clouddrove · anmolnagpal · Oct 3, 2023 · Sep 29, 2023 · Sep 29, 2023 · Oct 2, 2023
@@ -0,0 +1,113 @@
+plugin "aws" {
+    enabled = true
+    version = "0.21.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+#Enables module inspection
+module = false
+force = false
+}
+
+# Required that all AWS resources have specified tags.
+rule "aws_resource_missing_tags" {
+  enabled = true
+  tags = [
+    "Name",
+    "Environment",
+  ]
+}
+
+# Disallow deprecated (0.11-style) interpolation
+rule "terraform_deprecated_interpolation" {
+enabled = true
+}
+
+# Disallow legacy dot index syntax.
+rule "terraform_deprecated_index" {
+enabled = true
+}
+
+# Disallow variables, data sources, and locals that are declared but never used.
+rule "terraform_unused_declarations" {
+enabled = true
+}
+
+# Disallow // comments in favor of #.
+rule "terraform_comment_syntax" {
+enabled = false
+}
+
+# Disallow output declarations without description.
+rule "terraform_documented_outputs" {
+enabled = true
+}
+
+# Disallow variable declarations without description.
+rule "terraform_documented_variables" {
+enabled = true
+}
+
+# Disallow variable declarations without type.
+rule "terraform_typed_variables" {
+enabled = true
+}
+
+# Disallow specifying a git or mercurial repository as a module source without pinning to a version.
+rule "terraform_module_pinned_source" {
+enabled = true
+}
+
+# Enforces naming conventions
+rule "terraform_naming_convention" {
+enabled = true
+
+#Require specific naming structure
+variable {
+format = "snake_case"
+}
+
+locals {
+format = "snake_case"
+}
+
+output {
+format = "snake_case"
+}
+
+#Allow any format
+resource {
+format = "none"
+}
+
+module {
+format = "none"
+}
+
+data {
+format = "none"
+}
+
+}
+
+# Disallow terraform declarations without require_version.
+# rule "terraform_required_version" {
+# enabled = true
+# }
+
+# Require that all providers have version constraints through required_providers.
+rule "terraform_required_providers" {
+enabled = true
+}
+
+# Ensure that a module complies with the Terraform Standard Module Structure
+rule "terraform_standard_module_structure" {
+enabled = true
+}
+
+# terraform.workspace should not be used with a "remote" backend with remote execution.
+rule "terraform_workspace_remote" {
+enabled = true
+}
+
@@ -174,12 +174,11 @@ module "addons" {
   velero                       = true
 
   # -- Addons with mandatory variable
-  istio_ingress             = true
-  istio_manifests           = var.istio_manifests
-  kiali_server              = true
-  kiali_manifests           = var.kiali_manifests
-  external_secrets          = true
-  externalsecrets_manifests = var.externalsecrets_manifests
+  istio_ingress    = true
+  istio_manifests  = var.istio_manifests
+  kiali_server     = true
+  kiali_manifests  = var.kiali_manifests
+  external_secrets = true
 
   # -- Extra helm_release attributes
   velero_extra_configs = var.velero_extra_configs

@@ -24,20 +24,6 @@ variable "kiali_manifests" {
   description = "Path to VirtualService manifest for kiali-dashboard"
 }
 
-variable "externalsecrets_manifests" {
-  type = object({
-    secret_store_manifest_file_path     = string
-    external_secrets_manifest_file_path = string
-    secret_manager_name                 = string
-  })
-  default = {
-    secret_store_manifest_file_path     = "./config/external-secret/secret-store.yaml"
-    external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
-    secret_manager_name                 = "external_secrets"
-  }
-  description = "yaml manifest file path to create ExternalSecret, SecretStore and custome SecretManger name"
-}
-
 #------------ EXTRA CONFIGS -----------
 variable "velero_extra_configs" {
   type = any

@@ -160,21 +160,20 @@
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
   kube_state_metrics           = true
-  # karpenter                    = false    # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
-  calico_tigera = true
-  new_relic     = true
-  kubeclarity   = true
-  ingress_nginx = true
-  fluent_bit    = true
-  velero        = true
+  karpenter                    = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
+  calico_tigera                = true
+  new_relic                    = true
+  kubeclarity                  = true
+  ingress_nginx                = true
+  fluent_bit                   = true
+  velero                       = true
 
   # -- Addons with mandatory variable
-  istio_ingress             = true
-  istio_manifests           = var.istio_manifests
-  kiali_server              = true
-  kiali_manifests           = var.kiali_manifests
-  external_secrets          = true
-  externalsecrets_manifests = var.externalsecrets_manifests
+  istio_ingress    = true
+  istio_manifests  = var.istio_manifests
+  kiali_server     = true
+  kiali_manifests  = var.kiali_manifests
+  external_secrets = true
 
   # -- Path of override-values.yaml file
   metrics_server_helm_config               = { values = [file("./config/override-metrics-server.yaml")] }
@@ -206,13 +205,32 @@
   calico_tigera_extra_configs                = var.calico_tigera_extra_configs
   istio_ingress_extra_configs                = var.istio_ingress_extra_configs
   kiali_server_extra_configs                 = var.kiali_server_extra_configs
-  external_secrets_extra_configs             = var.external_secrets_extra_configs
   ingress_nginx_extra_configs                = var.ingress_nginx_extra_configs
   kubeclarity_extra_configs                  = var.kubeclarity_extra_configs
   fluent_bit_extra_configs                   = var.fluent_bit_extra_configs
   velero_extra_configs                       = var.velero_extra_configs
   new_relic_extra_configs                    = var.new_relic_extra_configs
   kube_state_metrics_extra_configs           = var.kube_state_metrics_extra_configs
+  external_secrets_extra_configs = {
+    secret_manager_name = "external_secrets_addon"
+    irsa_assume_role_policy = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Federated" : "${module.eks.oidc_provider_arn}"
+          },
+          "Action" : "sts:AssumeRoleWithWebIdentity",
+          "Condition" : {
+            "StringLike" : {
+              "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
+            }
+          }
+        }
+      ]
+    })
+  }
 
   # -- Custom IAM Policy Json for Addon's ServiceAccount
   cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")

diff --git a/_examples/complete/providers.tf b/_examples/complete/providers.tf
@@ -37,4 +37,6 @@
   name       = module.eks.cluster_name
   depends_on = [module.eks.cluster_id]
 }
-data "aws_availability_zones" "available" {}
+data "aws_availability_zones" "available" {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
@@ -25,20 +25,6 @@ variable "kiali_manifests" {
   }
 }
 
-# ------------------ EXTERNAL SECRETS ------------------------------------------
-variable "externalsecrets_manifests" {
-  type = object({
-    secret_store_manifest_file_path     = string
-    external_secrets_manifest_file_path = string
-    secret_manager_name                 = string
-  })
-  default = {
-    secret_store_manifest_file_path     = "./config/external-secret/secret-store.yaml"
-    external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
-    secret_manager_name                 = "external_secrets"
-  }
-}
-
 #--------------OVERRIDE HELM RELEASE ATTRIBUTES --------------------------------
 variable "metrics_server_extra_configs" {
   type    = any
@@ -94,11 +80,6 @@ variable "kiali_server_extra_configs" {
   default = {}
 }
 
-variable "external_secrets_extra_configs" {
-  type    = any
-  default = {}
-}
-
 variable "ingress_nginx_extra_configs" {
   type    = any
   default = {}

@@ -5,7 +5,6 @@ module "helm_addon" {
   helm_config       = local.helm_config
   addon_context     = var.addon_context
 
-  depends_on = [kubernetes_namespace_v1.this]
   set_values = [
     {
       name  = "serviceAccount.create"
@@ -45,6 +44,8 @@ module "helm_addon" {
     account_id                        = var.account_id
   }
 
+  irsa_assume_role_policy = var.external_secrets_extra_configs.irsa_assume_role_policy
+
 }
 
 resource "aws_iam_policy" "policy" {
@@ -54,15 +55,6 @@ resource "aws_iam_policy" "policy" {
   policy      = data.aws_iam_policy_document.iam-policy.json
 }
 
-resource "kubernetes_namespace_v1" "this" {
-  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
-  metadata {
-    name = local.helm_config["namespace"]
-  }
-}
-
-
 data "aws_iam_policy_document" "iam-policy" {
   version = "2012-10-17"
 
@@ -74,34 +66,25 @@ data "aws_iam_policy_document" "iam-policy" {
       "secretsmanager:DescribeSecret",
     ]
     resources = [
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${var.externalsecrets_manifests.secret_manager_name}*",
+      "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${var.external_secrets_extra_configs.secret_manager_name}*",
     ]
   }
 }
 
-resource "kubectl_manifest" "secret_store" {
-  depends_on = [module.helm_addon]
-  yaml_body  = file(var.externalsecrets_manifests.secret_store_manifest_file_path)
-}
-
-resource "kubectl_manifest" "external_secrets" {
-  depends_on = [kubectl_manifest.secret_store, module.secrets_manager]
-  yaml_body  = file(var.externalsecrets_manifests.external_secrets_manifest_file_path)
-}
-
 module "secrets_manager" {
   source  = "clouddrove/secrets-manager/aws"
   version = "2.0.0"
 
-  name = "secrets-manager"
+  count = try(var.external_secrets_extra_configs.create_secret_manager, true) ? 1 : 0
+  name  = "secrets-manager"
   secrets = [
     {
-      name        = var.externalsecrets_manifests.secret_manager_name
-      description = "AWS EKS external-secrets helm addon."
+      name        = try(var.external_secrets_extra_configs.secret_manager_name, "external_secret")
+      description = try(var.external_secrets_extra_configs.secret_manager_description, "AWS EKS external-secrets helm addon.")
       secret_key_value = {
-        do_not_delete_this_key = "do_not_delete_this_value"
+        external_secret = "external_secret_addon"
       }
-      recovery_window_in_days = 7
+      recovery_window_in_days = try(var.external_secrets_extra_configs.recovery_window_in_days, 7)
     }
   ]
 }
@@ -1,7 +1,3 @@
-output "secret_manager_name" {
-  value = var.externalsecrets_manifests.secret_manager_name
-}
-
 output "service_account" {
   value = "${local.name}-sa"
 }

@@ -35,16 +35,14 @@
   })
 }
 
-variable "externalsecrets_manifests" {
-  type = object({
-    secret_store_manifest_file_path     = string
-    external_secrets_manifest_file_path = string
-    secret_manager_name                 = string
-  })
-}
-
 variable "external_secrets_extra_configs" {
   description = "Override attributes of helm_release terraform resource"
   type        = any
   default     = {}
+}
+
+variable "irsa_assume_role_policy" {
+  description = "Custom Trust Relationship policy for IAM Role"
+  type        = any
+  default     = null
 }
@@ -76,4 +76,5 @@ module "irsa" {
   irsa_iam_permissions_boundary     = lookup(var.addon_context, "irsa_iam_permissions_boundary", null)
   eks_oidc_provider_arn             = lookup(var.irsa_config, "eks_oidc_provider_arn", "")
   account_id                        = lookup(var.irsa_config, "account_id", "")
+  irsa_assume_role_policy           = var.irsa_assume_role_policy
 }
@@ -32,3 +32,9 @@ variable "addon_context" {
   description = "Input configuration for the addon"
   type        = any
 }
+
+variable "irsa_assume_role_policy" {
+  description = "Custom Trust Relationship policy for IAM Role"
+  type        = any
+  default     = null
+}
@@ -116,7 +116,6 @@ module "external_secrets" {
   addon_context                  = local.addon_context
   eks_cluster_name               = data.aws_eks_cluster.eks_cluster.name
   account_id                     = data.aws_caller_identity.current.account_id
-  externalsecrets_manifests      = var.externalsecrets_manifests
   external_secrets_extra_configs = var.external_secrets_extra_configs
 }