Add ClusterRoleBinding and small corrections to GKE OIDC config (#2323)

alexsomesan · web-flow · commit 0cdc94587bcc · 2023-10-18T15:47:12.000+02:00
diff --git a/_examples/eks/eks-oidc/main.tf b/_examples/eks/eks-oidc/main.tf
@@ -21,7 +21,7 @@ variable "rbac_group_oidc_claim" {
   default = "terraform_organization_name"
 }
 
-variable "rbac_admin_group_name" {
+variable "rbac_oidc_group_name" {
   type = string
 }
 
@@ -69,6 +69,6 @@ resource "kubernetes_cluster_role_binding_v1" "oidc_role" {
   subject {
     api_group = "rbac.authorization.k8s.io"
     kind      = "Group"
-    name      = var.rbac_admin_group_name
+    name      = var.rbac_oidc_group_name
   }
 }
diff --git a/_examples/gke/gke-oidc/k8s.tf b/_examples/gke/gke-oidc/k8s.tf
@@ -33,11 +33,29 @@ resource "kubernetes_manifest" "oidc_conf" {
             clientID                 = var.oidc_audience
             issuerURI                = var.odic_issuer_uri
             userClaim                = var.oidc_user_claim
-            groupClaim               = var.oidc_group_claim
+            groupsClaim              = var.oidc_group_claim
             certificateAuthorityData = var.TFE_CA_cert
           }
         }
       ]
     }
   }
 }
+
+resource "kubernetes_cluster_role_binding_v1" "oidc_role" {
+  metadata {
+    name = "odic-identity"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.rbac_group_cluster_role
+  }
+
+  subject {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Group"
+    name      = var.rbac_oidc_group_name
+  }
+}
diff --git a/_examples/gke/gke-oidc/variables.tf b/_examples/gke/gke-oidc/variables.tf
@@ -40,3 +40,13 @@ variable "TFE_CA_cert" {
   type        = string
   default     = null
 }
+
+variable "rbac_oidc_group_name" {
+  description = "Name of OIDC group (according to 'oidc_group_claim') to be granted the role designated by 'var.rbac_group_cluster_role'"
+  type = string
+}
+
+variable "rbac_group_cluster_role" {
+  description = "Kubernetes role to be bound to the OIDC group designated by 'var.rbac_oidc_group_name'"
+  default = "cluster-admin"
+}

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ variable "rbac_group_oidc_claim" {`
`21`	`21`	`default = "terraform_organization_name"`
`22`	`22`	`}`
`23`	`23`
`24`		`-variable "rbac_admin_group_name" {`
	`24`	`+variable "rbac_oidc_group_name" {`
`25`	`25`	`type = string`
`26`	`26`	`}`
`27`	`27`
`@@ -69,6 +69,6 @@ resource "kubernetes_cluster_role_binding_v1" "oidc_role" {`
`69`	`69`	`subject {`
`70`	`70`	`api_group = "rbac.authorization.k8s.io"`
`71`	`71`	`kind = "Group"`
`72`		`- name = var.rbac_admin_group_name`
	`72`	`+ name = var.rbac_oidc_group_name`
`73`	`73`	`}`
`74`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,11 +33,29 @@ resource "kubernetes_manifest" "oidc_conf" {`
`33`	`33`	`clientID = var.oidc_audience`
`34`	`34`	`issuerURI = var.odic_issuer_uri`
`35`	`35`	`userClaim = var.oidc_user_claim`
`36`		`- groupClaim = var.oidc_group_claim`
	`36`	`+ groupsClaim = var.oidc_group_claim`
`37`	`37`	`certificateAuthorityData = var.TFE_CA_cert`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`	`]`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`}`
	`44`	`+`
	`45`	`+resource "kubernetes_cluster_role_binding_v1" "oidc_role" {`
	`46`	`+ metadata {`
	`47`	`+ name = "odic-identity"`
	`48`	`+ }`
	`49`	`+`
	`50`	`+ role_ref {`
	`51`	`+ api_group = "rbac.authorization.k8s.io"`
	`52`	`+ kind = "ClusterRole"`
	`53`	`+ name = var.rbac_group_cluster_role`
	`54`	`+ }`
	`55`	`+`
	`56`	`+ subject {`
	`57`	`+ api_group = "rbac.authorization.k8s.io"`
	`58`	`+ kind = "Group"`
	`59`	`+ name = var.rbac_oidc_group_name`
	`60`	`+ }`
	`61`	`+}`