Updating patterns to cover different scenarios

aws-ia · Sep 22, 2023 · 5d57296 · 5d57296
1 parent c7e7698
commit 5d57296
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 32 deletions.
diff --git a/main.tf b/main.tf
@@ -322,32 +322,6 @@ resource "kubernetes_cluster_role_v1" "this" {
   }
 }
 
-# ################################################################################
-# # K8s Cluster Role Binding
-# ################################################################################
-# resource "kubernetes_cluster_role_binding_v1" "this" {
-#   count = var.create_cluster_role && !var.enable_admin ? 1 : 0
-
-#   metadata {
-#     name        = kubernetes_cluster_role_v1.this[0].metadata[0].name
-#     annotations = var.annotations
-#     labels      = var.labels
-#   }
-
-#   role_ref {
-#     api_group = "rbac.authorization.k8s.io"
-#     kind      = "ClusterRole"
-#     name      = try(var.cluster_role_ref_name == "") ? kubernetes_cluster_role_v1.this[0].metadata[0].name : var.cluster_role_ref_name
-#   }
-
-#   subject {
-#     kind      = "Group"
-#     name      = var.name
-#     api_group = "rbac.authorization.k8s.io"
-#     namespace = ""
-#   }
-# }
-
 ################################################################################
 # K8s Cluster Role Binding
 ################################################################################

diff --git a/patterns/development-team/README.md b/patterns/development-team/README.md
@@ -10,7 +10,7 @@ This example shows how to create a team with privileges restricted to the Namesp
 
 ## Areas of Interest
 
-- `teams.tf` contains a sample configuration of the `teams` module, in this case providing restricted access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
+- `teams.tf` contains a sample configuration of the `teams` module, in this case providing restricted *view* Role access to specific Namespaces, and *read-only* access to list Namespaces, StorageClasses and Nodes for the specified identities.
 
 https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/4def6e7e437c5b8f2c5e6479f2585fac58bf060c/patterns/development-team/teams.tf#L5-L123
 

diff --git a/patterns/development-team/teams.tf b/patterns/development-team/teams.tf
@@ -18,6 +18,11 @@ module "development_team" {
     team = "dev"
   }
 
+  cluster_role_rule = {
+    resources = ["namespaces", "nodes", "storageclasses"]
+    verbs     = ["get", "list"]
+  }
+
   namespaces = {
     default = {
       # Provides access to an existing namespace

diff --git a/patterns/multiple-app-teams/README.md b/patterns/multiple-app-teams/README.md
@@ -10,7 +10,7 @@ This example shows how to create a multiple teams using the same approach of the
 
 ## Areas of Interest
 
-- `teams.tf` contains a sample configuration of the `teams` module, using the `for_each` Terraform Meta-Argument at the Module level creating multiple teams with the same configuration, in this case providing restricted access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
+- `teams.tf` contains a sample configuration of the `teams` module, using the `for_each` Terraform Meta-Argument at the Module level creating multiple teams with the same configuration, in this case providing *edit* Role access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
 
 https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/bcc264abb8b0c76fba5a14a38d522a73d70015ae/patterns/multiple-app-teams/teams.tf#L5-L40
 

diff --git a/patterns/multiple-app-teams/teams.tf b/patterns/multiple-app-teams/teams.tf
@@ -14,6 +14,11 @@ module "application_teams" {
   cluster_arn       = module.eks.cluster_arn
   oidc_provider_arn = module.eks.oidc_provider_arn
 
+  role_ref = {
+    kind = "ClusterRole"
+    name = "edit"
+  }
+
   namespaces = {
     "app-${each.key}" = {
       labels = {

diff --git a/tests/complete/teams.tf b/tests/complete/teams.tf
@@ -34,10 +34,6 @@ module "platform_team" {
   additional_role_ref = {
     name = "admin"
   }
-  role_ref = {
-    kind = "ClusterRole"
-    name = "admin"
-  }
 
   tags = local.tags
 }
@@ -59,6 +55,11 @@ module "red_team" {
     team = "red-team"
   }
 
+  cluster_role_rule = {
+    resources = ["namespaces", "nodes", "persistentvolumes", "storageclasses"]
+    verbs     = ["get", "list"]
+  }
+
   namespaces = {
     default = {
       # Provides access to an existing namespace
@@ -174,6 +175,11 @@ module "blue_teams" {
   cluster_arn       = module.eks.cluster_arn
   oidc_provider_arn = module.eks.oidc_provider_arn
 
+  role_ref = {
+    kind = "ClusterRole"
+    name = "edit"
+  }
+
   namespaces = {
     "blue-${each.key}" = {
       labels = {

diff --git a/variables.tf b/variables.tf
@@ -81,6 +81,7 @@ variable "role_ref" {
   type        = any
   default     = {}
 }
+
 ################################################################################
 # IAM Role
 ################################################################################