adding secrets policy

opszero · Oct 28, 2024 · a77d178 · a77d178
1 parent 6e2b284
commit a77d178
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/aws_csi_secrets_store.tf b/aws_csi_secrets_store.tf
@@ -45,7 +45,7 @@ resource "aws_iam_policy" "secrets_policy" {
           "secretsmanager:DescribeSecret"
         ],
         Resource = [
-          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:testing-KBgXuY"
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:*"
         ]
       }
     ]
@@ -59,16 +59,21 @@ data "aws_iam_policy_document" "trust_relationship" {
 
     principals {
       type        = "Federated"
-      identifiers = [replace(aws_eks_cluster.cluster.identity[0].oidc.issuer, "https://", "")]
+      identifiers = [replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")]
     }
 
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     condition {
       test     = "StringEquals"
-      variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc.issuer, "https://", "")}:aud"
+      variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud"
       values   = ["sts.amazonaws.com"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub"
+      values   = ["system:serviceaccount:*:*"]
+    }
   }
 }
 

diff --git a/variables.tf b/variables.tf
@@ -397,12 +397,12 @@ variable "karpenter_ami_family" {
 }
 
 variable "csi_secrets_store_enabled" {
-  default     = false
+  default     = true
   description = "Specify whether the CSI driver is enabled on the EKS cluster"
 }
 
 variable "csi_secrets_store_version" {
-  default     = "1.3.4"
+  default     = "1.4.6"
   description = "The version of the CSI store helm chart"
 }