diff --git a/examples/extras/secrets-manager/.tf-control b/examples/extras/secrets-manager/.tf-control
new file mode 100644
index 0000000..280f449
--- /dev/null
+++ b/examples/extras/secrets-manager/.tf-control
@@ -0,0 +1,20 @@
+# .tf-control
+# allows for setting a specific command to be used for tf-* commands under this git repo
+# see tf-control.sh help for more info
+
+TFCONTROL_VERSION="1.0.5"
+
+TFCOMMAND="terraform_latest"
+# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
+# TFARGS=""
+# TFNOLOG=""
+# TFNOCOLOR=""
+
+# use the following to force a specific version. An upgrade of an existing 0.12.31 to 1.x
+# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other
+# steps in between. See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
+#
+#TFCOMMAND="terraform_0.12.31"
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.15.5"
diff --git a/examples/extras/secrets-manager/.tf-control.tfrc b/examples/extras/secrets-manager/.tf-control.tfrc
new file mode 100644
index 0000000..7425488
--- /dev/null
+++ b/examples/extras/secrets-manager/.tf-control.tfrc
@@ -0,0 +1,24 @@
+TFCONTROL_VERSION="1.0.5"
+
+# https://www.terraform.io/docs/cli/config/config-file.html
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/extras/secrets-manager/locals.tf b/examples/extras/secrets-manager/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/extras/secrets-manager/locals.tf
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/extras/secrets-manager/region.tf b/examples/extras/secrets-manager/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/extras/secrets-manager/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/extras/secrets-manager/secrets-manager.tf b/examples/extras/secrets-manager/secrets-manager.tf
new file mode 100644
index 0000000..c36a3b3
--- /dev/null
+++ b/examples/extras/secrets-manager/secrets-manager.tf
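Review bot: `local.parent_rs` and `local._module_version` are read here but defined in no file of this commit, so a reader of this directory alone cannot tell where they come from; the tf-run.data added in the same commit links `includes.d/parent_rs.tf` into the directory, and the comment above the second `locals` block should say so. I would replace that comment with `# parent_rs is provided by the linked includes.d/parent_rs.tf (see tf-run.data); point it at the parent directory's remote state`. `_module_version` presumably arrives through one of the other linked files (version.tf or versions.tf) — worth confirming and naming it in the comment on `base_tags` as well.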
@@ -0,0 +1,105 @@
+#data "aws_iam_policy" "policy_secrets-manager" {
+# name = "AWSXRayDaemonWriteAccess"
+#}
+
+module "role_secrets-manager" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.secrets-manager_namespace}:${var.secrets-manager_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.secrets-manager_name)
+
+ # role_policy_arns = {
+ # policy = data.aws_iam_policy.policy_secrets-manager.arn
+ # }
+
+ attach_external_secrets_policy = true
+ external_secrets_ssm_parameter_arns = var.ssm_parameter_arns
+ external_secrets_secrets_manager_arns = var.secrets-manager_arns
+ external_secrets_kms_key_arns = var.secrets-manager_kms_key_arns
+ external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.secrets-manager_namespace, var.secrets-manager_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.secrets-manager_namespace
+ "eks:user" = var.secrets-manager_name
+ }
+ )
+}
+
+locals {
+ secrets-manager_images_output = { for k, v in module.images_secrets-manager.images : v.name => v }
+}
+
+module "images_secrets-manager" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ image_config = [for k, v in var.secrets-manager_images : v if v.enabled]
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+# resource "kubernetes_namespace" "secrets-manager" {
+# metadata {
+# name = var.secrets-manager_namespace
+# }
+# }
+
+resource "helm_release" "secrets-manager" {
+ chart = "aws-secrets-manager"
+ name = "aws-secrets-manager"
+ namespace = var.secrets-manager_namespace
+ repository = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].repository : "${path.module}/charts"
+ version = var.secrets-manager_charts["secrets-manager"].use_remote ? var.secrets-manager_charts["secrets-manager"].version : null
+
+ depends_on = [module.images_secrets-manager]
+ set {
+ name = "image.repository"
+ value = split(":", local.secrets-manager_images_output["aws-secrets-manager-daemon"].dest_full_path)[0]
+ }
+
+ set {
+ name = "image.tag"
+ value = local.secrets-manager_images_output["aws-secrets-manager-daemon"].tag
+ }
+ set {
+ name = "secrets-manager.region"
+ value = local.region
+ }
+ set {
+ name = "clusterName"
+ value = var.cluster_name
+ }
+ set {
+ name = "serviceAccount.name"
+ value = var.secrets-manager_name
+ }
+ set {
+ name = "serviceAccount.create"
+ value = "true"
+ }
+ set {
+ name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+ value = module.role_secrets-manager.iam_role_arn
+ }
+ set {
+ name = "secrets-manager.roleArn"
+ value = module.role_secrets-manager.iam_role_arn
+ }
+ timeout = 300
+}
diff --git a/examples/extras/secrets-manager/tf-run.data b/examples/extras/secrets-manager/tf-run.data
new file mode 100644
index 0000000..0db70b8
--- /dev/null
+++ b/examples/extras/secrets-manager/tf-run.data
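Review bot: `external_secrets_secrets_manager_create_permission = var.secrets_manager_allow_create` in module "role_secrets-manager" references an undeclared variable; the variables file in this commit declares it with a hyphen, so the line must read `external_secrets_secrets_manager_create_permission = var.secrets-manager_allow_create` or `terraform validate` fails. In the helm_release, `chart = "aws-secrets-manager"` is hard-coded while the tfvars in this commit name the chart `secrets-store-csi-driver-provider-aws`; `chart = var.secrets-manager_charts["secrets-manager"].name` keeps the two in step, and likewise the lookups `local.secrets-manager_images_output["aws-secrets-manager-daemon"]` will miss a map keyed by `v.name` if the copy module passes the tfvars `name = "aws-secrets-manager"` through unchanged (I cannot see that module, so confirm). Both module sources are unpinned: `?ref=tf-upgrade` tracks a mutable branch and the registry module has no `version` argument, so whatever is pushed or published later is what the next apply runs with; pin the git source to a tag or commit and add a `version` constraint to the registry module so the dependency lock and code review actually cover the code being applied.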
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL
diff --git a/examples/extras/secrets-manager/tf-run.destroy.data b/examples/extras/secrets-manager/tf-run.destroy.data
new file mode 100644
index 0000000..7a82c9f
--- /dev/null
+++ b/examples/extras/secrets-manager/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars b/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars
new file mode 100644
index 0000000..600ce8a
--- /dev/null
+++ b/examples/extras/secrets-manager/variables.secrets-manager.auto.tfvars
@@ -0,0 +1,21 @@
+secrets-manager_charts = {
+ "secrets-manager" = {
+ name = "secrets-store-csi-driver-provider-aws"
+ documentation = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+ repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+ version = "0.3.4"
+ use_remote = true
+ }
+}
+secrets-manager_images = {
+ "secrets-manager" = {
+ name = "aws-secrets-manager"
+ image = "public.ecr.aws/secrets-manager/aws-secrets-manager-daemon"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "aws-secrets-manager/secrets-store-csi-driver-provider-aws"
+ source_tag = null
+ tag = "1.0.r2-50-g5b4aca1-2023.06.09.21.19-linux-amd64"
+ enabled = true
+ }
+}
diff --git a/examples/extras/secrets-manager/variables.secrets-manager.tf b/examples/extras/secrets-manager/variables.secrets-manager.tf
new file mode 100644
index 0000000..7741814
--- /dev/null
+++ b/examples/extras/secrets-manager/variables.secrets-manager.tf
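Review bot: `image = "public.ecr.aws/secrets-manager/aws-secrets-manager-daemon"` is not an attribute of the `secrets-manager_images` object type declared in variables.secrets-manager.tf in this same commit, so as far as I can tell the object conversion discards it and only `source_registry`/`source_image` reach the copy module. The two lines disagree about the upstream image name (`aws-secrets-manager-daemon` versus `secrets-store-csi-driver-provider-aws`), so whichever one is stale will mislead the next maintainer; drop the `image` line, or add the attribute to the type if the module consumes it, and confirm `source_image` is the image the chart actually runs. The `tag` value is a build-style tag with no digest alongside it; since the declared type has no digest field, at least note in a comment which release it corresponds to so it can be reviewed against the upstream publication.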
@@ -0,0 +1,63 @@
+variable "secrets-manager_namespace" {
+ description = "Service namespace"
+ type = string
+ default = "default"
+}
+
+variable "secrets-manager_name" {
+ description = "Service account name"
+ type = string
+ default = "aws-secrets-manager"
+}
+
+variable "secrets-manager_charts" {
+ description = "Map of object with details about remote charts"
+ type = map(object(
+ {
+ name = string
+ documentation = optional(string, null)
+ repository = string
+ version = string
+ use_remote = bool
+ }))
+ default = {}
+}
+
+variable "secrets-manager_images" {
+ description = "List of image configuration objects to copy from SOURCE to DESTINATION"
+ type = map(object({
+ name = string,
+ documentation = optional(string, null)
+ tag = string,
+ dest_path = string,
+ source_registry = string,
+ source_image = string,
+ source_tag = string,
+ enabled = bool,
+ }))
+ default = {}
+}
+
+variable "secrets-manager_allow_create" {
+ description = "AWS Secrets Manager Allow for pod to create secret"
+ type = bool
+ default = false
+}
+
+variable "secrets-manager_arns" {
+ description = "AWS Secrets Manager ARNs"
+ type = list(string)
+ default = []
+}
+
+variable "secrets-manager_kms_key_arns" {
+ description = "AWS Secrets Manager KMS Key ARNs"
+ type = list(string)
+ default = []
+}
+
+variable "ssm_parameter_arns" {
+ description = "AWS SSM Parameter ARNs"
+ type = list(string)
+ default = []
+}
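Review bot: The description of `secrets-manager_images` says "List of image configuration objects" but the type is `map(object({...}))`; I would change it to `description = "Map of image configuration objects to copy from SOURCE to DESTINATION, keyed by a short identifier"`. The description of `secrets-manager_allow_create` is hard to parse; something like `description = "Allow the pod's IAM role to create secrets in AWS Secrets Manager (grants write access, keep false unless required)"` states what the flag actually widens. The `[]` defaults for `secrets-manager_arns`, `secrets-manager_kms_key_arns` and `ssm_parameter_arns` are fed straight into the IAM policy built by the role module in secrets-manager.tf with `attach_external_secrets_policy = true`; I cannot see how that module handles an empty resource list, so either verify it tolerates one or state in each description that the caller must list the exact secrets, keys and parameters the service account should reach, since the scope of that policy is what confines the pod.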