add csi-secrets manager

terraform-modules · Jun 7, 2023 · d230eef · d230eef
1 parent 160c4b6
commit d230eef
Show file tree

Hide file tree

Showing 6 changed files with 236 additions and 0 deletions.
diff --git a/examples/csi-secrets-manager/README.md b/examples/csi-secrets-manager/README.md
@@ -0,0 +1,16 @@
+# CSI Secrets Manager
+
+## Parameters
+
+| Name | Description |
+| ---- | ----------- |
+| region | The AWS region that EKS cluster is located. |
+| cluster_name | The name of the cluster in which ebs-provisioner will be installed. |
+
+
+https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
+
+https://github.com/aws/secrets-store-csi-driver-provider-aws/
+
+https://github.com/andreswebs/terraform-aws-eks-secrets-store-csi-driver/blob/main/variables.tf
+
diff --git a/examples/csi-secrets-manager/locals.tf b/examples/csi-secrets-manager/locals.tf
@@ -0,0 +1,17 @@
+locals {
+  base_tags = {
+    "eks-cluster-name"      = var.cluster_name
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+  vpc_id               = local.parent_rs.cluster_vpc_id
+  subnet_ids           = local.parent_rs.cluster_subnet_ids
+  cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/csi-secrets-manager/main.tf b/examples/csi-secrets-manager/main.tf
@@ -0,0 +1,159 @@
+locals {
+  images = [
+    {
+      enabled         = true
+      dest_path       = null
+      name            = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
+      source_image    = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
+      source_registry = "public.ecr.aws"
+      source_tag      = null
+      tag             = "1.0.r2-46-gf2a8f35-2023.03.21.21.55"
+    },
+  ]
+  charts = {
+    "secrets-store-csi-driver-provider-aws" = {
+      name       = "secrets-store-csi-driver-provider-aws"
+      repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+      version    = "0.3.2"
+      use_remote = true
+    }
+  }
+  secrets_store_url = "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml"
+  image_info        = values(module.images.images)[0]
+}
+
+module "images" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+  profile          = var.profile
+  application_list = []
+  application_name = format("eks/%v", var.cluster_name)
+  image_config     = local.images
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+resource "helm_release" "secrets_store" {
+  chart           = local.charts["secrets-store-csi-driver-provider-aws"].name
+  name            = local.charts["secrets-store-csi-driver-provider-aws"].name
+  namespace       = "kube-system"
+  repository      = local.charts["secrets-store-csi-driver-provider-aws"].use_remote ? local.charts["secrets-store-csi-driver-provider-aws"].repository : "${path.module}/charts"
+  version         = local.charts["secrets-store-csi-driver-provider-aws"].use_remote ? local.charts["secrets-store-csi-driver-provider-aws"].version : null
+  recreate_pods   = true
+  timeout         = 300
+  atomic          = true
+  cleanup_on_fail = true
+  max_history     = 3
+  wait_for_jobs   = true
+
+  set {
+    name  = "image.repository"
+    value = format("%v/%v", local.image_info.dest_registry, local.image_info.dest_repository)
+  }
+  set {
+    name  = "image.tag"
+    value = local.image_info.tag
+  }
+
+  set {
+    name  = "enableSecretRotation"
+    value = "false"
+  }
+  set {
+    name  = "rotationPollInterval"
+    value = "3600s"
+  }
+  set {
+    name  = "syncSecret.enabled"
+    value = "true"
+  }
+}
+
+
+## kubectl apply -f "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml"
+## https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
+
+data "http" "secrets_store" {
+  url = local.secrets_store_url
+}
+
+resource "null_resource" "setup_directory" {
+  triggers = {
+    directory = format("%v/setup", path.root)
+  }
+
+  provisioner "local-exec" {
+    command = "test -d ${self.triggers.directory} || mkdir ${self.triggers.directory}"
+  }
+}
+
+resource "local_sensitive_file" "secrets_store_provider" {
+  filename = format("%v/%v", null_resource.setup_directory.triggers.directory, basename(local.secrets_store_url))
+  content  = data.http.secrets_store.response_body
+}
+
+resource "null_resource" "secrets_store_provider" {
+  triggers = {
+    provider_filename = basename(local.secrets_store_url)
+  }
+
+  depends_on = [null_resource.kubeconfig, helm_release.secrets_store]
+  provisioner "local-exec" {
+    environment = {
+      KUBECONFIG = format("%v/kube.config", null_resource.setup_directory.triggers.directory)
+    }
+    command = format("kubectl apply -f %v/%v", null_resource.setup_directory.triggers.directory, self.triggers.provider_filename)
+  }
+}
+
+# module.secrets_store.helm_release.this will be created
+##   + resource "helm_release" "this" {
+##       + atomic                     = true
+##       + chart                      = "secrets-store-csi-driver"
+##       + cleanup_on_fail            = true
+##       + create_namespace           = false
+##       + dependency_update          = false
+##       + disable_crd_hooks          = false
+##       + disable_openapi_validation = false
+##       + disable_webhooks           = false
+##       + force_update               = false
+##       + id                         = (known after apply)
+##       + lint                       = false
+##       + manifest                   = (known after apply)
+##       + max_history                = 3
+##       + metadata                   = (known after apply)
+##       + name                       = "secrets-store-csi-driver"
+##       + namespace                  = "kube-system"
+##       + pass_credentials           = false
+##       + recreate_pods              = true
+##       + render_subchart_notes      = true
+##       + replace                    = false
+##       + repository                 = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts"
+##       + reset_values               = false
+##       + reuse_values               = false
+##       + skip_crds                  = false
+##       + status                     = "deployed"
+##       + timeout                    = 300
+##       + verify                     = false
+##       + version                    = "0.3.2"
+##       + wait                       = true
+##       + wait_for_jobs              = true
+## 
+##       + set {
+##           + name  = "enableSecretRotation"
+##           + value = "false"
+##         }
+##       + set {
+##           + name  = "rotationPollInterval"
+##           + value = "3600s"
+##         }
+##       + set {
+##           + name  = "syncSecret.enabled"
+##           + value = "true"
+##         }
+##     }
+## 
diff --git a/examples/csi-secrets-manager/region.tf b/examples/csi-secrets-manager/region.tf
@@ -0,0 +1,4 @@
+locals {
+  region = var.region
+}
+
diff --git a/examples/csi-secrets-manager/tf-run.data b/examples/csi-secrets-manager/tf-run.data
@@ -0,0 +1,28 @@
+VERSION 2.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+## LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK providers.tf
+LINK versions.tf
+LINK version.tf
+LINK settings.auto.tfvars
+LINK variables.eks.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/parent_rs.tf
+
+COMMAND tf-init -upgrade
+
+#POLICY 
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/csi-secrets-manager/variables.tf b/examples/csi-secrets-manager/variables.tf
@@ -0,0 +1,12 @@
+variable "chart_version" {
+  description = "Which version of the Helm chart from https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/charts/secrets-store-csi-driver-provider-aws/Chart.yaml"
+  type        = string
+  default     = "0.3.2"
+}
+
+# will try to see if ECR can pull the public image
+## image:
+##   repository: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws
+##   pullPolicy: IfNotPresent
+##   tag: 1.0.r2-46-gf2a8f35-2023.03.21.21.55
+##