Feat: custom irsa iam-policy

clouddrove · Oct 4, 2023 · 4a0c668 · 4a0c668
1 parent e60ed6b
commit 4a0c668
Show file tree

Hide file tree

Showing 11 changed files with 84 additions and 54 deletions.
diff --git a/_examples/complete/config/external-secret/external-secret.yaml b/_examples/complete/config/external-secret/external-secret.yaml
@@ -9,10 +9,10 @@ spec:
     name: external-secrets-store             # -- Provide previously created secret store name
     kind: SecretStore
   target:
-    name: externalsecret-data                # -- Name of secret which will contain data specified below
+    name: externalsecret-data                # -- Name of Kubernetes secret which will contain data specified below
     creationPolicy: Owner
   data:
-  - secretKey: do_not_delete_this_key        # -- AWS Secret-Manager secret key
+  - secretKey: external_secret_key           # -- Kubernetes Secret `externalsecret-data` KEY name
     remoteRef:
-      key: external_secrets                  # -- Same as 'externalsecrets_manifest["secret_manager_name"]
-      property: do_not_delete_this_key       # -- AWS Secret-Manager secret key
+      key: external_secrets_addon            # -- AWS Secret Name, same as `var.external_secrets_extra_configs.secret_manager_name`
+      property: external_secret              # -- AWS Secret-Manager secret key
diff --git a/_examples/complete/custom-iam-policies/external-secrets.json b/_examples/complete/custom-iam-policies/external-secrets.json
@@ -0,0 +1,14 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+            ],
+            "Effect": "Allow",
+            "Resource": "*",
+            "Sid": "ExternalSecretsDefault"
+        }
+    ],
+    "Version": "2012-10-17"
+} 
diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf
@@ -217,30 +217,11 @@ module "addons" {
   kube_state_metrics_extra_configs           = var.kube_state_metrics_extra_configs
   keda_extra_configs                         = var.keda_extra_configs
   certification_manager_extra_configs        = var.certification_manager_extra_configs
-
-  external_secrets_extra_configs = {
-    irsa_assume_role_policy = jsonencode({
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Effect" : "Allow",
-          "Principal" : {
-            "Federated" : module.eks.oidc_provider_arn
-          },
-          "Action" : "sts:AssumeRoleWithWebIdentity",
-          "Condition" : {
-            "StringLike" : {
-              "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
-            }
-          }
-        }
-      ]
-    })
-    secret_manager_name = "external_secrets_addon"
-  }
+  external_secrets_extra_configs             = var.external_secrets_extra_configs
 
   # -- Custom IAM Policy Json for Addon's ServiceAccount
   cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
+  external_secrets_iampolicy_json_content   = file("./custom-iam-policies/external-secrets.json")
 }
 
 module "addons-internal" {

diff --git a/_examples/complete/variables.tf b/_examples/complete/variables.tf
@@ -168,4 +168,12 @@ variable "kiali_manifests" {
 variable "kiali_server_extra_configs" {
   type    = any
   default = {}
+}
+
+# ------------------ EXTERNAL SECRETS ------------------------------------------
+variable "external_secrets_extra_configs" {
+  type = any
+  default = {
+    secret_manager_name = "external_secrets_addon"
+  }
 }
diff --git a/addons/external-secrets/data.tf b/addons/external-secrets/data.tf
@@ -1,6 +1,5 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
 data "aws_eks_cluster" "eks_cluster" {
-  # this makes downstream resources wait for data plane to be ready
   name = var.eks_cluster_name
-}
-
-data "aws_region" "current" {}
+}
diff --git a/addons/external-secrets/locals.tf b/addons/external-secrets/locals.tf
@@ -13,7 +13,7 @@ locals {
     lint                       = try(var.external_secrets_extra_configs.lint, "false")
     repository_key_file        = try(var.external_secrets_extra_configs.repository_key_file, "")
     repository_cert_file       = try(var.external_secrets_extra_configs.repository_cert_file, "")
-    repository_username        = try(var.external_secrets_extra_configs.repository_password, "")
+    repository_username        = try(var.external_secrets_extra_configs.repository_username, "")
     repository_password        = try(var.external_secrets_extra_configs.repository_password, "")
     verify                     = try(var.external_secrets_extra_configs.verify, "false")
     keyring                    = try(var.external_secrets_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
     replace                    = try(var.external_secrets_extra_configs.replace, "false")
   }
 
-  external_secrets_extra_configs = var.external_secrets_extra_configs
-
   helm_config = merge(
     local.default_helm_config,
     var.helm_config,
-    local.external_secrets_extra_configs
   )
 }
diff --git a/addons/external-secrets/main.tf b/addons/external-secrets/main.tf
@@ -44,31 +44,45 @@ module "helm_addon" {
     account_id                        = var.account_id
   }
 
-  irsa_assume_role_policy = var.external_secrets_extra_configs.irsa_assume_role_policy
-
+  irsa_assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}"
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringLike" : {
+            "${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
 }
 
 resource "aws_iam_policy" "policy" {
   name        = "${local.name}-${var.eks_cluster_name}"
   path        = "/"
   description = "IAM Policy used by ${local.name}-${var.eks_cluster_name} IAM Role"
-  policy      = data.aws_iam_policy_document.iam-policy.json
-}
-
-data "aws_iam_policy_document" "iam-policy" {
-  version = "2012-10-17"
-
-  statement {
-    sid    = "VisualEditor0"
-    effect = "Allow"
-    actions = [
-      "secretsmanager:GetSecretValue",
-      "secretsmanager:DescribeSecret",
-    ]
-    resources = [
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${var.external_secrets_extra_configs.secret_manager_name}*",
-    ]
-  }
+  policy      = var.iampolicy_json_content != null ? var.iampolicy_json_content : <<-EOT
+{
+    "Statement": [
+        {
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon")}*",
+            "Sid": "ExternalSecretsDefault"
+        }
+    ],
+    "Version": "2012-10-17"
+}  
+  EOT
 }
 
 module "secrets_manager" {
@@ -79,10 +93,10 @@ module "secrets_manager" {
   name  = "secrets-manager"
   secrets = [
     {
-      name        = try(var.external_secrets_extra_configs.secret_manager_name, "external_secret")
+      name        = try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon")
       description = try(var.external_secrets_extra_configs.secret_manager_description, "AWS EKS external-secrets helm addon.")
       secret_key_value = {
-        external_secret = "external_secret_addon"
+        external_secret = "external_secret_addon_data"
       }
       recovery_window_in_days = try(var.external_secrets_extra_configs.recovery_window_in_days, 7)
     }

diff --git a/addons/external-secrets/variables.tf b/addons/external-secrets/variables.tf
@@ -39,4 +39,10 @@ variable "external_secrets_extra_configs" {
   description = "Override attributes of helm_release terraform resource"
   type        = any
   default     = {}
+}
+
+variable "iampolicy_json_content" {
+  description = "Custom IAM Policy for External-Secrets IRSA"
+  type        = string
+  default     = null
 }
diff --git a/main.tf b/main.tf
@@ -117,6 +117,7 @@ module "external_secrets" {
   eks_cluster_name               = data.aws_eks_cluster.eks_cluster.name
   account_id                     = data.aws_caller_identity.current.account_id
   external_secrets_extra_configs = var.external_secrets_extra_configs
+  iampolicy_json_content         = var.external_secrets_iampolicy_json_content
 }
 
 module "ingress_nginx" {

diff --git a/outputs.tf b/outputs.tf
@@ -159,6 +159,10 @@ output "external_secrets_repository" {
   value       = module.ingress_nginx[*].repository
   description = "helm repository url of external-secrets"
 }
+output "external_secrets_iam_policy" {
+  value       = module.external_secrets[*].iam_policy
+  description = "Name of IAM Policy used in external-secrets irsa"
+}
 
 #----------- INGRESS NGINX ---------------------
 output "ingress_nginx_namespace" {

diff --git a/variables.tf b/variables.tf
@@ -260,6 +260,12 @@ variable "external_secrets_extra_configs" {
   default     = {}
 }
 
+variable "external_secrets_iampolicy_json_content" {
+  description = "Custom IAM Policy for External-Secrets IRSA"
+  type        = string
+  default     = null
+}
+
 #------------------ INGRESS NGINX -------------------------
 variable "ingress_nginx" {
   description = "Enable ingress nginx add-on"