Add ClusterRoleBinding and small corrections to GKE OIDC config (#2323)

_examples/eks/eks-oidc/main.tf

@@ -21,7 +21,7 @@ variable "rbac_group_oidc_claim" {
   default = "terraform_organization_name"
 }
 
-variable "rbac_admin_group_name" {
+variable "rbac_oidc_group_name" {
   type = string
 }
 
@@ -69,6 +69,6 @@ resource "kubernetes_cluster_role_binding_v1" "oidc_role" {
   subject {
     api_group = "rbac.authorization.k8s.io"
     kind      = "Group"
-    name      = var.rbac_admin_group_name
+    name      = var.rbac_oidc_group_name
   }
 }

_examples/gke/gke-oidc/k8s.tf

@@ -33,11 +33,29 @@ resource "kubernetes_manifest" "oidc_conf" {
             clientID                 = var.oidc_audience
             issuerURI                = var.odic_issuer_uri
             userClaim                = var.oidc_user_claim
-            groupClaim               = var.oidc_group_claim
+            groupsClaim              = var.oidc_group_claim
             certificateAuthorityData = var.TFE_CA_cert
           }
         }
       ]
     }
   }
 }
+
+resource "kubernetes_cluster_role_binding_v1" "oidc_role" {
+  metadata {
+    name = "odic-identity"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.rbac_group_cluster_role
+  }
+
+  subject {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Group"
+    name      = var.rbac_oidc_group_name
+  }
+}

_examples/gke/gke-oidc/variables.tf

@@ -40,3 +40,13 @@ variable "TFE_CA_cert" {
   type        = string
   default     = null
 }
+
+variable "rbac_oidc_group_name" {
+  description = "Name of OIDC group (according to 'oidc_group_claim') to be granted the role designated by 'var.rbac_group_cluster_role'"
+  type = string
+}
+
+variable "rbac_group_cluster_role" {
+  description = "Kubernetes role to be bound to the OIDC group designated by 'var.rbac_oidc_group_name'"
+  default = "cluster-admin"
+}