

add first pass of secrets manager
badra001 committed Nov 7, 2023
1 parent 279d0f3 commit e3232af
Showing 9 changed files with 290 additions and 0 deletions.
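--- a/examples/extras/secrets-manager/.tf-control
+++ b/examples/extras/secrets-manager/.tf-control
@@ -0,0 +1,20 @@
+# .tf-control
+# allows for setting a specific command to be used for tf-* commands under this git repo
+# see tf-control.sh help for more info
+
+TFCONTROL_VERSION="1.0.5"
+
+TFCOMMAND="terraform_latest"
+# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
+# TFARGS=""
+# TFNOLOG=""
+# TFNOCOLOR=""
+
+# use the following to force a specific version. An upgrade of an existing 0.12.31 to 1.x
+# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other
+# steps in between. See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
+#
+#TFCOMMAND="terraform_0.12.31"
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.15.5"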
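--- a/examples/extras/secrets-manager/.tf-control.tfrc
+++ b/examples/extras/secrets-manager/.tf-control.tfrc
@@ -0,0 +1,24 @@
+TFCONTROL_VERSION="1.0.5"
+
+# https://www.terraform.io/docs/cli/config/config-file.html
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+filesystem_mirror {
+path = "/data/terraform/terraform.d/providers"
+include = [ "*/*/*" ]
+}
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+direct {
+include = [ "*/*/*" ]
+}
+}
+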
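Review bot: The first line of this CLI config, `TFCONTROL_VERSION="1.0.5"`, is not a Terraform CLI configuration setting, so if tf-control hands this file to Terraform unchanged via `TF_CLI_CONFIG_FILE` Terraform will reject or ignore it; confirm that tf-control strips it, and add a comment saying so next to the line. The `provider_installation` block lists a `filesystem_mirror` and a `direct` method that both include `*/*/*`, which means a provider absent from the local mirror can be fetched from the public registry; a one-line comment such as `# direct is the fallback for providers not present in the mirror` would make that intent explicit for anyone hardening the mirror setup later.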
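--- a/examples/extras/secrets-manager/locals.tf
+++ b/examples/extras/secrets-manager/locals.tf
@@ -0,0 +1,17 @@
+locals {
+base_tags = {
+"eks-cluster-name" = var.cluster_name
+"boc:tf_module_version" = local._module_version
+"boc:created_by" = "terraform"
+}
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+vpc_id = local.parent_rs.cluster_vpc_id
+subnet_ids = local.parent_rs.cluster_subnet_ids
+cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+oidc_provider_url = local.parent_rs.oidc_provider_url
+oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}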
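Review bot: Neither `local._module_version` nor `local.parent_rs` is declared anywhere in this commit, so a reader of this file cannot tell where they come from; presumably they arrive through the `LINK includes.d/parent_rs.tf` and `LINK version.tf` entries in `tf-run.data`, which should be stated here. The comment above the second `locals` block could read `# parent_rs, _module_version and _prefixes are provided by the files linked in via tf-run.data (includes.d/parent_rs.tf, version.tf, prefixes.tf); run the link step before planning`, replacing the vaguer "be sure to make the link". Of the four `parent_rs` attributes read here, only `oidc_provider_arn` is consumed by `secrets-manager.tf` in this commit, so a note on whether `vpc_id`, `subnet_ids` and `cluster_worker_sg_id` are intentionally reserved for later would help.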
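--- a/examples/extras/secrets-manager/region.tf
+++ b/examples/extras/secrets-manager/region.tf
@@ -0,0 +1,3 @@
+locals {
+region = var.region
+}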
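--- a/examples/extras/secrets-manager/secrets-manager.tf
+++ b/examples/extras/secrets-manager/secrets-manager.tf
@@ -0,0 +1,105 @@
+#data "aws_iam_policy" "policy_secrets-manager" {
+# name = "AWSXRayDaemonWriteAccess"
+#}
+
+module "role_secrets-manager" {
+source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.secrets-manager_namespace}:${var.secrets-manager_name}"
+role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name)
+
+# role_policy_arns = {
+# policy = data.aws_iam_policy.policy_secrets-manager.arn
+# }
+
+attach_external_secrets_policy = true
+external_secrets_ssm_parameter_arns = var.ssm_parameter_arns
+external_secrets_secrets_manager_arns = var.secrets-manager_arns
+external_secrets_kms_key_arns = var.secrets-manager_kms_key_arns
+external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create
+
+oidc_providers = {
+main = {
+provider_arn = local.oidc_provider_arn
+namespace_service_accounts = [format("%v:%v", var.secrets-manager_namespace, var.secrets-manager_name)]
+}
+}
+
+tags = merge(
+local.base_tags,
+local.common_tags,
+var.application_tags,
+{
+"eks:namespace" = var.secrets-manager_namespace
+"eks:user" = var.secrets-manager_name
+}
+)
+}
+
+locals {
+secrets-manager_images_output = { for k, v in module.images_secrets-manager.images : v.name => v }
+}
+
+module "images_secrets-manager" {
+source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+profile = var.profile
+application_list = []
+application_name = format("eks/%v", var.cluster_name)
+image_config = [for k, v in var.secrets-manager_images : v if v.enabled]
+tags = merge(
+local.base_tags,
+local.common_tags,
+var.application_tags,
+)
+}
+
+# resource "kubernetes_namespace" "secrets-manager" {
+# metadata {
+# name = var.secrets-manager_namespace
+# }
+# }
+
+resource "helm_release" "secrets-manager" {
+chart = "aws-secrets-manager"
+name = "aws-secrets-manager"
+namespace = var.secrets-manager_namespace
+repository = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].repository : "${path.module}/charts"
+version = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].version : null
+depends_on = [module.images_secrets-manager]
+set {
+name = "image.repository"
+value = split(":", local.secrets-manager_images_output["aws-secrets-manager-daemon"].dest_full_path)[0]
+}
+set {
+name = "image.tag"
+value = local.secrets-manager_images_output["aws-secrets-manager-daemon"].tag
+}
+set {
+name = "secrets-manager.region"
+value = local.region
+}
+set {
+name = "clusterName"
+value = var.cluster_name
+}
+set {
+name = "serviceAccount.name"
+value = var.secrets-manager_name
+}
+set {
+name = "serviceAccount.create"
+value = "true"
+}
+set {
+name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+value = module.role_secrets-manager.iam_role_arn
+}
+set {
+name = "secrets-manager.roleArn"
+value = module.role_secrets-manager.iam_role_arn
+}
+timeout = 300
+}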
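Review bot: The IRSA module input `external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create` references a variable that is not declared; the variable added in `variables.secrets-manager.tf` is `secrets-manager_allow_create` (hyphen), so this should be `external_secrets_secrets_manager_create_permission = var.secrets-manager_allow_create`. The two `image.repository` / `image.tag` lookups index `local.secrets-manager_images_output` with `"aws-secrets-manager-daemon"`, but that local is keyed by `v.name` and the example tfvars in this commit names the image `aws-secrets-manager`; unless the copy-images module rewrites `name` on output, the key is absent and the plan fails, so the key (or the tfvars `name`) should be made to match. The `helm_release` hard-codes `chart = "aws-secrets-manager"` while the tfvars carries `name = "secrets-store-csi-driver-provider-aws"` for that same chart entry, so `chart = var.secrets-manager_charts["secrets-manager"].name` would keep the release consistent with the configured remote repository. The `images_secrets-manager` source pins `?ref=tf-upgrade`, which looks like a branch rather than a tag or commit, so the module content pulled into this example can change without a change to this repo; pinning to an immutable ref would make the build reproducible and auditable.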
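--- a/examples/extras/secrets-manager/tf-run.data
+++ b/examples/extras/secrets-manager/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL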
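--- a/examples/extras/secrets-manager/tf-run.destroy.data
+++ b/examples/extras/secrets-manager/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL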
@@ -0,0 +1,21 @@
secrets-manager_charts = {
"secrets-manager" = {
name = "secrets-store-csi-driver-provider-aws"
documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
version = "0.3.4"
use_remote = true
}
}
secrets-manager_images = {
"secrets-manager" = {
name = "aws-secrets-manager"
image = "public.ecr.aws/secrets-manager/aws-secrets-manager-daemon"
dest_path = null
source_registry = "public.ecr.aws"
source_image = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
source_tag = null
tag = "1.0.r2-50-g5b4aca1-2023.06.09.21.19-linux-amd64"
enabled = true
}
}
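--- a/examples/extras/secrets-manager/variables.secrets-manager.tf
+++ b/examples/extras/secrets-manager/variables.secrets-manager.tf
@@ -0,0 +1,63 @@
+variable "secrets-manager_namespace" {
+description = "Service namespace"
+type = string
+default = "default"
+}
+
+variable "secrets-manager_name" {
+description = "Service account name"
+type = string
+default = "aws-secrets-manager"
+}
+
+variable "secrets-manager_charts" {
+description = "Map of object with details about remote charts"
+type = map(object(
+{
+name = string
+documentation = optional(string, null)
+repository = string
+version = string
+use_remote = bool
+}))
+default = {}
+}
+
+variable "secrets-manager_images" {
+description = "List of image configuration objects to copy from SOURCE to DESTINATION"
+type = map(object({
+name = string,
+documentation = optional(string, null)
+tag = string,
+dest_path = string,
+source_registry = string,
+source_image = string,
+source_tag = string,
+enabled = bool,
+}))
+default = {}
+}
+
+variable "secrets-manager_allow_create" {
+description = "AWS Secrets Manager Allow for pod to create secret"
+type = bool
+default = false
+}
+
+variable "secrets-manager_arns" {
+description = "AWS Secrets Manager ARNs"
+type = list(string)
+default = []
+}
+
+variable "secrets-manager_kms_key_arns" {
+description = "AWS Secrets Manager KMS Key ARNs"
+type = list(string)
+default = []
+}
+
+variable "ssm_parameter_arns" {
+description = "AWS SSM Parameter ARNs"
+type = list(string)
+default = []
+}
+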
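Review bot: The descriptions of the three ARN variables (`secrets-manager_arns`, `secrets-manager_kms_key_arns`, `ssm_parameter_arns`) do not say what an empty default grants; they are passed straight into the IRSA module's external-secrets policy in `secrets-manager.tf`, and whether `[]` yields no access or falls back to a module-wide default is not visible from this commit, so the description should state the intended least-privilege behaviour once confirmed against the module, e.g. `description = "Secrets Manager secret ARNs the service account may read; leave empty to grant none (verify module behaviour for an empty list)"`. The `secrets-manager_images` description says "List of image configuration objects" while the type is `map(object(...))`; `description = "Map of image configuration objects to copy from SOURCE to DESTINATION, keyed by a short image id"` matches the declared type. The `optional(string, null)` attributes require Terraform 1.3 or newer, which is worth a comment since `.tf-control` selects `terraform_latest` and also documents older pinned versions.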
