Feat: 🚀 use external-secret in multiple namespaces (#33)

* feat: use external-secret in multiple namespaces * fix- tf-check secret_manager_name error * fix- tf-check terraform format * fix- tf-lint warnings * feat: multiple istio-gateways on same cluster & fixed tf-lints
clouddrove · Oct 3, 2023 · c549c3a · c549c3a
1 parent 8a40085
commit c549c3a
Show file tree

Hide file tree

Showing 21 changed files with 429 additions and 230 deletions.
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,113 @@
+plugin "aws" {
+    enabled = true
+    version = "0.21.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+#Enables module inspection
+module = false
+force = false
+}
+
+# Required that all AWS resources have specified tags.
+rule "aws_resource_missing_tags" {
+  enabled = true
+  tags = [
+    "Name",
+    "Environment",
+  ]
+}
+
+# Disallow deprecated (0.11-style) interpolation
+rule "terraform_deprecated_interpolation" {
+enabled = true
+}
+
+# Disallow legacy dot index syntax.
+rule "terraform_deprecated_index" {
+enabled = true
+}
+
+# Disallow variables, data sources, and locals that are declared but never used.
+rule "terraform_unused_declarations" {
+enabled = true
+}
+
+# Disallow // comments in favor of #.
+rule "terraform_comment_syntax" {
+enabled = false
+}
+
+# Disallow output declarations without description.
+rule "terraform_documented_outputs" {
+enabled = true
+}
+
+# Disallow variable declarations without description.
+rule "terraform_documented_variables" {
+enabled = true
+}
+
+# Disallow variable declarations without type.
+rule "terraform_typed_variables" {
+enabled = true
+}
+
+# Disallow specifying a git or mercurial repository as a module source without pinning to a version.
+rule "terraform_module_pinned_source" {
+enabled = true
+}
+
+# Enforces naming conventions
+rule "terraform_naming_convention" {
+enabled = true
+
+#Require specific naming structure
+variable {
+format = "snake_case"
+}
+
+locals {
+format = "snake_case"
+}
+
+output {
+format = "snake_case"
+}
+
+#Allow any format
+resource {
+format = "none"
+}
+
+module {
+format = "none"
+}
+
+data {
+format = "none"
+}
+
+}
+
+# Disallow terraform declarations without require_version.
+# rule "terraform_required_version" {
+# enabled = true
+# }
+
+# Require that all providers have version constraints through required_providers.
+rule "terraform_required_providers" {
+enabled = true
+}
+
+# Ensure that a module complies with the Terraform Standard Module Structure
+rule "terraform_standard_module_structure" {
+enabled = true
+}
+
+# terraform.workspace should not be used with a "remote" backend with remote execution.
+rule "terraform_workspace_remote" {
+enabled = true
+}
+
diff --git a/_examples/basic/main.tf b/_examples/basic/main.tf
@@ -175,12 +175,11 @@ module "addons" {
   keda                         = true
 
   # -- Addons with mandatory variable
-  istio_ingress             = true
-  istio_manifests           = var.istio_manifests
-  kiali_server              = true
-  kiali_manifests           = var.kiali_manifests
-  external_secrets          = true
-  externalsecrets_manifests = var.externalsecrets_manifests
+  istio_ingress    = true
+  istio_manifests  = var.istio_manifests
+  kiali_server     = true
+  kiali_manifests  = var.kiali_manifests
+  external_secrets = true
 
   # -- Extra helm_release attributes
   velero_extra_configs = var.velero_extra_configs

diff --git a/_examples/basic/variables.tf b/_examples/basic/variables.tf
@@ -24,20 +24,6 @@ variable "kiali_manifests" {
   description = "Path to VirtualService manifest for kiali-dashboard"
 }
 
-variable "externalsecrets_manifests" {
-  type = object({
-    secret_store_manifest_file_path     = string
-    external_secrets_manifest_file_path = string
-    secret_manager_name                 = string
-  })
-  default = {
-    secret_store_manifest_file_path     = "./config/external-secret/secret-store.yaml"
-    external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
-    secret_manager_name                 = "external_secrets"
-  }
-  description = "yaml manifest file path to create ExternalSecret, SecretStore and custome SecretManger name"
-}
-
 #------------ EXTRA CONFIGS -----------
 variable "velero_extra_configs" {
   type = any

diff --git a/_examples/complete/config/istio/gateway-internal.yaml b/_examples/complete/config/istio/gateway-internal.yaml
@@ -0,0 +1,17 @@
+# -- Make sure to use same Namespace for Gateway, Ingress & var.istio_ingress_extra_configs["namespace"], default namespace is set to `istio-system`.
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-gateway-internal
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingress-internal
+  servers:
+  - hosts:
+    - "*.test.clouddrove.com"
+    - "test.clouddrove.com"
+    port:
+      number: 80
+      name: http
+      protocol: HTTP
diff --git a/_examples/complete/config/istio/ingress-internal.yaml b/_examples/complete/config/istio/ingress-internal.yaml
@@ -16,6 +16,6 @@ spec:
           pathType: Prefix
           backend:
             service:
-              name: istio-ingress
+              name: istio-ingress-internal
               port:
                 number: 80
diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf
@@ -160,22 +160,21 @@ module "addons" {
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
   kube_state_metrics           = true
-  # karpenter                    = false    # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
-  calico_tigera = true
-  new_relic     = true
-  kubeclarity   = true
-  ingress_nginx = true
-  fluent_bit    = true
-  velero        = true
-  keda          = true
+  karpenter                    = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
+  calico_tigera                = true
+  new_relic                    = true
+  kubeclarity                  = true
+  ingress_nginx                = true
+  fluent_bit                   = true
+  velero                       = true
+  keda                         = true
 
   # -- Addons with mandatory variable
-  istio_ingress             = true
-  istio_manifests           = var.istio_manifests
-  kiali_server              = true
-  kiali_manifests           = var.kiali_manifests
-  external_secrets          = true
-  externalsecrets_manifests = var.externalsecrets_manifests
+  istio_ingress    = true
+  istio_manifests  = var.istio_manifests
+  kiali_server     = true
+  kiali_manifests  = var.kiali_manifests
+  external_secrets = true
 
   # -- Path of override-values.yaml file
   metrics_server_helm_config               = { values = [file("./config/override-metrics-server.yaml")] }
@@ -208,7 +207,6 @@ module "addons" {
   calico_tigera_extra_configs                = var.calico_tigera_extra_configs
   istio_ingress_extra_configs                = var.istio_ingress_extra_configs
   kiali_server_extra_configs                 = var.kiali_server_extra_configs
-  external_secrets_extra_configs             = var.external_secrets_extra_configs
   ingress_nginx_extra_configs                = var.ingress_nginx_extra_configs
   kubeclarity_extra_configs                  = var.kubeclarity_extra_configs
   fluent_bit_extra_configs                   = var.fluent_bit_extra_configs
@@ -217,6 +215,38 @@ module "addons" {
   kube_state_metrics_extra_configs           = var.kube_state_metrics_extra_configs
   keda_extra_configs                         = var.keda_extra_configs
 
+  external_secrets_extra_configs = {
+    irsa_assume_role_policy = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Federated" : module.eks.oidc_provider_arn
+          },
+          "Action" : "sts:AssumeRoleWithWebIdentity",
+          "Condition" : {
+            "StringLike" : {
+              "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
+            }
+          }
+        }
+      ]
+    })
+    secret_manager_name = "external_secrets_addon"
+  }
+
   # -- Custom IAM Policy Json for Addon's ServiceAccount
   cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
+}
+
+module "addons-internal" {
+  source = "../../"
+
+  depends_on       = [module.eks]
+  eks_cluster_name = module.eks.cluster_name
+
+  istio_ingress               = true
+  istio_manifests             = var.istio_manifests_internal
+  istio_ingress_extra_configs = var.istio_ingress_extra_configs_internal
 }
diff --git a/_examples/complete/outputs.tf b/_examples/complete/outputs.tf
@@ -14,9 +14,5 @@ output "update_kubeconfig" {
 }
 
 output "velero_post_installation" {
-  value = <<EOF
-Once velero server is up and running you need the client before you can use it
-1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz
-2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client  
-  EOF  
+  value = indent(2, "Once velero server is up and running you need the client before you can use it - \n  1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz \n  2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client")
 }