-
-
Notifications
You must be signed in to change notification settings - Fork 28
/
aws_csi_secrets_store.tf
103 lines (83 loc) · 2.82 KB
/
aws_csi_secrets_store.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
resource "helm_release" "csi_secrets_store" {
count = var.csi_secrets_store_enabled ? 1 : 0
name = "csi-secrets-store"
repository = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
chart = "secrets-store-csi-driver"
version = var.csi_secrets_store_version
namespace = "kube-system"
create_namespace = false
set {
name = "syncSecret.enabled"
value = "true"
}
set {
name = "enableSecretRotation"
value = "true"
}
}
data "http" "csi_secrets_store_aws_provider" {
url = "https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml"
}
resource "null_resource" "csi_secrets_store_aws_provider" {
count = var.csi_secrets_store_enabled ? 1 : 0
triggers = {
name = helm_release.csi_secrets_store[0].name
namespace = helm_release.csi_secrets_store[0].namespace
repository = helm_release.csi_secrets_store[0].repository
}
depends_on = [helm_release.csi_secrets_store]
provisioner "local-exec" {
command = "kubectl apply -f ${data.http.csi_secrets_store_aws_provider.url}"
}
}
resource "aws_iam_policy" "secrets_policy" {
count = var.csi_secrets_store_enabled ? 1 : 0
name = "csi-secrets-access-policy-${var.environment_name}"
description = "Policy for accessing secrets in AWS Secrets Manager"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"secretsmanager:GetSecretValue",
"ssm:GetParameters",
"secretsmanager:DescribeSecret"
],
Resource = [
"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:*"
]
}
]
})
}
data "aws_iam_policy_document" "trust_relationship" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [local.oidc_provider_arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
}
}
resource "aws_iam_role" "secrets_manager_role" {
count = var.csi_secrets_store_enabled ? 1 : 0
name = "shared_secrets_manager_role"
assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
}
resource "aws_iam_role_policy_attachment" "secrets_manager_attachment" {
count = var.csi_secrets_store_enabled ? 1 : 0
role = join("", aws_iam_role.secrets_manager_role.*.name)
policy_arn = join("", aws_iam_policy.secrets_policy.*.arn)
}
resource "kubernetes_service_account" "main" {
for_each = toset(var.csi_enabled_namespaces)
metadata {
name = "csi-secrets-service-account"
namespace = each.key
annotations = {
"eks.amazonaws.com/role-arn" = join("", aws_iam_role.secrets_manager_role.*.arn)
}
}
}