Issue removing default RBAC roles created by namespace-role module.
Hello Team,

[namespace module](https://github.com/gruntwork-io/terraform-kubernetes-namespace/blob/main/modules/namespace-roles/main.tf#L36)
[parent module](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/us-west-2/dev/services/eks-applications-namespace/terragrunt.hcl#L9)

We are following your example infrastructure-live implementation for our AWS services/resource creation, linked [here](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/us-west-2/dev/services/eks-applications-namespace/terragrunt.hcl#L9).

I would like to remove the default RBAC roles which have create permission in the namespace module. I would like to define an input `create_resource = false` in the parent module. However, the available variables ([link](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/services/k8s-namespace/variables.tf)) do not allow me to define this.

Could you please provide me a solution to define this, or a workaround to remove the default RBAC roles linked [here](https://github.com/gruntwork-io/terraform-kubernetes-namespace/blob/main/modules/namespace-roles/main.tf#L36)?

Example creation of default RBAC roles in the k8s namespace:

```
CREATE THE DEFAULT RBAC ROLES
This defines four default RBAC roles scoped to the namespace:
- namespace-access-all : Admin level permissions on all resources in the namespace.
- namespace-access-read-only: Read only permissions on all resources in the namespace.
- namespace-helm-metadata-access: Minimal permissions for Helm to manage its metadata in this namespace.
- namespace-helm-resource-access: Minimal permissions for Helm to manage resources in this namespace as Helm charts.
```

---

[Tracked in ticket #110216](https://support.gruntwork.io/hc/requests/110216)

You are correct that `create_resources` is not threaded all the way through to the service catalog. However, doing so may not have the intended effect that you want.

To recap:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/us-west-2/dev/services/eks-applications-namespace/terragrunt.hcl#L10

includes:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/services/eks-applications-namespace.hcl#L16

which references the k8s-namespace service:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/services/k8s-namespace/main.tf#L29

which not only creates the RBAC roles, but the namespace itself in:

https://github.com/gruntwork-io/terraform-kubernetes-namespace/blob/main/modules/namespace/main.tf#L41-L66

Propagating `create_resources` up into the service catalog and then setting it to `false` would then not create the namespace at all, which may not be desirable.

My recommendation is to either remove the `k8s-namespace` from `_envcommon` ([here](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/services/eks-applications-namespace.hcl#L16)), or remove it and replace it with the resources that you need. In other words, you might bring the `kubernetes_namespace` resource out of the terraform-kubernetes-namespace module and pull that directly into `_envcommon`, if that's the only thing you need.

On our end, I've filed a ticket in https://github.com/gruntwork-io/terraform-kubernetes-namespace/issues/28 for us to consider separate control of the namespace and the namespace roles.
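
One way to follow the recommendation above, as an added example that is not part of the original reply or Gruntwork's own code: a small standalone Terraform module that creates only the namespace, which the `_envcommon` configuration could use as its source in place of `k8s-namespace`. The variable names, resource labels and the optional read-only role are assumptions for illustration.

```hcl
# Added example: hypothetical minimal module that manages the namespace
# directly, so none of the four default RBAC roles are created.
terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

variable "name" {
  description = "Name of the namespace to create."
  type        = string
}

variable "labels" {
  description = "Labels to attach to the namespace."
  type        = map(string)
  default     = {}
}

variable "create_read_only_role" {
  description = "Create a single read-only role in the namespace (assumption, off by default)."
  type        = bool
  default     = false
}

# The namespace itself, pulled out of the namespace module.
resource "kubernetes_namespace" "this" {
  metadata {
    name   = var.name
    labels = var.labels
  }
}

# Optional: one narrowly scoped role instead of the defaults.
# No create, update, patch or delete verbs are granted.
resource "kubernetes_role" "read_only" {
  count = var.create_read_only_role ? 1 : 0

  metadata {
    name      = "${var.name}-read-only"
    namespace = kubernetes_namespace.this.metadata[0].name
  }

  rule {
    api_groups = ["", "apps"]
    resources  = ["pods", "services", "configmaps", "deployments"]
    verbs      = ["get", "list", "watch"]
  }
}
```

If the namespace was already created through `k8s-namespace`, import it into the new resource address before applying so that Terraform does not plan to destroy and recreate it.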