From f07f4fce5e21cdda3ff087125df6e6df77f9f6d5 Mon Sep 17 00:00:00 2001
From: Daniele Monti <62102073+Monska85@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:36:21 +0200
Subject: [PATCH] feat: add toggle for user_access section that grants
permissions on the root namespace
---
CHANGELOG.md | 4 ++++
README.md | 1 +
files/config.yaml.tftpl | 8 ++++++++
main.tf | 2 +-
variables.tf | 6 ++++++
5 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8e9b9a..bccdbb6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
+### Added
+
+- Add the `gitlab_agent_grant_user_access_to_root_namespace` variable to grant the `user_access` permission on the root namespace.
+
## [0.4.0] - 2024-07-10
[Compare with previous version](https://github.com/sparkfabrik/terraform-gitlab-kubernetes-gitlab-agent/compare/0.3.0...0.4.0)
diff --git a/README.md b/README.md
index ad25424..4116c16 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ provider "gitlab" {
| [gitlab\_agent\_create\_variables\_in\_root\_namespace](#input\_gitlab\_agent\_create\_variables\_in\_root\_namespace) | Create two Gitlab CI/CD variables in the root namespace useful to configure the Kubernetes context and use the Gitlab Agent. These variables are created in the root namespace of the project defined in `gitlab_project_path_with_namespace`, which is the project that hosts the Gitlab Agent configuration. | `bool` | `true` | no |
| [gitlab\_agent\_custom\_config\_file\_content](#input\_gitlab\_agent\_custom\_config\_file\_content) | The content of the Gitlab Agent configuration file. If not provided and `gitlab_agent_grant_access_to_entire_root_namespace` is true, the default configuration file will be used and the root namespace will be granted access to the Gitlab Agent. If you set this variable, it takes precedence over `gitlab_agent_grant_access_to_entire_root_namespace`. | `string` | `""` | no |
| [gitlab\_agent\_grant\_access\_to\_entire\_root\_namespace](#input\_gitlab\_agent\_grant\_access\_to\_entire\_root\_namespace) | Grant access to the entire root namespace. If false, you can provide a custom configuration file content using the variable `gitlab_agent_custom_config_file_content`. Otherwise, you will have to manually manage the access to the Gitlab Agent committing the proper configuration to the Gitlab project. | `bool` | `true` | no |
+| [gitlab\_agent\_grant\_user\_access\_to\_root\_namespace](#input\_gitlab\_agent\_grant\_user\_access\_to\_root\_namespace) | Grant `user_access` to the root namespace. | `bool` | `false` | no |
| [gitlab\_agent\_name](#input\_gitlab\_agent\_name) | The name of the Gitlab Agent. | `string` | n/a | yes |
| [gitlab\_agent\_token\_description](#input\_gitlab\_agent\_token\_description) | The description of the Gitlab Agent token. You can use the placeholder `{{gitlab_agent_name}}` to reference the Gitlab Agent name. | `string` | `"Token for the Gitlab Agent {{gitlab_agent_name}}."` | no |
| [gitlab\_agent\_token\_name](#input\_gitlab\_agent\_token\_name) | The name of the Gitlab Agent token. You can use the placeholder `{{gitlab_agent_name}}` to reference the Gitlab Agent name. | `string` | `"{{gitlab_agent_name}}-token"` | no |
diff --git a/files/config.yaml.tftpl b/files/config.yaml.tftpl
index c4d0861..3f60a79 100644
--- a/files/config.yaml.tftpl
+++ b/files/config.yaml.tftpl
@@ -2,6 +2,14 @@ ci_access:
groups:
- id: ${root_namespace}
+%{~ if gitlab_agent_grant_user_access_to_root_namespace }
+user_access:
+ access_as:
+ agent: {}
+ groups:
+ - id: ${root_namespace}
+%{~ endif ~}
+
%{~ if trimspace(gitlab_agent_append_to_config_file) != "" }
${gitlab_agent_append_to_config_file}
%{~ endif ~}
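Review bot: The added `user_access` block hard-codes `access_as: agent: {}`, so enabling the toggle lets members of the root namespace reach the cluster with the agent's own service-account identity rather than their own, and the `groups` entry at root-namespace scope extends that to every member of the root group who meets GitLab's role threshold for user access — a broad grant that nothing in this hunk or in the variable description added in variables.tf calls out. A rendered YAML comment above the key would keep the consequence visible in the committed agent config, e.g. `# user_access: root-namespace members act in the cluster as the agent's service account`, and the variables.tf description should state the same. If per-user impersonation is ever wanted instead, the hard-coded `agent: {}` will have to become a template input rather than a literal; as written the toggle offers only the agent-identity form.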
diff --git a/main.tf b/main.tf
index d0aec2c..051d87e 100644
--- a/main.tf
+++ b/main.tf
@@ -15,7 +15,7 @@ locals {
k8s_gitlab_agent_token_secret_name_computed = replace(var.k8s_gitlab_agent_token_secret_name, "{{gitlab_agent_name}}", var.gitlab_agent_name)
# Gitlab Agent configuration file
- final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : (var.gitlab_agent_grant_access_to_entire_root_namespace ? templatefile("${path.module}/files/config.yaml.tftpl", { root_namespace = data.gitlab_group.root_namespace.path, gitlab_agent_append_to_config_file = var.gitlab_agent_append_to_config_file }) : "")
+ final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : (var.gitlab_agent_grant_access_to_entire_root_namespace ? templatefile("${path.module}/files/config.yaml.tftpl", { root_namespace = data.gitlab_group.root_namespace.path, gitlab_agent_append_to_config_file = var.gitlab_agent_append_to_config_file, gitlab_agent_grant_user_access_to_root_namespace = var.gitlab_agent_grant_user_access_to_root_namespace }) : "")
# Gitlab Agent CI/CD variables
gitlab_agent_kubernetes_context_variables = {
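Review bot: The new `gitlab_agent_grant_user_access_to_root_namespace` value is only handed to `templatefile` in the branch taken when `gitlab_agent_grant_access_to_entire_root_namespace` is true and no custom config content is set, so turning the new toggle on under any other combination is a silent no-op, and the reverse also holds: once both flags are true the rendered config grants user access with no further opt-in. The description added in the variables.tf hunk does not mention this coupling, unlike the neighbouring `gitlab_agent_append_to_config_file` description; I would extend it to `description = "Grant user_access to the root namespace. This variable is only used when gitlab_agent_grant_access_to_entire_root_namespace is true and gitlab_agent_custom_config_file_content is empty."`. A precondition rejecting the inconsistent combination would be stricter, but the description is the minimum. The `locals` block continues outside the hunk.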
diff --git a/variables.tf b/variables.tf
index 550af33..45a787d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,6 +26,12 @@ variable "gitlab_agent_grant_access_to_entire_root_namespace" {
default = true
}
+variable "gitlab_agent_grant_user_access_to_root_namespace" {
+ description = "Grant `user_access` to the root namespace."
+ type = bool
+ default = false
+}
+
variable "gitlab_agent_append_to_config_file" {
description = "Append the Gitlab Agent configuration to the configuration file created for the entire root namespace. This variable is only used when `gitlab_agent_grant_access_to_entire_root_namespace` is true."
type = string