Merge pull request #27424 from ministryofjustice/adding-service-acc-p…

…ermissions adding service account permissions for stateful sets and volumes
ministryofjustice · Nov 1, 2024 · 3c02649 · 3c02649
2 parents bc20464 + d698df7
commit 3c02649
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/...spaces/live.cloud-platform.service.justice.gov.uk/laa-sds-dev/resources/serviceaccount.tf b/...spaces/live.cloud-platform.service.justice.gov.uk/laa-sds-dev/resources/serviceaccount.tf
@@ -6,6 +6,7 @@ module "serviceaccount" {
 
   serviceaccount_token_rotated_date = "01-01-2000"
   serviceaccount_name = "laa-sds-serviceaccount-dev"
+  serviceaccount_rules = var.serviceaccount_rules
 
   # Uncomment and provide repository names to create github actions secrets
   # containing the ca.crt and token for use in github actions CI/CD pipelines

diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/laa-sds-dev/resources/variables.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/laa-sds-dev/resources/variables.tf
@@ -71,3 +71,72 @@ variable "github_token" {
 variable "eks_cluster_name" {
   description = "The name of the EKS cluster"
 }
+
+variable "serviceaccount_rules" {
+  description = "The capabilities of this serviceaccount"
+
+  type = list(object({
+    api_groups = list(string),
+    resources  = list(string),
+    verbs      = list(string)
+  }))
+
+  # These values are usually sufficient for a CI/CD pipeline
+  default = [
+    {
+      api_groups = [""]
+      resources = [
+        "pods/portforward",
+        "deployment",
+        "secrets",
+        "services",
+        "serviceaccounts",
+        "pods",
+        "pods/exec",
+        "configmaps",
+        "statefulsets",
+        "persistentvolumeclaims",
+      ]
+      verbs = [
+        "patch",
+        "get",
+        "create",
+        "update",
+        "delete",
+        "list",
+        "watch",
+        "update",
+      ]
+    },
+    {
+      api_groups = [
+        "extensions",
+        "apps",
+        "batch",
+        "networking.k8s.io",
+        "monitoring.coreos.com",
+        "policy",
+      ]
+      resources = [
+        "deployments",
+        "ingresses",
+        "cronjobs",
+        "jobs",
+        "replicasets",
+        "statefulsets",
+        "servicemonitors",
+        "networkpolicies",
+        "poddisruptionbudgets",
+      ]
+      verbs = [
+        "get",
+        "update",
+        "delete",
+        "create",
+        "patch",
+        "list",
+        "watch",
+      ]
+    }
+  ]
+}