diff --git a/examples/extras/secrets-manager/secrets-manager.tf b/examples/extras/secrets-manager/secrets-manager.tf
index c36a3b3..b0f8146 100644
--- a/examples/extras/secrets-manager/secrets-manager.tf
+++ b/examples/extras/secrets-manager/secrets-manager.tf
@@ -2,21 +2,27 @@
 # name = "AWSXRayDaemonWriteAccess"
 #}
+locals {
+ secrets-manager_arns = length(var.secrets-manager_arns) > 0 ? var.secrets-manager_arns : [format("arn:%v:secretsmanager:%v:%v:secret/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+ secrets-manager_kms_key_arns = length(var.secrets-manager_kms_key_arns) > 0 ? var.secrets-manager_kms_key_arns : [format("arn:%v:kms:%v:%v:key/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+ ssm_parameter_arns = length(var.ssm_parameter_arns) > 0 ? var.ssm_parameter_arns : [format("arn:%v:ssm:%v:%v:parameter/%v", data.aws_arn.current.partition, local.region, data.aws_caller_identity.current.account_id, "*")]
+}
+
 module "role_secrets-manager" {
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.secrets-manager_namespace}:${var.secrets-manager_name}"
- role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name)
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name_short)
 # role_policy_arns = {
 # policy = data.aws_iam_policy.policy_secrets-manager.arn
 # }
 attach_external_secrets_policy = true
- external_secrets_ssm_parameter_arns = var.ssm_parameter_arns
- external_secrets_secrets_manager_arns = var.secrets-manager_arns
- external_secrets_kms_key_arns = var.secrets-manager_kms_key_arns
- external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create
+ external_secrets_ssm_parameter_arns = local.ssm_parameter_arns
+ external_secrets_secrets_manager_arns = local.secrets-manager_arns
+ external_secrets_kms_key_arns = local.secrets-manager_kms_key_arns
+ external_secrets_secrets_manager_create_permission = var.secrets-manager_allow_create
 oidc_providers = {
 main = {
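Review bot: The `locals` added at the top of the hunk turn an empty `secrets-manager_arns`, `secrets-manager_kms_key_arns` or `ssm_parameter_arns` into an account-and-region-wide wildcard (`secret/*`, `key/*`, `parameter/*`), so a caller who leaves a list unset grants the IRSA role access to every secret, KMS key and SSM parameter in the account rather than to nothing. For an IAM grant the safe default is fail-closed; pass the variables through unchanged (`external_secrets_secrets_manager_arns = var.secrets-manager_arns`) and reject empty lists with a `validation` block on each variable, or at minimum mark the behaviour on the `locals` block: `# NOTE: an empty list widens the grant to every secret/key/parameter in this account+region`. `external_secrets_secrets_manager_create_permission` also switches to `var.secrets-manager_allow_create`; that declaration is not in this diff, so confirm the hyphenated variable exists (the tfvars file in this commit does set it). The `module "role_secrets-manager"` block continues past the end of the hunk.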
@@ -61,8 +67,8 @@ module "images_secrets-manager" {
 # }
 resource "helm_release" "secrets-manager" {
- chart = "aws-secrets-manager"
- name = "aws-secrets-manager"
+ chart = var.secrets-manager_charts["secrets-manager"].name
+ name = var.secrets-manager_charts["secrets-manager"].name
 namespace = var.secrets-manager_namespace
 repository = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].repository : "${path.module}/charts"
 version = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].version : null
@@ -70,12 +76,12 @@ resource "helm_release" "secrets-manager" {
 depends_on = [module.images_secrets-manager]
 set {
 name = "image.repository"
- value = split(":", local.secrets-manager_images_output["aws-secrets-manager-daemon"].dest_full_path)[0]
+ value = split(":", local.secrets-manager_images_output["aws-secrets-manager"].dest_full_path)[0]
 }
 set {
 name = "image.tag"
- value = local.secrets-manager_images_output["aws-secrets-manager-daemon"].tag
+ value = local.secrets-manager_images_output["aws-secrets-manager"].tag
 }
 set {
 name = "secrets-manager.region"
diff --git a/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars b/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars
index 600ce8a..dfe0a9e 100644
--- a/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars
+++ b/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars
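Review bot: Deriving both `chart` and `name` from `var.secrets-manager_charts["secrets-manager"].name` renames the Helm release from `aws-secrets-manager` to `secrets-store-csi-driver-provider-aws` (the value this commit's tfvars carries), and `name` forces replacement on `helm_release`, so on an existing cluster this uninstalls and reinstalls the CSI provider instead of upgrading it in place. If that is intended, note it on the `name` line, e.g. `name = var.secrets-manager_charts["secrets-manager"].name # release name follows the chart name; changing it replaces the release`. In the second hunk the image-override keys move from `aws-secrets-manager-daemon` to `aws-secrets-manager`; the matching entry in `secrets-manager_images` is not visible in this diff, so confirm the tfvars map was renamed to match, otherwise the `local.secrets-manager_images_output[...]` lookup presumably fails at plan time. Both the `resource "helm_release"` block and the second hunk's last `set` block continue outside the hunks.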
@@ -1,10 +1,16 @@
 secrets-manager_charts = {
 "secrets-manager" = {
- name = "secrets-store-csi-driver-provider-aws"
- documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
- repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
- version = "0.3.4"
 use_remote = true
+ documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+ # name = "eks/csi-secrets-store-provider-aws"
+ # repository = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
+ # version = "0.0.4"
+ # repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+ # repository = "https://aws.github.io/eks-charts"
+ # version = "0.3.4"
+ name = "secrets-store-csi-driver-provider-aws"
+ repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws/"
+ version = "0.3.4"
 }
 }
 secrets-manager_images = {
@@ -19,3 +25,8 @@ secrets-manager_images = {
 enabled = true
 }
 }
+
+secrets-manager_allow_create = false
+#secrets-manager_arns = [ format("arn:%v:secretsmanager:%v:%v:secret/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]
+#secrets-manager_kms_key_arns = [ format("arn:%v:kms:%v:%v:key/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]
+#ssm_parameter_arns = [ format("arn:%v:ssm:%v:%v:parameter/%v"),data.aws_arn.current.partition,local.region,data.aws_caller_identity.current.account_id,"*") ]
diff --git a/examples/extras/secrets-manager/variables.secrets-manager.tf b/examples/extras/secrets-manager/variables.secrets-manager.tf
index 7741814..136ea43 100644
--- a/examples/extras/secrets-manager/variables.secrets-manager.tf
+++ b/examples/extras/secrets-manager/variables.secrets-manager.tf
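Review bot: The three commented `secrets-manager_arns` / `secrets-manager_kms_key_arns` / `ssm_parameter_arns` lines in the second hunk cannot be uncommented as written: a `.tfvars` file takes literal values only, so `format(...)`, `data.aws_arn.current` and `local.region` are unavailable there, and each line also closes `format(` right after its first argument. Since `secrets-manager.tf` already derives those wildcards, replace them with a pointer, e.g. `# secrets-manager_arns / secrets-manager_kms_key_arns / ssm_parameter_arns: omit to get the account-wide wildcards computed in secrets-manager.tf; list explicit ARNs here to narrow the role's access`. The first hunk likewise leaves six commented alternative `name`/`repository`/`version` lines inside the chart entry; either drop them or keep a single comment naming the alternative chart source, since dead config in a tfvars file tends to be copied as-is.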
@@ -1,13 +1,19 @@
 variable "secrets-manager_namespace" {
 description = "Service namespace"
 type = string
- default = "default"
+ default = "kube-system"
 }
 variable "secrets-manager_name" {
 description = "Service account name"
 type = string
- default = "aws-secrets-manager"
+ default = "csi-secrets-store-provider-aws"
+}
+
+variable "secrets-manager_name_short" {
+ description = "Service account name shortened"
+ type = string
+ default = "csi-secrets-mgr"
 }
 variable "secrets-manager_charts" {
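Review bot: `secrets-manager_name_short` is introduced with no record of why a second name exists or how it relates to `secrets-manager_name`; its only visible use is building the IAM role name in `secrets-manager.tf`, so if the motive is the 64-character IAM role-name limit, say so: `description = "Short form of the service account name, used only to build the IAM role name (IAM role names are limited to 64 characters)"`. A `validation` block bounding its length would make that constraint explicit instead of surfacing as an IAM error at apply time. The role description still quotes `secrets-manager_name` while the role name uses the short form, so an operator tracing a role back to its service account now needs to know both values.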