
RBAC Example

Recreates the Kubernetes RBAC examples from the Using RBAC Authorization documentation.

# Common labels attached to the objects this example creates: the "development"
# namespace below and everything the "rbac" module call receives via `labels`.
locals {
  labels = {
    # Derived from the example's working-directory name, with "_" replaced by "-".
    "terraform-example"            = "ex-${replace(basename(path.cwd), "_", "-")}"
    "app.kubernetes.io/managed-by" = "Terraform"
    "terraform.io/module"          = "terraform-kubernetes-rbac"
  }
}

# Namespace used to scope the "secret-reader" RoleBinding in the "rbac" module
# (referenced there as kubernetes_namespace.development.metadata[0].name), so the
# ClusterRole's permissions are granted only inside this namespace.
resource "kubernetes_namespace" "development" {
  metadata {
    name   = "development"
    labels = local.labels
  }
}

# Role and ClusterRole examples from the upstream RBAC docs, expressed through the
# local module. `roles` entries carry a namespaced Role plus its RoleBinding;
# `cluster_roles` entries carry a ClusterRole whose binding is either namespaced
# (role_binding_*) or cluster-wide (cluster_role_binding_*). Comments linking to
# the upstream docs are kept on each entry.
module "rbac" {
  # source = "aidan-melen/rbac/kubernetes"
  source = "../../"

  labels = local.labels

  roles = {
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-example
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example
    "pod-reader" = {
      role_namespace = "default"
      role_rules = [
        {
          api_groups = [""]
          resources  = ["pods"]
          verbs      = ["get", "watch", "list"]
        },
      ]

      # This role binding allows "jane" to read pods in the "default" namespace.
      # You need to already have a Role named "pod-reader" in that namespace.
      role_binding_name = "read-pods"
      role_binding_subjects = [
        {
          kind     = "User"
          name     = "jane" # Name is case sensitive
          apiGroup = "rbac.authorization.k8s.io"
        }
      ]
    },
  }

  cluster_roles = {
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrole-example
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example
    "secret-reader" = {
      # at the HTTP level, the name of the resource for accessing Secret
      # objects is "secrets"
      # "namespace" omitted since ClusterRoles are not namespaced
      cluster_role_rules = [
        {
          api_groups = [""]
          resources  = ["secrets"]
          verbs      = ["get", "watch", "list"]
        },
      ]

      # A ClusterRole bound through a namespaced RoleBinding: the rules are
      # defined once but take effect only where the binding lives.
      role_binding_name = "read-secret"
      # The namespace of the RoleBinding determines where the permissions are granted.
      # This only grants permissions within the "development" namespace.
      role_binding_namespace = kubernetes_namespace.development.metadata[0].name
      role_binding_subjects = [
        {
          kind     = "User"
          name     = "dave" # Name is case sensitive
          apiGroup = "rbac.authorization.k8s.io"
        }
      ]
    },

    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrole-example
    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example
    "secret-reader-global" = {
      # "namespace" omitted since ClusterRoles are not namespaced
      cluster_role_rules = [
        {
          api_groups = [""]
          resources  = ["secrets"]
          verbs      = ["get", "watch", "list"]
        },
      ]

      # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
      # NOTE(review): the broadest grant in this module call. Unlike "secret-reader"
      # above, the ClusterRoleBinding is cluster-wide, so every Secret in every
      # namespace is readable by the "manager" group.
      cluster_role_binding_name = "read-secrets-global"
      cluster_role_binding_subjects = [
        {
          kind     = "Group"
          name     = "manager" # Name is case sensitive
          apiGroup = "rbac.authorization.k8s.io"
        }
      ]
    }
  }
}

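# Binds the pre-existing, built-in "cluster-admin" ClusterRole to the user "bob"
# cluster-wide. `create_cluster_role = false` tells the module to bind to the
# existing ClusterRole instead of creating one. cluster-admin is the unrestricted
# superuser role, so this is the most privileged grant in the example and should
# be read as such.
# NOTE(review): this call does not pass `labels`, so its binding will not carry
# local.labels like the "rbac" module's objects do — presumably intentional; confirm.
module "pre_existing" {
  # source = "aidan-melen/rbac/kubernetes"
  source = "../../"

  cluster_roles = {
    "cluster-admin" = {
      create_cluster_role       = false
      cluster_role_binding_name = "cluster-admin-global"
      cluster_role_binding_subjects = [
        {
          kind = "User"
          name = "bob" # Name is case sensitive
          # Stated explicitly for consistency with the subjects in the "rbac"
          # module call; this is also the Kubernetes default for User/Group subjects.
          apiGroup = "rbac.authorization.k8s.io"
        }
      ]
    }
  }
}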

Running this module manually

  1. Install Terraform and make sure it's on your PATH.
  2. Run terraform init.
  3. Run terraform apply.
  4. When you're done, run terraform destroy.

Running automated tests against this module

  1. Install Terraform and make sure it's on your PATH.
  2. Install Golang and make sure this code is checked out into your GOPATH.
  3. cd test
  4. go test terraform_rbac_test.go -v

Requirements

Name Version
terraform >= 0.13.1
kubernetes >= 2.7.0

Providers

Name Version
kubernetes >= 2.7.0

Modules

Name Source Version
pre_existing ../../ n/a
rbac ../../ n/a

Resources

Name Type
kubernetes_namespace.development resource

Inputs

No inputs.

Outputs

Name Description
cluster_admin The cluster-admin pre-existing cluster role.
pod_reader The pod-reader role.
secret_reader The secret-reader cluster role.
secret_reader_global The secret-reader-global cluster role.