b/main.tf
@@ -322,22 +322,48 @@ resource "kubernetes_cluster_role_v1" "this" {
   }
 }
 
+# ################################################################################
+# # K8s Cluster Role Binding
+# ################################################################################
+# resource "kubernetes_cluster_role_binding_v1" "this" {
+#   count = var.create_cluster_role && !var.enable_admin ? 1 : 0
+
+#   metadata {
+#     name        = kubernetes_cluster_role_v1.this[0].metadata[0].name
+#     annotations = var.annotations
+#     labels      = var.labels
+#   }
+
+#   role_ref {
+#     api_group = "rbac.authorization.k8s.io"
+#     kind      = "ClusterRole"
+#     name      = try(var.cluster_role_ref_name == "") ? kubernetes_cluster_role_v1.this[0].metadata[0].name : var.cluster_role_ref_name
+#   }
+
+#   subject {
+#     kind      = "Group"
+#     name      = var.name
+#     api_group = "rbac.authorization.k8s.io"
+#     namespace = ""
+#   }
+# }
+
 ################################################################################
 # K8s Cluster Role Binding
 ################################################################################
 resource "kubernetes_cluster_role_binding_v1" "this" {
-  count = var.create_cluster_role && !var.enable_admin ? 1 : 0
+  for_each = var.create_cluster_role && !var.enable_admin ? { for k, v in flatten([kubernetes_cluster_role_v1.this[0].metadata[0].name, try(var.additional_role_ref.name, "")]) : k => v if var.additional_role_ref != {} } : {}
 
   metadata {
-    name        = kubernetes_cluster_role_v1.this[0].metadata[0].name
+    name        = "${each.value}-rolebinding"
     annotations = var.annotations
     labels      = var.labels
   }
 
   role_ref {
     api_group = "rbac.authorization.k8s.io"
-    kind      = "ClusterRole"
-    name      = try(var.cluster_role_ref_name == "") ? kubernetes_cluster_role_v1.this[0].metadata[0].name : var.cluster_role_ref_name
+    kind      = try(var.additional_role_ref.kind, "ClusterRole")
+    name      = each.value
   }
 
   subject {

diff --git a/patterns/namespaced-admin/teams.tf b/patterns/namespaced-admin/teams.tf
@@ -18,8 +18,10 @@ module "operations_team" {
     team = "ops"
   }
 
-  cluster_role_name     = "ops-team"
-  cluster_role_ref_name = "admin"
+  cluster_role_name = "ops-team"
+  additional_role_ref = {
+    name = "admin"
+  }
   role_ref = {
     kind = "ClusterRole"
     name = "admin"

diff --git a/tests/complete/teams.tf b/tests/complete/teams.tf
@@ -30,8 +30,10 @@ module "platform_team" {
     team = "platform"
   }
 
-  cluster_role_name     = "platform-team"
-  cluster_role_ref_name = "admin"
+  cluster_role_name = "platform-team"
+  additional_role_ref = {
+    name = "admin"
+  }
   role_ref = {
     kind = "ClusterRole"
     name = "admin"

diff --git a/variables.tf b/variables.tf
@@ -48,10 +48,10 @@ variable "cluster_role_name" {
   default     = ""
 }
 
-variable "cluster_role_ref_name" {
-  description = "Name of an existing ClusterRole to be referenced on the Kubernetes clusterRoleBinding created"
-  type        = string
-  default     = ""
+variable "additional_role_ref" {
+  description = "Existing Role or ClusterRole to be referenced on the Kubernetes clusterRoleBinding created"
+  type        = any
+  default     = {}
 }
 
 variable "cluster_role_rule" {