# User-assigned managed identity whose principal receives the role assignments
# below (presumably the AKS control-plane identity — confirm against the cluster
# resource). It lives in var.resource_group_name unless an explicit identity
# resource group is supplied.
resource "azurerm_user_assigned_identity" "main" {
  name                = local.identity_name
  resource_group_name = coalesce(var.user_assigned_identity_resource_group_name, var.resource_group_name)
  location            = var.location

  tags = local.uai_tags
}
# Private DNS Zone Contributor on the customer-managed private zone, scoped to
# that single zone only. Created solely for private clusters that bring their
# own zone, and skipped when the caller opts out via
# var.private_dns_zone_role_assignment_enabled (e.g. the assignment is managed
# elsewhere).
resource "azurerm_role_assignment" "uai_private_dns_zone_contributor" {
  count = (local.is_custom_dns_private_cluster && var.private_dns_zone_role_assignment_enabled) ? 1 : 0

  role_definition_name = "Private DNS Zone Contributor"
  scope                = var.private_dns_zone_id
  principal_id         = azurerm_user_assigned_identity.main.principal_id
}
# One Network Contributor assignment per subnet in local.subnet_ids, each
# scoped to the subnet itself rather than the VNet or resource group, so the
# identity cannot touch unrelated network resources.
resource "azurerm_role_assignment" "uai_subnets_network_contributor" {
  for_each = toset(local.subnet_ids)

  role_definition_name = "Network Contributor"
  scope                = each.value
  principal_id         = azurerm_user_assigned_identity.main.principal_id
}
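# Lets the identity manage the user-supplied route table when kubenet is
# combined with userDefinedRouting (kubenet writes pod CIDR routes into it).
# Network Contributor is the role Azure documents for this scenario and is
# sufficient for route/route-table writes; the previous "Contributor" grant
# also allowed arbitrary non-network operations on the route table and was
# wider than needed. A custom role limited to Microsoft.Network/routeTables/*
# would be tighter still if the organisation maintains one.
resource "azurerm_role_assignment" "uai_route_table_contributor" {
  count = local.is_kubenet && var.outbound_type == "userDefinedRouting" ? 1 : 0

  scope                = var.route_table_id
  principal_id         = azurerm_user_assigned_identity.main.principal_id
  role_definition_name = "Network Contributor"
}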
# Allow Kubelet Identity to manage AKS items in nodes RG.
# NOTE(review): this grants the kubelet (node) identity full Contributor over
# the entire node resource group. Any workload that can obtain the node's
# managed-identity token (e.g. via IMDS without a NMI/workload-identity
# block) inherits this right. AKS itself already grants the cluster identity
# Contributor on the node RG; confirm which node-side operations actually
# require this on the kubelet identity and, if possible, scope the grant to
# the specific resources or a narrower built-in role.
resource "azurerm_role_assignment" "kubelet_uai_nodes_rg_contributor" {
# Kubelet identity object id is only known after the cluster exists, so this
# implicitly depends on azurerm_kubernetes_cluster.main.
principal_id = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id
# Scope is the auto-created node resource group, not the cluster's own RG.
scope = format("/subscriptions/%s/resourceGroups/%s", data.azurerm_subscription.current.subscription_id, azurerm_kubernetes_cluster.main.node_resource_group)
role_definition_name = "Contributor"
}
# Grant the kubelet identity pull-only access to the integrated ACR so nodes
# can fetch images without a pull secret. The splat on var.container_registry_id
# yields zero elements when the variable is null, which disables the resource.
# create_before_destroy avoids a window with no pull permission when the
# registry id changes.
resource "azurerm_role_assignment" "kubelet_uai_acr_pull" {
  count = length(var.container_registry_id[*])

  role_definition_name = "AcrPull"
  scope                = var.container_registry_id
  principal_id         = azurerm_kubernetes_cluster.main.kubelet_identity[0].object_id

  lifecycle {
    create_before_destroy = true
  }
}
# Role assignment for ACI, if ACI is enabled.
# Looks up the service principal AKS creates for the ACI connector addon.
# NOTE(review): a display_name lookup is not guaranteed unique across the
# tenant — another SP with the same name (a cluster of the same name in
# another subscription, or a stale one from a previous deployment) could be
# matched and granted Network Contributor on the subnet below. Prefer the
# object id exposed by the cluster resource's aci connector block if the
# provider version in use offers it; otherwise document the assumption that
# the name is unique in the tenant.
data "azuread_service_principal" "aci_identity" {
# Zero elements when var.aci_subnet is null, i.e. ACI is not enabled.
count = length(var.aci_subnet[*])
display_name = "aciconnectorlinux-${local.name}"
# The SP only exists once the addon has been provisioned by the cluster.
depends_on = [azurerm_kubernetes_cluster.main]
}
# Network Contributor for the ACI connector principal, scoped to the ACI
# subnet only (var.aci_subnet.id). Created only when an ACI subnet is supplied;
# the index [0] is safe because count is 0 whenever the data source's count is 0.
resource "azurerm_role_assignment" "aci_assignment" {
  count = length(var.aci_subnet[*])

  role_definition_name = "Network Contributor"
  scope                = var.aci_subnet.id
  principal_id         = data.azuread_service_principal.aci_identity[0].id
}