# Every rule in the CI/CD ClusterRole below grants the same verb set: full
# create/update/delete plus read and watch. It is hoisted here so the grant
# is stated once and a reader can see at a glance what is NOT granted:
# there is no "*", "bind", "escalate" or "impersonate" verb, so the API
# server's RBAC escalation check still applies when this identity creates
# or binds roles.
locals {
  ci_cd_rw_verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
}

# Cluster-wide role used by the Terraform CI/CD pipeline.
#
# NOTE(review): although no wildcard is used, the combination below is in
# practice close to cluster-admin — cluster-wide read/write of secrets and
# serviceaccounts, pod creation in any namespace (including kube-system),
# and write access to (cluster)roles, CRDs and PodSecurityPolicies. Treat
# the token issued for this identity as a cluster-admin credential and
# scope it down (namespaced RoleBindings, fewer verbs) where the pipeline
# allows; which rights the pipeline actually needs cannot be told from here.
resource "kubernetes_cluster_role" "ci_cd" {
  metadata {
    name = "ci-cd"
  }

  # Core API group: workload plumbing plus secrets and serviceaccounts.
  rule {
    api_groups = [""]
    resources = [
      "configmaps",
      "persistentvolumes",
      "persistentvolumeclaims",
      "pods",
      "namespaces",
      "secrets",
      "serviceaccounts",
      "services",
    ]
    verbs = local.ci_cd_rw_verbs
  }

  rule {
    api_groups = ["apps"]
    resources = [
      "deployments",
      "replicasets", # needed for 'helm upgrade --wait'
    ]
    verbs = local.ci_cd_rw_verbs
  }

  rule {
    api_groups = ["autoscaling"]
    resources  = ["horizontalpodautoscalers"]
    verbs      = local.ci_cd_rw_verbs
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses", "networkpolicies"]
    verbs      = local.ci_cd_rw_verbs
  }

  # CRD write access lets the pipeline install operators/charts that ship
  # their own API types; deleting a CRD also deletes every object of that type.
  rule {
    api_groups = ["apiextensions.k8s.io"]
    resources  = ["customresourcedefinitions"]
    verbs      = local.ci_cd_rw_verbs
  }

  # RBAC objects: needed for charts that create their own roles. Without the
  # "bind"/"escalate" verbs, any role this identity creates or binds is limited
  # to permissions it already holds.
  rule {
    api_groups = ["rbac.authorization.k8s.io"]
    resources = [
      "clusterrolebindings",
      "clusterroles",
      "rolebindings",
      "roles",
    ]
    verbs = local.ci_cd_rw_verbs
  }

  # NOTE(review): the PodSecurityPolicy API was removed from Kubernetes in
  # 1.25; on such clusters this rule is inert. Confirm the target version.
  rule {
    api_groups = ["policy"]
    resources  = ["podsecuritypolicies"]
    verbs      = local.ci_cd_rw_verbs
  }
}

# Identity the pipeline authenticates as. It lives in kube-system, and token
# auto-mounting is disabled so no pod silently receives this credential;
# a token has to be issued for it deliberately (e.g. via TokenRequest).
resource "kubernetes_service_account" "terraform_ci_cd" {
  metadata {
    namespace = "kube-system"
    name      = "terraform-ci-cd"
  }

  automount_service_account_token = false
}

# Bind the pipeline identity to the cluster-wide role above. A
# ClusterRoleBinding makes every rule apply in all namespaces; a namespaced
# RoleBinding to the same ClusterRole would confine the grant to one namespace.
resource "kubernetes_cluster_role_binding" "terraform_ci_is_a_ci" {
  metadata {
    name = "terraform-ci-cd-is-a-ci-cd"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.ci_cd.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.terraform_ci_cd.metadata[0].name
    namespace = kubernetes_service_account.terraform_ci_cd.metadata[0].namespace
  }
}