From f73213485f9b2b6aa8d5b9efe7a207237f8e393a Mon Sep 17 00:00:00 2001
From: Sohan Yadav
Date: Mon, 28 Oct 2024 18:42:33 +0530
Subject: [PATCH] adding secrets policy
---
aws_csi_secrets_store.tf | 66 ++++++++++++++++++++++++++--------------
locals.tf | 1 +
variables.tf | 7 ++++-
3 files changed, 50 insertions(+), 24 deletions(-)
diff --git a/aws_csi_secrets_store.tf b/aws_csi_secrets_store.tf
index 89650dd..b540e2f 100644
--- a/aws_csi_secrets_store.tf
+++ b/aws_csi_secrets_store.tf
@@ -40,8 +40,10 @@ resource "null_resource" "csi_secrets_store_aws_provider" {
 }
+
 resource "aws_iam_policy" "secrets_policy" {
- name = "secrets-access-policy"
+ count = var.csi_secrets_store_enabled ? 1 : 0
+ name = "csi-secrets-access-policy-${var.environment_name}"
 description = "Policy for accessing secrets in AWS Secrets Manager"
 policy = jsonencode({
@@ -62,38 +64,56 @@ resource "aws_iam_policy" "secrets_policy" {
 })
 }
-
 data "aws_iam_policy_document" "trust_relationship" {
- statement {
- effect = "Allow"
+ # Create a statement for each namespace
+ dynamic "statement" {
+ for_each = var.csi_enabled_namespaces
- principals {
- type = "Federated"
- identifiers = [replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")]
- }
+ content {
+ effect = "Allow"
- actions = ["sts:AssumeRoleWithWebIdentity"]
+ principals {
+ type = "Federated"
+ identifiers = [local.oidc_provider_arn]
+ }
- condition {
- test = "StringEquals"
- variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud"
- values = ["sts.amazonaws.com"]
- }
- condition {
- test = "StringEquals"
- variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub"
- values = ["system:serviceaccount:*:*"]
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub"
+ values = ["system:serviceaccount:${statement.value}:csi-secrets-service-account"]
+ }
 }
 }
 }
 resource "aws_iam_role" "secrets_manager_role" {
- name = "secrets_manager_role"
+ count = var.csi_secrets_store_enabled ? 1 : 0
+ name = "shared_secrets_manager_role"
 assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
 }
-# Step 3: Attach Policy to Role
-resource "aws_iam_role_policy_attachment" "secrets_policy_attachment" {
- role = aws_iam_role.secrets_manager_role.name
- policy_arn = aws_iam_policy.secrets_policy.arn
+resource "aws_iam_role_policy_attachment" "secrets_manager_attachment" {
+ role = join("",aws_iam_role.secrets_manager_role.*.name)
+ policy_arn = join ("", aws_iam_policy.secrets_policy.*.arn)
 }
+
+ resource "kubernetes_service_account" "main" {
+ for_each = var.csi_secrets_store_enabled ? toset(var.csi_enabled_namespaces) : []
+
+ metadata {
+ name = "csi-secrets-service-account"
+ namespace = each.key
+ annotations = {
+ "eks.amazonaws.com/role-arn" = join("",aws_iam_role.secrets_manager_role.*.name)
+ }
+ }
+}
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
index 507466e..a7f6b56 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,5 +1,6 @@
 locals {
 alb_name = "aws-load-balancer-controller"
+ oidc_provider_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"
 partition = data.aws_partition.current.partition
 account_id = data.aws_caller_identity.current.account_id
 # https://github.com/aws-samples/amazon-cloudwatch-container-insights/releases
diff --git a/variables.tf b/variables.tf
index 87cdd6b..63ee9d8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -397,10 +397,15 @@ variable "karpenter_ami_family" {
 }
 variable "csi_secrets_store_enabled" {
- default = true
+ default = false
 description = "Specify whether the CSI driver is enabled on the EKS cluster"
 }
+variable "csi_enabled_namespaces" {
+ type = list(string)
+ default = []
+}
+
 variable "csi_secrets_store_version" {
 default = "1.4.6"
 description = "The version of the CSI store helm chart"
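Review bot: The `eks.amazonaws.com/role-arn` annotation on `kubernetes_service_account.main` is built from `aws_iam_role.secrets_manager_role.*.name`, but the IRSA webhook needs the role ARN, so pods in the listed namespaces receive a bare role name and the web-identity assume-role fails at runtime; change it to `"eks.amazonaws.com/role-arn" = join("", aws_iam_role.secrets_manager_role.*.arn)`. `aws_iam_role_policy_attachment.secrets_manager_attachment` has no `count`, so with `csi_secrets_store_enabled = false` (now the default in variables.tf) both `join()` calls collapse to `""` and the attachment fails validation; give it `count = var.csi_secrets_store_enabled ? 1 : 0` as well. The `for_each` on the service account mixes a `set(string)` true branch with a bare `[]` false branch, which Terraform may reject as inconsistent result types; `toset([])` sidesteps that. The role keeps the fixed name `shared_secrets_manager_role` while the policy name now carries `var.environment_name`, so two environments in one account would collide on the role, and an empty `csi_enabled_namespaces` makes the dynamic block emit a trust document with no statements, which IAM will reject when the role is created. Tightening the `:sub` condition from `system:serviceaccount:*:*` to one named service account per namespace is the right direction; a one-line comment on the `dynamic "statement"` block saying that the role is only assumable by `csi-secrets-service-account` in the listed namespaces would make that intent explicit.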
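Review bot: `oidc_provider_arn` hard-codes the `aws` partition even though `partition = data.aws_partition.current.partition` is defined on the next line of the same `locals` block, so in the GovCloud and China partitions the trust policy in aws_csi_secrets_store.tf would point at a provider ARN that does not exist; use `oidc_provider_arn = "arn:${local.partition}:iam::${local.account_id}:oidc-provider/${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"`. The local also presumes an IAM OIDC provider for the cluster issuer already exists in this account; if the module does not manage an `aws_iam_openid_connect_provider` for it, that expectation deserves a comment such as `# Assumes the cluster's IAM OIDC provider already exists in this account`.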