feat(docker-service): allow adding group, capabilities, and device mappings

2025-08-21 17:41:10 +10:00
parent 4edfd642f3
commit 2c8c43ff68
2 changed files with 50 additions and 0 deletions
--- a/modules/10-services-generic/docker-service/main.tf
+++ b/modules/10-services-generic/docker-service/main.tf
@@ -144,12 +144,32 @@ resource "docker_container" "service_container" {
  hostname              = var.hostname
  domainname            = var.domainname
  user                  = var.user
+  group_add             = var.group_add
  working_dir           = var.working_dir
  command               = var.command
  entrypoint            = var.entrypoint
  privileged            = var.privileged
  destroy_grace_seconds = var.destroy_grace_seconds

+  # Linux capabilities controls
+  dynamic "capabilities" {
+    for_each = length(var.capabilities_add) > 0 || length(var.capabilities_drop) > 0 ? [1] : []
+    content {
+      add  = var.capabilities_add
+      drop = var.capabilities_drop
+    }
+  }
+
+  # Device mappings
+  dynamic "devices" {
+    for_each = var.devices
+    content {
+      host_path      = devices.value.host_path
+      container_path = devices.value.container_path
+      permissions    = devices.value.permissions
+    }
+  }
+
  # Set log options
  log_driver = var.log_driver
  log_opts   = var.log_opts
--- a/modules/10-services-generic/docker-service/variables.tf
+++ b/modules/10-services-generic/docker-service/variables.tf
@@ -179,12 +179,42 @@ variable "entrypoint" {
  default     = null
 }

+variable "group_add" {
+  description = "Additional groups to add to the container"
+  type        = list(string)
+  default     = []
+}
+
 variable "privileged" {
  description = "Run container in privileged mode"
  type        = bool
  default     = false
 }

+// Linux capabilities controls
+variable "capabilities_add" {
+  description = "Linux capabilities to add to the container"
+  type        = list(string)
+  default     = []
+}
+
+variable "capabilities_drop" {
+  description = "Linux capabilities to drop from the container"
+  type        = list(string)
+  default     = []
+}
+
+// Devices to pass through to container
+variable "devices" {
+  description = "List of device mappings for the container"
+  type = list(object({
+    host_path      = string
+    container_path = string
+    permissions    = string
+  }))
+  default = []
+}
+
 variable "destroy_grace_seconds" {
  description = "Grace period in seconds before the container is destroyed"
  type        = number