diff --git a/examples/csi-secrets-manager/README.md b/examples/csi-secrets-manager/README.md
new file mode 100644
index 0000000..e5fce48
--- /dev/null
+++ b/examples/csi-secrets-manager/README.md
@@ -0,0 +1,16 @@
+# CSI Secrets Manager
+
+## Parameters
+
+| Name | Description |
+| ---- | ----------- |
+| region | The AWS region that EKS cluster is located. |
+| cluster_name | The name of the cluster in which ebs-provisioner will be installed. |
+
+
+https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
+
+https://github.com/aws/secrets-store-csi-driver-provider-aws/
+
+https://github.com/andreswebs/terraform-aws-eks-secrets-store-csi-driver/blob/main/variables.tf
+
diff --git a/examples/csi-secrets-manager/locals.tf b/examples/csi-secrets-manager/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/csi-secrets-manager/locals.tf
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/csi-secrets-manager/main.tf b/examples/csi-secrets-manager/main.tf
new file mode 100644
index 0000000..35231e7
--- /dev/null
+++ b/examples/csi-secrets-manager/main.tf
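Review bot: `local._module_version` (first `locals` block) and `local.common_tags` (used by `module "images"` in main.tf) are referenced but defined in none of the files this commit adds; presumably they arrive through the `LINK version.tf` / `LINKTOP includes.d/...` entries in tf-run.data, but a reader of locals.tf alone cannot tell. A one-line comment above the first block, such as `# _module_version and common_tags are provided by the files linked in via tf-run.data`, would make the dependency explicit, and the existing `parent_rs` comment could name the linked file (`includes.d/parent_rs.tf`) it refers to.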
@@ -0,0 +1,159 @@
+locals {
+ images = [
+ {
+ enabled = true
+ dest_path = null
+ name = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
+ source_image = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
+ source_registry = "public.ecr.aws"
+ source_tag = null
+ tag = "1.0.r2-46-gf2a8f35-2023.03.21.21.55"
+ },
+ ]
+ charts = {
+ "secrets-store-csi-driver-provider-aws" = {
+ name = "secrets-store-csi-driver-provider-aws"
+ repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+ version = "0.3.2"
+ use_remote = true
+ }
+ }
+ secrets_store_url = "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml"
+ image_info = values(module.images.images)[0]
+}
+
+module "images" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ image_config = local.images
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+resource "helm_release" "secrets_store" {
+ chart = local.charts["secrets-store-csi-driver-provider-aws"].name
+ name = local.charts["secrets-store-csi-driver-provider-aws"].name
+ namespace = "kube-system"
+ repository = local.charts["secrets-store-csi-driver-provider-aws"].use_remote ? local.charts["secrets-store-csi-driver-provider-aws"].repository : "${path.module}/charts"
+ version = local.charts["secrets-store-csi-driver-provider-aws"].use_remote ? local.charts["secrets-store-csi-driver-provider-aws"].version : null
+ recreate_pods = true
+ timeout = 300
+ atomic = true
+ cleanup_on_fail = true
+ max_history = 3
+ wait_for_jobs = true
+
+ set {
+ name = "image.repository"
+ value = format("%v/%v", local.image_info.dest_registry, local.image_info.dest_repository)
+ }
+ set {
+ name = "image.tag"
+ value = local.image_info.tag
+ }
+
+ set {
+ name = "enableSecretRotation"
+ value = "false"
+ }
+ set {
+ name = "rotationPollInterval"
+ value = "3600s"
+ }
+ set {
+ name = "syncSecret.enabled"
+ value = "true"
+ }
+}
+
+
+## kubectl apply -f "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml"
+## https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
+
+data "http" "secrets_store" {
+ url = local.secrets_store_url
+}
+
+resource "null_resource" "setup_directory" {
+ triggers = {
+ directory = format("%v/setup", path.root)
+ }
+
+ provisioner "local-exec" {
+ command = "test -d ${self.triggers.directory} || mkdir ${self.triggers.directory}"
+ }
+}
+
+resource "local_sensitive_file" "secrets_store_provider" {
+ filename = format("%v/%v", null_resource.setup_directory.triggers.directory, basename(local.secrets_store_url))
+ content = data.http.secrets_store.response_body
+}
+
+resource "null_resource" "secrets_store_provider" {
+ triggers = {
+ provider_filename = basename(local.secrets_store_url)
+ }
+
+ depends_on = [null_resource.kubeconfig, helm_release.secrets_store]
+ provisioner "local-exec" {
+ environment = {
+ KUBECONFIG = format("%v/kube.config", null_resource.setup_directory.triggers.directory)
+ }
+ command = format("kubectl apply -f %v/%v", null_resource.setup_directory.triggers.directory, self.triggers.provider_filename)
+ }
+}
+
+# module.secrets_store.helm_release.this will be created
+## + resource "helm_release" "this" {
+## + atomic = true
+## + chart = "secrets-store-csi-driver"
+## + cleanup_on_fail = true
+## + create_namespace = false
+## + dependency_update = false
+## + disable_crd_hooks = false
+## + disable_openapi_validation = false
+## + disable_webhooks = false
+## + force_update = false
+## + id = (known after apply)
+## + lint = false
+## + manifest = (known after apply)
+## + max_history = 3
+## + metadata = (known after apply)
+## + name = "secrets-store-csi-driver"
+## + namespace = "kube-system"
+## + pass_credentials = false
+## + recreate_pods = true
+## + render_subchart_notes = true
+## + replace = false
+## + repository = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts"
+## + reset_values = false
+## + reuse_values = false
+## + skip_crds = false
+## + status = "deployed"
+## + timeout = 300
+## + verify = false
+## + version = "0.3.2"
+## + wait = true
+## + wait_for_jobs = true
+##
+## + set {
+## + name = "enableSecretRotation"
+## + value = "false"
+## }
+## + set {
+## + name = "rotationPollInterval"
+## + value = "3600s"
+## }
+## + set {
+## + name = "syncSecret.enabled"
+## + value = "true"
+## }
+## }
+##
diff --git a/examples/csi-secrets-manager/region.tf b/examples/csi-secrets-manager/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/csi-secrets-manager/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/examples/csi-secrets-manager/tf-run.data b/examples/csi-secrets-manager/tf-run.data
new file mode 100644
index 0000000..9705b0d
--- /dev/null
+++ b/examples/csi-secrets-manager/tf-run.data
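Review bot: `data "http" "secrets_store"` downloads the provider installer manifest from the unpinned `main` branch named in `local.secrets_store_url`, and `null_resource.secrets_store_provider` then runs `kubectl apply` on it in kube-system, so whatever that branch serves at apply time is deployed into the cluster with no integrity check; because the file is written through `local_sensitive_file`, a changed manifest body is also hidden from plan output. Pin the URL to a release tag or commit and reject a body whose digest differs from the one that was reviewed, for example with a `lifecycle { postcondition { ... } }` on the data source comparing `sha256(self.response_body)` to a pinned local (needs Terraform 1.2+; the required version is not visible in this diff). The same branch-tracking concern applies to `module "images"`, whose source uses `?ref=tf-upgrade` rather than a tag. Separately, if the `secrets-store-csi-driver-provider-aws` chart installed by `helm_release.secrets_store` already deploys the provider DaemonSet, applying `aws-provider-installer.yaml` on top of it installs the same component twice; confirm which path is intended and drop the other, and note the trailing `## + resource "helm_release" "this"` plan dump is commented-out output rather than documentation and could go.

```hcl
locals {
  # … unchanged: images, charts, image_info …
  secrets_store_url    = "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/<PINNED_TAG_OR_COMMIT>/deployment/aws-provider-installer.yaml"
  secrets_store_sha256 = "<SHA256_OF_REVIEWED_MANIFEST>" # placeholder: digest of the manifest as reviewed
}

data "http" "secrets_store" {
  url = local.secrets_store_url

  lifecycle {
    postcondition {
      condition     = sha256(self.response_body) == local.secrets_store_sha256
      error_message = "aws-provider-installer.yaml does not match the pinned digest; refusing to apply it."
    }
  }
}
```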
@@ -0,0 +1,28 @@
+VERSION 2.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+## LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK providers.tf
+LINK versions.tf
+LINK version.tf
+LINK settings.auto.tfvars
+LINK variables.eks.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/parent_rs.tf
+
+COMMAND tf-init -upgrade
+
+#POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/csi-secrets-manager/variables.tf b/examples/csi-secrets-manager/variables.tf
new file mode 100644
index 0000000..f04a133
--- /dev/null
+++ b/examples/csi-secrets-manager/variables.tf
@@ -0,0 +1,12 @@
+variable "chart_version" {
+ description = "Which version of the Helm chart from https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/charts/secrets-store-csi-driver-provider-aws/Chart.yaml"
+ type = string
+ default = "0.3.2"
+}
+
+# will try to see if ECR can pull the public image
+## image:
+## repository: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws
+## pullPolicy: IfNotPresent
+## tag: 1.0.r2-46-gf2a8f35-2023.03.21.21.55
+##
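Review bot: `variable "chart_version"` is declared but nothing in the example reads it — main.tf selects the chart through the hard-coded `version = "0.3.2"` inside `local.charts`, so setting this variable has no effect even though its description says it picks the chart version. Either wire it in with `version = var.chart_version` in the `charts` local in main.tf or remove the variable; if it stays, the README parameter table, which currently lists only `region` and `cluster_name`, should mention it. The trailing commented-out `## image:` block repeats the registry and tag already encoded in `local.images`, and `# will try to see if ECR can pull the public image` reads as an open question; either resolve it or mark it `# TODO(owner): ...` so it is not mistaken for documentation.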