first commit!

Author: ridwanbejo

.github/workflows/action.yml

@@ -0,0 +1,52 @@
+name: "Terraform-MongoDB-User Module"
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  terraform-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.6.3
+
+      - uses: terraform-linters/setup-tflint@v3
+        name: Setup TFLint
+        with:
+          tflint_version: v0.44.1
+
+      - name: Terraform Init
+        id: tf-init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: tf-validate
+        run: terraform validate
+
+      - name: Terraform Format Check
+        id: tf-fmt-check
+        run: terraform fmt -recursive -check
+        continue-on-error: true
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        run: tflint -f compact
+
+      - name: TFSec
+        uses: aquasecurity/[email protected]
+        with:
+          soft_fail: true

.gitignore

@@ -0,0 +1,37 @@
+.DS_Store
+*.lock.hcl
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+# *.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v2.3.0
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-added-large-files
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.64.1
+  hooks:
+  - id: terraform_validate
+  - id: terraform_fmt
+  - id: terraform_tflint
+  - id: terraform_tfsec

LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2023, ridwanfs
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,68 @@
+# Terraform Kubernetes IAM
+
+This is a Terraform module for managing IAM at Kubernetes. You can use this module both for commercial or non-commercial purposes.
+
+Currently, you can manage these resources in Kubernetes by using this module:
+
+- service account
+- token requests
+- role
+- role binding
+- cluster role
+- cluster role binding
+
+Tested in:
+
+- Minikube
+
+## A. Prerequisites
+
+Requirements:
+
+- Terraform with version >= 1.4
+
+## B. How to use this module for your Terraform project ?
+
+You can check any examples projects that use this module under `examples` directory.
+
+- iam-1-basic
+- iam-2-role-binding
+- iam-3-cluster-role-binding
+- iam-4-token
+
+## C. Understanding tfvars scenarios
+
+You can check any examples tfvars that use this module under `examples` directory.
+
+- iam-1-basic
+- iam-2-role-binding
+- iam-3-cluster-role-binding
+- iam-4-token
+
+## D. Ensuring quality
+
+I am trying to follow these approaches for ensuring quality of the tf-module:
+
+- **validate**, ensure my Terraform module is in correct configuration based on Terraform guideline
+- **auto-format**, ensure my Terraform script is edited with correct format based on Terraform guideline
+- **linter**, ensure my Terraform script is in correct format based on Terraform guideline
+- **security**, ensure my Terraform module is free from CVE and stay compliance
+- **automation**, run all above steps by using automation tool to improve development time and keep best quality before or after merging to Git repository
+
+
+The tools:
+
+- [terraform validate](https://developer.hashicorp.com/terraform/cli/commands)
+- [terraform fmt](https://developer.hashicorp.com/terraform/cli/commands)
+- [tflint](https://github.com/terraform-lint48ers/tflint)
+- [tfsec](https://github.com/aquasecurity/tfsec)
+- [Pre-commit](https://pre-commit.com/)
+- Github Action [Setup Terraform pipeline](https://github.com/hashicorp/setup-terraform)
+
+## E. How to contribute ?
+
+If you find any issue, you can raise it here at our [Issue Tracker](https://github.com/ridwanbejo/terraform-kubernetes-iam/issues)
+
+If you have something that you want to merge to this repo, just raise [Pull Requests](https://github.com/ridwanbejo/terraform-kubernetes-iam/pulls)
+
+Ensure that you install all the tools from section D. for development purpose.

TFDOCS.md

@@ -0,0 +1,53 @@
+
+# Terraform-Kubernetes-IAM module
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | 2.25.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.25.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_cluster_role_binding_v1.cluster_role_bindings](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/cluster_role_binding_v1) | resource |
+| [kubernetes_cluster_role_v1.cluster_roles](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/cluster_role_v1) | resource |
+| [kubernetes_role_binding_v1.role_bindings](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/role_binding_v1) | resource |
+| [kubernetes_role_v1.roles](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/role_v1) | resource |
+| [kubernetes_service_account_v1.service_accounts](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/service_account_v1) | resource |
+| [kubernetes_token_request_v1.tokens](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.1/docs/resources/token_request_v1) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_role_bindings"></a> [cluster\_role\_bindings](#input\_cluster\_role\_bindings) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>    })<br><br>    role_ref = object({<br>      api_group = string<br>      kind      = string<br>      name      = string <br>    })<br><br>    subject = list(object({<br>      name      = string<br>      namespace = optional(string)<br>      kind      = string<br>      api_group = optional(string)<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_cluster_roles"></a> [cluster\_roles](#input\_cluster\_roles) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>    })<br><br>    rule = optional(list(object({<br>      verbs             = list(string)<br>      api_groups        = optional(list(string))<br>      resources         = optional(list(string))<br>      resource_names    = optional(list(string))<br>      non_resource_urls = optional(list(string))<br>    })))<br><br>    aggregation_rule = optional(object({<br>      cluster_role_selectors = optional(object({<br>        match_labels = optional(map(string))<br>        match_expressions = optional(list(object({<br>          key = optional(string)<br>          operator = optional(string)<br>          values = optional(list(string))<br>        })))<br>      }))<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_role_bindings"></a> [role\_bindings](#input\_role\_bindings) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>      namespace   = optional(string)<br>    })<br><br>    role_ref = object({<br>      api_group = string<br>      kind      = string<br>      name      = string <br>    })<br><br>    subject = list(object({<br>      name      = string<br>      namespace = optional(string)<br>      kind      = string<br>      api_group = optional(string)<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_roles"></a> [roles](#input\_roles) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>      namespace   = optional(string)<br>    })<br><br>    rule = list(object({<br>      verbs             = list(string)<br>      api_groups        = optional(list(string))<br>      resources         = optional(list(string))<br>      resource_names    = optional(list(string))<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_service_accounts"></a> [service\_accounts](#input\_service\_accounts) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>      namespace   = optional(string)<br>    })<br><br>    secret = optional(list(object({<br>      name = optional(string)<br>    })))<br><br>    image_pull_secret = optional(list(object({<br>      name = optional(string)<br>    })))<br><br>    automount_service_account_token = optional(bool)<br>  }))</pre> | n/a | yes |
+| <a name="input_token_requests"></a> [token\_requests](#input\_token\_requests) | n/a | <pre>list(object({<br>    metadata = object({<br>      annotations = optional(map(any))<br>      labels      = optional(map(any))<br>      name        = string<br>      namespace   = optional(string)<br>    })<br><br>    spec = optional(object({<br>      expiration_seconds = optional(number)<br>      audiences          = optional(list(string))<br><br>      bound_object_ref = optional(object({<br>        api_version = optional(string)<br>        kind        = optional(string)<br>        name        = optional(list(string))<br>        uid         = optional(list(string))<br>      }))<br>    }))<br>  }))</pre> | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kubernetes_cluster_role_bindings"></a> [kubernetes\_cluster\_role\_bindings](#output\_kubernetes\_cluster\_role\_bindings) | List of Kubernetes cluster role bindings |
+| <a name="output_kubernetes_cluster_roles"></a> [kubernetes\_cluster\_roles](#output\_kubernetes\_cluster\_roles) | List of Kubernetes cluster roles |
+| <a name="output_kubernetes_role_bindings"></a> [kubernetes\_role\_bindings](#output\_kubernetes\_role\_bindings) | List of Kubernetes role bindings |
+| <a name="output_kubernetes_roles"></a> [kubernetes\_roles](#output\_kubernetes\_roles) | List of Kubernetes roles |
+| <a name="output_kubernetes_service_accounts"></a> [kubernetes\_service\_accounts](#output\_kubernetes\_service\_accounts) | List of Kubernetes service accounts |
+| <a name="output_kubernetes_token_requests"></a> [kubernetes\_token\_requests](#output\_kubernetes\_token\_requests) | List of Kubernetes token requests |
+<!-- END_TF_DOCS -->

examples/iam-1-basic/README.md

@@ -0,0 +1,44 @@
+# Basic example for Terraform-Kubernetes-IAM module
+
+To run this example you need to execute:
+
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | 2.25.1 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_tf_kube_iam"></a> [tf\_kube\_iam](#module\_tf\_kube\_iam) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_kube_service_accounts"></a> [kube\_service\_accounts](#input\_kube\_service\_accounts) | n/a | `list(any)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kube_service_accounts"></a> [kube\_service\_accounts](#output\_kube\_service\_accounts) | Current Kubernetes service accounts |
+<!-- END_TF_DOCS -->

examples/iam-1-basic/main.tf

@@ -0,0 +1,10 @@
+module "tf_kube_iam" {
+  source = "../../"
+
+  service_accounts      = var.kube_service_accounts
+  token_requests        = []
+  cluster_roles         = []
+  cluster_role_bindings = []
+  roles                 = []
+  role_bindings         = []
+}

examples/iam-1-basic/outputs.tf

@@ -0,0 +1,4 @@
+output "kube_service_accounts" {
+  description = "Current Kubernetes service accounts"
+  value       = module.tf_kube_iam.kubernetes_service_accounts
+}

examples/iam-1-basic/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.4"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.25.1"
+    }
+  }
+}
+
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+  config_context = "minikube"
+}