Add ValidatingWebhookConfiguration custom resource definition

modules/opa/variables.tf

@@ -5,3 +5,7 @@ variable "cert_pem" {
 variable "key_pem" {
   type = "string"
 }
+
+variable "ca_cert_pem" {
+  type = "string"
+}

modules/opa/webhook.tf

@@ -0,0 +1,49 @@
+resource "kubernetes_manifest" "opa_validating_webhook_configuration" {
+  manifest = {
+    "apiVersion" = "admissionregistration.k8s.io/v1beta1"
+    "kind" = "ValidatingWebhookConfiguration"
+    "metadata" = {
+      "name" = "opa-validating-webhook"
+    }
+    "webhooks" = [
+      {
+        "clientConfig" = {
+          "caBundle" = filebase64("${var.ca_cert_pem}")
+          "service" = {
+            "name" = "opa"
+            "namespace" = "opa"
+          }
+        }
+        "name" = "validating-webhook.openpolicyagent.org"
+        "namespaceSelector" = {
+          "matchExpressions" = [
+            {
+              "key" = "openpolicyagent.org/webhook"
+              "operator" = "NotIn"
+              "values" = [
+                "ignore",
+              ]
+            },
+          ]
+        }
+        "rules" = [
+          {
+            "apiGroups" = [
+              "*",
+            ]
+            "apiVersions" = [
+              "*",
+            ]
+            "operations" = [
+              "CREATE",
+              "UPDATE",
+            ]
+            "resources" = [
+              "*",
+            ]
+          },
+        ]
+      },
+    ]
+  }
+}

platforms/aws/opa.tf

@@ -3,6 +3,7 @@ module "opa" {
 
   cert_pem = "${module.opa_certs.cert_pem}"
   key_pem  = "${module.opa_certs.key_pem}"
+  ca_cert_pem = "placeholder"
 }
 
 provider "kubernetes" {