Issue removing default Rbac roles created by namespace-role module.

[snanjundappa-3as]

Hello Team,

namespace module
parent module

We are following your example infrastructure-live implementation for our aws services/resource creation linked here. I would like to have remove default RBAC roles which has create permission in namespace module.

I would like to define an input create_resource = false in parent module. However available variables link does not allow me to define this.
Could you please provide me a solution to define this or an workaround to remove default RBAC Roles linked here.

Example creation of Default RBAC Roles in k8s Namespace

CREATE THE DEFAULT RBAC ROLES
This defines four default RBAC roles scoped to the namespace:
- namespace-access-all : Admin level permissions on all resources in the namespace.
- namespace-access-read-only: Read only permissions on all resources in the namespace.
- namespace-helm-metadata-access: Minimal permissions for Helm to manage its metadata in this namespace.
- namespace-helm-resource-access: Minimal permissions for Helm to manage resources in this namespace as Helm charts.

---

Tracked in ticket #110216

[pete0emerson]

You are correct that create_resources is not threaded all the way through to the service catalog. However, doing so may not have the intended effect that you want. To recap:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/us-west-2/dev/services/eks-applications-namespace/terragrunt.hcl#L10

includes:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/services/eks-applications-namespace.hcl#L16

which references the k8s-namespace service:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/services/k8s-namespace/main.tf#L29

which not only creates the RBAC roles, but the namespace itself in:

https://github.com/gruntwork-io/terraform-kubernetes-namespace/blob/main/modules/namespace/main.tf#L41-L66

Propagating create_resources up into the service catalog and then setting it to false would then not create the namespace at all, which may not be desirable.

My recommendation is to either remove the k8s-namespace from _envcommon (here), or remove it and replace it with the resources that you need. In other words, you might bring the kubernetes_namespace resource out of the terraform-kubernetes-namespace module and pull that directly into _envcommon, if that's the only thing you need.

On our end, I've filed a ticket in gruntwork-io/terraform-kubernetes-namespace#28 for us to consider separate control of the namespace and the namespace roles.