tofu-controller icon indicating copy to clipboard operation
tofu-controller copied to clipboard
verified publisher icon flux-iac

Feature: Add cross-namespace writeOutputsToSecret for Terraform

Open hirenko-v opened this issue 1 year ago • 1 comments

It might be useful when we have the folowing case:

  • We run terraform in flux-system namespace where we have an appropriate ServiceAccount with permissions in cloud to create resources
  • We generate outputs and save them to secret using writeOutputsToSecret
  • We want to consume those outputs in services namepace with HelmRelease's valuesFrom

In above case we don't want to create Terraform and ServiceAccount with cloud permissions for each service namespace but it is not possible to create cross-namespaced secret with Terraform custom resource

hirenko-v avatar Mar 25 '24 22:03 hirenko-v

With security-first, we have a strong multi-tenancy design which must not violate the namespace boundary. For example in this design, a runner is solely responsible to writing outputs. A runner is namespace scoped Pod, and it must not be allowed to access anything beyond its scope.

Relaxing this enforcement will cause many security problems. So we cannot implement this relaxation.

chanwit avatar Mar 26 '24 13:03 chanwit