update

examples/extras/secrets-manager/secrets-manager.tf

@@ -2,21 +2,27 @@
 #  name = "AWSXRayDaemonWriteAccess"
 #}
 
+locals {
+  secrets-manager_arns         = length(var.secrets-manager_arns) > 0 ? var.secrets-manager_arns : [format("arn:%v:secretsmanager:%v:%v:secret/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+  secrets-manager_kms_key_arns = length(var.secrets-manager_kms_key_arns) > 0 ? var.secrets-manager_kms_key_arns : [format("arn:%v:kms:%v:%v:key/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+  ssm_parameter_arns           = length(var.ssm_parameter_arns) > 0 ? var.ssm_parameter_arns : [format("arn:%v:ssm:%v:%v:parameter/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+}
+
 module "role_secrets-manager" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
   role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.secrets-manager_namespace}:${var.secrets-manager_name}"
-  role_name        = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name)
+  role_name        = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name_short)
 
   #  role_policy_arns = {
   #    policy = data.aws_iam_policy.policy_secrets-manager.arn
   #  }
 
   attach_external_secrets_policy                     = true
-  external_secrets_ssm_parameter_arns                = var.ssm_parameter_arns
-  external_secrets_secrets_manager_arns              = var.secrets-manager_arns
-  external_secrets_kms_key_arns                      = var.secrets-manager_kms_key_arns
-  external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create
+  external_secrets_ssm_parameter_arns                = local.ssm_parameter_arns
+  external_secrets_secrets_manager_arns              = local.secrets-manager_arns
+  external_secrets_kms_key_arns                      = local.secrets-manager_kms_key_arns
+  external_secrets_secrets_manager_create_permission = var.secrets-manager_allow_create
 
   oidc_providers = {
     main = {
@@ -61,21 +67,21 @@ module "images_secrets-manager" {
 # }
 
 resource "helm_release" "secrets-manager" {
-  chart      = "aws-secrets-manager"
-  name       = "aws-secrets-manager"
+  chart      = var.secrets-manager_charts["secrets-manager"].name
+  name       = var.secrets-manager_charts["secrets-manager"].name
   namespace  = var.secrets-manager_namespace
   repository = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].repository : "${path.module}/charts"
   version    = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].version : null
 
   depends_on = [module.images_secrets-manager]
   set {
     name  = "image.repository"
-    value = split(":", local.secrets-manager_images_output["aws-secrets-manager-daemon"].dest_full_path)[0]
+    value = split(":", local.secrets-manager_images_output["aws-secrets-manager"].dest_full_path)[0]
   }
 
   set {
     name  = "image.tag"
-    value = local.secrets-manager_images_output["aws-secrets-manager-daemon"].tag
+    value = local.secrets-manager_images_output["aws-secrets-manager"].tag
   }
   set {
     name  = "secrets-manager.region"

examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars

@@ -1,10 +1,16 @@
 secrets-manager_charts = {
   "secrets-manager" = {
-    name          = "secrets-store-csi-driver-provider-aws"
-    documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
-    repository    = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
-    version       = "0.3.4"
     use_remote    = true
+    documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+    #    name          = "eks/csi-secrets-store-provider-aws"
+    #    repository    = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
+    #    version       = "0.0.4"
+    #    repository    = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+    #    repository    = "https://aws.github.io/eks-charts"
+    #    version       = "0.3.4"
+    name       = "secrets-store-csi-driver-provider-aws"
+    repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws/"
+    version    = "0.3.4"
   }
 }
 secrets-manager_images = {
@@ -19,3 +25,8 @@ secrets-manager_images = {
     enabled         = true
   }
 }
+
+secrets-manager_allow_create = false
+#secrets-manager_arns =  [ format("arn:%v:secretsmanager:%v:%v:secret/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]
+#secrets-manager_kms_key_arns =  [ format("arn:%v:kms:%v:%v:key/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]
+#ssm_parameter_arns =  [ format("arn:%v:ssm:%v:%v:parameter/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]

examples/extras/secrets-manager/variables.secrets-manager.tf

@@ -1,13 +1,19 @@
 variable "secrets-manager_namespace" {
   description = "Service namespace"
   type        = string
-  default     = "default"
+  default     = "kube-system"
 }
 
 variable "secrets-manager_name" {
   description = "Service account name"
   type        = string
-  default     = "aws-secrets-manager"
+  default     = "csi-secrets-store-provider-aws"
+}
+
+variable "secrets-manager_name_short" {
+  description = "Service account name shortened"
+  type        = string
+  default     = "csi-secrets-mgr"
 }
 
 variable "secrets-manager_charts" {