feat: allow status page for all happy services (#3435)

chanzuckerberg · Jul 17, 2024 · 72999e5 · 72999e5
1 parent d71abad
commit 72999e5
Showing 1 changed file with 21 additions and 9 deletions.
diff --git a/terraform/modules/happy-mesh-access-control/main.tf b/terraform/modules/happy-mesh-access-control/main.tf
@@ -1,6 +1,22 @@
 locals {
   allow_ingress_controller = var.service_type == "EXTERNAL" || var.service_type == "INTERNAL" || var.service_type == "VPC"
   needs_policy             = local.allow_ingress_controller || length(var.allow_mesh_services) > 0
+  # Service accounts that we want to allow access to this protected service
+  mesh_services_service_accounts = [for v in var.allow_mesh_services : {
+    "kind"      = "ServiceAccount"
+    "name"      = v.service_account_name != null && v.service_account_name != "" ? v.service_account_name : "${v.stack}-${v.service}-${var.deployment_stage}-${v.stack}"
+    "namespace" = var.k8s_namespace
+  }]
+  optional_ingress_controller_service_account = local.allow_ingress_controller ? [{
+    "kind"      = "ServiceAccount"
+    "name"      = "nginx-ingress-ingress-nginx"
+    "namespace" = "nginx-encrypted-ingress"
+  }] : []
+  status_page_service_account = [{
+    "kind"      = "ServiceAccount"
+    "name"      = "edu-platform-${var.deployment_stage}-status-page"
+    "namespace" = "status-page"
+  }]
 }
 
 resource "kubernetes_manifest" "linkerd_server" {
@@ -34,15 +50,11 @@ resource "kubernetes_manifest" "linkerd_mesh_tls_authentication" {
       "labels"    = var.labels
     }
     "spec" = {
-      "identityRefs" = concat([for v in var.allow_mesh_services : {
-        "kind"      = "ServiceAccount"
-        "name"      = v.service_account_name != null && v.service_account_name != "" ? v.service_account_name : "${v.stack}-${v.service}-${var.deployment_stage}-${v.stack}"
-        "namespace" = var.k8s_namespace
-        }], local.allow_ingress_controller ? [{
-        "kind"      = "ServiceAccount"
-        "name"      = "nginx-ingress-ingress-nginx"
-        "namespace" = "nginx-encrypted-ingress"
-      }] : [])
+      "identityRefs" = concat(
+        local.mesh_services_service_accounts,
+        local.optional_ingress_controller_service_account,
+        local.status_page_service_account
+      )
     }
   }
 }