# Associates an external OIDC identity provider with the EKS cluster by
# shelling out to the AWS CLI once the cluster and FSx storage modules exist.
# The claim mapping (usernamePrefix "oidcuser:", groupsPrefix "oidcgroup:")
# is what the kubernetes_cluster_role_binding subjects in this file key on.
resource "null_resource" "enable-oidc" {
  # Single-tenant clusters only. Unlike the role bindings below this is not
  # gated on var.oidc_enabled — presumably intentional, confirm with the
  # module owner.
  count = var.multitenant_enabled == false ? 1 : 0

  depends_on = [module.cluster, module.fsx-storage]

  provisioner "local-exec" {
    # NOTE(review): var.region and var.label are interpolated unquoted into a
    # shell command line; values containing shell metacharacters would break
    # or alter the invocation. No `triggers` are declared, so this command
    # runs only when the resource is first created, not when those
    # variables change.
    command = "aws --region ${var.region} eks associate-identity-provider-config --cluster-name ${var.label} --oidc identityProviderConfigName=google-ws,issuerUrl=https://keycloak.devops.indico.io/auth/realms/GoogleAuth,clientId=kube-oidc-proxy,usernameClaim=sub,usernamePrefix=oidcuser:,groupsClaim=groups,groupsPrefix=oidcgroup:"
  }
}
# Binds the engineering, qa and devops OIDC groups to the built-in
# cluster-admin ClusterRole, i.e. unrestricted control of the whole cluster.
# Created only for single-tenant clusters in an "indico-" AWS account with
# OIDC enabled. Note that "eng-qa-rbac-bindings" and "devops-rbac-bindings"
# below grant the same role to subsets of these groups again.
resource "kubernetes_cluster_role_binding" "cod-role-bindings" {
  # strcontains() needs a Terraform release that provides it; the account
  # check is case-insensitive via lower().
  count = var.oidc_enabled == true && strcontains(lower(var.aws_account), "indico-") && var.multitenant_enabled == false ? 1 : 0

  metadata {
    name = "oidc-cod-admins"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  # Group names carry the "oidcgroup:" prefix configured as groupsPrefix in
  # the enable-oidc provisioner above.
  subject {
    kind      = "Group"
    name      = "oidcgroup:engineering@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "Group"
    name      = "oidcgroup:qa@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "Group"
    name      = "oidcgroup:devops@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  # The role binding is applied only after the cluster has settled.
  depends_on = [module.cluster, time_sleep.wait_1_minutes_after_cluster]
}
# Binds the engineering and qa OIDC groups to cluster-admin. Its count
# condition is identical to "cod-role-bindings", which already includes both
# groups, so this binding is redundant with it — kept as-is, but a candidate
# for consolidation.
resource "kubernetes_cluster_role_binding" "eng-qa-rbac-bindings" {
  count = var.oidc_enabled == true && strcontains(lower(var.aws_account), "indico-") && var.multitenant_enabled == false ? 1 : 0

  metadata {
    name = "oidc-cod-eng-qa-admins"
  }

  # cluster-admin grants unrestricted cluster access to every member of the
  # groups listed below.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    kind      = "Group"
    name      = "oidcgroup:engineering@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "Group"
    name      = "oidcgroup:qa@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  depends_on = [module.cluster, time_sleep.wait_1_minutes_after_cluster]
}
# Binds the devops OIDC group to cluster-admin. Unlike the two bindings above
# this one is not restricted to "indico-" AWS accounts, so it is the only
# cluster-admin binding created for single-tenant clusters in other accounts.
resource "kubernetes_cluster_role_binding" "devops-rbac-bindings" {
  count = var.oidc_enabled == true && var.multitenant_enabled == false ? 1 : 0

  metadata {
    name = "oidc-cod-devops-admins"
  }

  # cluster-admin: full, unrestricted control of the cluster.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  # Group name uses the "oidcgroup:" prefix set by the enable-oidc
  # provisioner above.
  subject {
    kind      = "Group"
    name      = "oidcgroup:devops@indico.io"
    api_group = "rbac.authorization.k8s.io"
  }

  depends_on = [module.cluster, time_sleep.wait_1_minutes_after_cluster]
}