feat: add toggle for user_access section that grants permissions on the root namespace

CHANGELOG.md

@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Added
+
+- Add the `gitlab_agent_grant_user_access_to_root_namespace` variable to grant the `user_access` permission on the root namespace.
+
 ## [0.4.0] - 2024-07-10
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-gitlab-kubernetes-gitlab-agent/compare/0.3.0...0.4.0)

README.md

@@ -57,6 +57,7 @@ provider "gitlab" {
 | <a name="input_gitlab_agent_create_variables_in_root_namespace"></a> [gitlab\_agent\_create\_variables\_in\_root\_namespace](#input\_gitlab\_agent\_create\_variables\_in\_root\_namespace) | Create two Gitlab CI/CD variables in the root namespace useful to configure the Kubernetes context and use the Gitlab Agent. These variables are created in the root namespace of the project defined in `gitlab_project_path_with_namespace`, which is the project that hosts the Gitlab Agent configuration. | `bool` | `true` | no |
 | <a name="input_gitlab_agent_custom_config_file_content"></a> [gitlab\_agent\_custom\_config\_file\_content](#input\_gitlab\_agent\_custom\_config\_file\_content) | The content of the Gitlab Agent configuration file. If not provided and `gitlab_agent_grant_access_to_entire_root_namespace` is true, the default configuration file will be used and the root namespace will be granted access to the Gitlab Agent. If you set this variable, it takes precedence over `gitlab_agent_grant_access_to_entire_root_namespace`. | `string` | `""` | no |
 | <a name="input_gitlab_agent_grant_access_to_entire_root_namespace"></a> [gitlab\_agent\_grant\_access\_to\_entire\_root\_namespace](#input\_gitlab\_agent\_grant\_access\_to\_entire\_root\_namespace) | Grant access to the entire root namespace. If false, you can provide a custom configuration file content using the variable `gitlab_agent_custom_config_file_content`. Otherwise, you will have to manually manage the access to the Gitlab Agent committing the proper configuration to the Gitlab project. | `bool` | `true` | no |
+| <a name="input_gitlab_agent_grant_user_access_to_root_namespace"></a> [gitlab\_agent\_grant\_user\_access\_to\_root\_namespace](#input\_gitlab\_agent\_grant\_user\_access\_to\_root\_namespace) | Grant `user_access` to the root namespace. | `bool` | `false` | no |
 | <a name="input_gitlab_agent_name"></a> [gitlab\_agent\_name](#input\_gitlab\_agent\_name) | The name of the Gitlab Agent. | `string` | n/a | yes |
 | <a name="input_gitlab_agent_token_description"></a> [gitlab\_agent\_token\_description](#input\_gitlab\_agent\_token\_description) | The description of the Gitlab Agent token. You can use the placeholder `{{gitlab_agent_name}}` to reference the Gitlab Agent name. | `string` | `"Token for the Gitlab Agent {{gitlab_agent_name}}."` | no |
 | <a name="input_gitlab_agent_token_name"></a> [gitlab\_agent\_token\_name](#input\_gitlab\_agent\_token\_name) | The name of the Gitlab Agent token.  You can use the placeholder `{{gitlab_agent_name}}` to reference the Gitlab Agent name. | `string` | `"{{gitlab_agent_name}}-token"` | no |

files/config.yaml.tftpl

@@ -2,6 +2,14 @@ ci_access:
   groups:
     - id: ${root_namespace}
 
+%{~ if gitlab_agent_grant_user_access_to_root_namespace }
+user_access:
+  access_as:
+    agent: {}
+  groups:
+    - id: ${root_namespace}
+%{~ endif ~}
+
 %{~ if trimspace(gitlab_agent_append_to_config_file) != "" }
 ${gitlab_agent_append_to_config_file}
 %{~ endif ~}

main.tf

@@ -15,7 +15,7 @@ locals {
   k8s_gitlab_agent_token_secret_name_computed = replace(var.k8s_gitlab_agent_token_secret_name, "{{gitlab_agent_name}}", var.gitlab_agent_name)
 
   # Gitlab Agent configuration file
-  final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : (var.gitlab_agent_grant_access_to_entire_root_namespace ? templatefile("${path.module}/files/config.yaml.tftpl", { root_namespace = data.gitlab_group.root_namespace.path, gitlab_agent_append_to_config_file = var.gitlab_agent_append_to_config_file }) : "")
+  final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : (var.gitlab_agent_grant_access_to_entire_root_namespace ? templatefile("${path.module}/files/config.yaml.tftpl", { root_namespace = data.gitlab_group.root_namespace.path, gitlab_agent_append_to_config_file = var.gitlab_agent_append_to_config_file, gitlab_agent_grant_user_access_to_root_namespace = var.gitlab_agent_grant_user_access_to_root_namespace }) : "")
 
   # Gitlab Agent CI/CD variables
   gitlab_agent_kubernetes_context_variables = {

variables.tf

@@ -26,6 +26,12 @@ variable "gitlab_agent_grant_access_to_entire_root_namespace" {
   default     = true
 }
 
+variable "gitlab_agent_grant_user_access_to_root_namespace" {
+  description = "Grant `user_access` to the root namespace."
+  type        = bool
+  default     = false
+}
+
 variable "gitlab_agent_append_to_config_file" {
   description = "Append the Gitlab Agent configuration to the configuration file created for the entire root namespace. This variable is only used when `gitlab_agent_grant_access_to_entire_root_namespace` is true."
   type        = string