Added role for github runner for deploy to dev namespace, move rolebi…

…nding to code for github-runner deploy
maddevsio · Aug 23, 2024 · 68a0d2b · 68a0d2b
1 parent 1686fa2
commit 68a0d2b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 32 deletions.
diff --git a/terraform/modules/k8s-addons/eks-dev-namespace.tf b/terraform/modules/k8s-addons/eks-dev-namespace.tf
@@ -12,27 +12,4 @@ module "dev_namespace" {
   name             = local.dev_namespace.namespace
   network_policies = []
 
-  depends_on = [helm_release.gha_runner_scale_set]
 }
-resource "kubectl_manifest" "github_runner_role_binding" {
-  count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0
-
-  yaml_body = <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: github-runner-role-binding
-  namespace: ${local.dev_namespace.namespace}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: gha-runner-scale-set-gha-rs-no-permission
-  namespace: ${module.gha_runner_scale_set_controller_namespace[0].name}
-EOF
-
-  depends_on = [module.dev_namespace]
-}
-
diff --git a/terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf b/terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf
@@ -1,13 +1,13 @@
 locals {
   gha_runner_scale_set = {
-    name          = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].id
-    enabled       = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].enabled
-    chart         = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart
-    chart_version = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart_version
-    namespace     = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
+    name                 = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].id
+    enabled              = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].enabled
+    chart                = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart
+    chart_version        = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart_version
+    namespace            = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
+    service_account_name = "gha-runner-scale-set-gha-rs-no-permission"
   }
   kube_github_runner_github_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "github_pat_token", "")
-  service_account_name            = "gha-runner-scale-set-gha-rs-no-permission"
   eks_oidc_provider_url           = replace("${data.aws_eks_cluster.main.identity[0].oidc[0].issuer}" , "https://", "")
 
   gha_runner_scale_set_values = <<VALUES
@@ -27,7 +27,7 @@ containerMode:
 
 template:
   spec:
-    serviceAccountName: ${local.service_account_name}
+    serviceAccountName: ${local.gha_runner_scale_set.service_account_name}
     containers:
       - name: runner
         image: ghcr.io/actions/actions-runner:latest
@@ -61,7 +61,7 @@ metadata:
     app.kubernetes.io/instance: gha-runner-scale-set
     app.kubernetes.io/name: gha-runner-scale-set
     app.kubernetes.io/part-of: gha-rs
-  name: ${local.service_account_name}
+  name: ${local.gha_runner_scale_set.service_account_name}
   namespace: ${local.gha_runner_scale_set.namespace}
 EOF
 
@@ -108,7 +108,7 @@ data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
     condition {
       test     = "StringEquals"
       variable = "${local.eks_oidc_provider_url}:sub"
-      values   = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.service_account_name}"]
+      values   = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.gha_runner_scale_set.service_account_name}"]
     }
   }
 }
@@ -140,3 +140,44 @@ data "aws_iam_policy_document" "github_actions_runner_policy" {
   }
 }
 
+resource "kubectl_manifest" "github_runner_role" {
+  count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0
+
+  yaml_body = <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: ${local.dev_namespace.namespace}
+  name: github-runner-deploy-role
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments","replicasets"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["services","secrets"]
+  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["*"]
+EOF
+}
+
+resource "kubectl_manifest" "github_runner_role_binding" {
+  count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0
+
+  yaml_body = <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: github-runner-role-binding
+  namespace: ${local.dev_namespace.namespace}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ${kubectl_manifest.github_runner_role[0].name}
+subjects:
+- kind: ServiceAccount
+  name: ${local.gha_runner_scale_set.service_account_name}
+  namespace: ${local.gha_runner_scale_set.namespace}
+EOF
+}