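terraform {
  # The locals below call startswith(), which only exists since Terraform 1.3.
  # The previous constraint "~> 1.0" also admitted 1.0-1.2, where evaluation of
  # this module is rejected with an unknown-function error.
  required_version = "~> 1.3"

  required_providers {
    kustomization = {
      source = "kbst/kustomization"
      # Allows any 0.x release from 0.9 upwards. Commit the generated
      # .terraform.lock.hcl so the exact provider version and its checksums
      # stay pinned across machines instead of floating within this range.
      version = "~> 0.9"
    }
  }
}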
variable "kustomization_data_source" {
  description = "This input accepts a kustomization_build or kustomization_overlay data source as input."

  # Shape of the kbst/kustomization data sources:
  #   ids       - every resource id produced by the build
  #   ids_prio  - the same ids split into priority sets; this module reads
  #               indices 0, 1 and 2
  #   manifests - resource id -> serialized manifest that gets applied
  # NOTE: manifests may include Secret objects in cleartext; everything fed
  # through this variable is recorded in the Terraform state.
  type = object({
    ids       = set(string)
    ids_prio  = list(set(string))
    manifests = map(string)
  })
}
variable "timeout" {
  description = "Timeout for create, update and delete"

  # Passed verbatim to the timeouts block of every kustomization_resource
  # below; a Terraform duration string such as "5m".
  type    = string
  default = "5m"
}
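locals {
  # Kubernetes RBAC may reject a binding whose roleRef does not exist yet (the
  # API server cannot verify that the binding grants no more than the caller
  # already holds, so it treats it as a potential privilege escalation).
  # Terraform applies the instances of a single resource in parallel, so the
  # roles are hoisted to prio 0; p1 depends_on all of p0 and therefore only
  # starts once every role exists.
  # ClusterRoles are hoisted as well: ClusterRoleBindings reference them, and a
  # RoleBinding may reference a ClusterRole too.
  # IDs have the shape <group>/<kind>/<namespace>/<name>, core group being "_".
  rbac_role_prefixes = [
    "rbac.authorization.k8s.io/Role/",
    "rbac.authorization.k8s.io/ClusterRole/",
  ]
  role_ids = toset([
    for id in var.kustomization_data_source.ids_prio[1] : id
    if anytrue([for prefix in local.rbac_role_prefixes : startswith(id, prefix)])
  ])

  # Secrets get their own resource so their manifest can be wrapped in
  # sensitive() and kept out of plan/apply output. NOTE: sensitive() does not
  # encrypt anything; the value is still stored in the Terraform state in
  # cleartext, so the state backend must be protected accordingly.
  secret_ids = toset([
    for id in var.kustomization_data_source.ids_prio[1] : id
    if startswith(id, "_/Secret/")
  ])

  # prio 0 as delivered by the data source, plus the hoisted roles
  p0 = setunion(var.kustomization_data_source.ids_prio[0], local.role_ids)

  p1_sensitive_ids = local.secret_ids

  # everything left in prio 1: neither a Secret nor a role moved to p0
  p1_nonsensitive_ids = setsubtract(
    var.kustomization_data_source.ids_prio[1],
    setunion(local.p1_sensitive_ids, local.role_ids)
  )
}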
# Priority 0: everything the data source put into ids_prio[0], plus the roles
# hoisted there by local.p0. No wait, no depends_on: this is the first wave.
resource "kustomization_resource" "p0" {
  for_each = local.p0

  manifest = var.kustomization_data_source.manifests[each.value]

  # One user-supplied duration for all three operations.
  timeouts {
    create = var.timeout
    update = var.timeout
    delete = var.timeout
  }
}
# Priority 1, Secrets only. The manifest is wrapped in sensitive() so Terraform
# redacts it from plan and apply output. This is output redaction only: the
# manifest is still written to the state in cleartext.
resource "kustomization_resource" "p1_sensitive" {
  for_each = local.p1_sensitive_ids

  manifest = sensitive(var.kustomization_data_source.manifests[each.value])
  wait     = true

  timeouts {
    create = var.timeout
    update = var.timeout
    delete = var.timeout
  }

  # Applied only after the whole p0 wave (namespaces, roles, ...) exists.
  depends_on = [kustomization_resource.p0]
}
# Priority 1, non-sensitive remainder of ids_prio[1] (Secrets and roles have
# been taken out by the locals). wait = true makes the provider block until the
# applied object reports ready, e.g. a Deployment or DaemonSet rollout.
resource "kustomization_resource" "p1" {
  for_each = local.p1_nonsensitive_ids

  manifest = var.kustomization_data_source.manifests[each.value]
  wait     = true

  timeouts {
    create = var.timeout
    update = var.timeout
    delete = var.timeout
  }

  # Explicit ordering after the complete p0 wave.
  depends_on = [kustomization_resource.p0]
}
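# Priority 2: everything in ids_prio[2], applied last.
# Prio 1 is split across two resources (p1 and p1_sensitive); the previous
# depends_on only named p1, so p2 could be created while Secrets from
# ids_prio[1] were still being applied. Both halves are listed now so p2 really
# follows the complete prio 1 wave.
resource "kustomization_resource" "p2" {
  for_each = var.kustomization_data_source.ids_prio[2]

  manifest = var.kustomization_data_source.manifests[each.value]

  timeouts {
    create = var.timeout
    update = var.timeout
    delete = var.timeout
  }

  depends_on = [
    kustomization_resource.p1,
    kustomization_resource.p1_sensitive,
  ]
}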
# Exposes the applied prio 0 resources (keyed by resource id) to the caller.
output "p0" {
  description = "Kustomization resources applied with priority 0"
  value       = kustomization_resource.p0
}
# Exposes the applied Secret resources (keyed by resource id) to the caller.
# The manifest attribute carries the sensitive() mark from the resource; if
# this module is ever used as the root module, Terraform requires such an
# output to declare `sensitive = true` (not set here so that callers can keep
# using the non-sensitive attributes, e.g. ids, without nonsensitive()).
output "p1_sensitive" {
  description = "Sensitive kustomization resources applied with priority 1"
  value       = kustomization_resource.p1_sensitive
}
# Exposes the applied non-sensitive prio 1 resources (keyed by resource id).
output "p1" {
  description = "Kustomization resources applied with priority 1"
  value       = kustomization_resource.p1
}
# Exposes the applied prio 2 resources (keyed by resource id) to the caller.
output "p2" {
  description = "Kustomization resources applied with priority 2"
  value       = kustomization_resource.p2
}