
chore: brush off the dust in managed e2e infra

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner 8 meses atrás
daf3e36e1f
59 arquivos alterados com 705 adições e 702 exclusões
  1. 0 10
      .github/actions/e2e-managed/action.yml
  2. 10 4
      .github/workflows/e2e-managed.yml
  3. 0 1
      .github/workflows/ok-to-test-managed.yml
  4. 23 17
      Makefile
  5. 10 0
      terraform/aws/infrastructure/main.tf
  6. 55 0
      terraform/aws/infrastructure/modules/cluster/irsa.tf
  7. 89 0
      terraform/aws/infrastructure/modules/cluster/main.tf
  8. 44 0
      terraform/aws/infrastructure/modules/cluster/outputs.tf
  9. 31 0
      terraform/aws/infrastructure/modules/cluster/provider.tf
  10. 5 0
      terraform/aws/infrastructure/modules/cluster/variables.tf
  11. 9 0
      terraform/aws/infrastructure/provider.tf
  12. 4 4
      terraform/aws/infrastructure/variables.tf
  13. 14 0
      terraform/aws/kubernetes/main.tf
  14. 31 0
      terraform/aws/kubernetes/provider.tf
  15. 15 0
      terraform/aws/kubernetes/variables.tf
  16. 0 60
      terraform/aws/modules/cluster/auth.tf
  17. 0 80
      terraform/aws/modules/cluster/irsa.tf
  18. 0 145
      terraform/aws/modules/cluster/main.tf
  19. 0 0
      terraform/aws/modules/cluster/outputs.tf
  20. 0 10
      terraform/aws/modules/cluster/provider.tf
  21. 0 0
      terraform/aws/outputs.tf
  22. 0 24
      terraform/aws/provider.tf
  23. 6 0
      terraform/azure/infrastructure/aks/main.tf
  24. 0 0
      terraform/azure/infrastructure/aks/output.tf
  25. 0 1
      terraform/azure/infrastructure/aks/variables.tf
  26. 0 0
      terraform/azure/infrastructure/key-vault/main.tf
  27. 0 0
      terraform/azure/infrastructure/key-vault/output.tf
  28. 0 0
      terraform/azure/infrastructure/key-vault/variables.tf
  29. 9 50
      terraform/azure/infrastructure/main.tf
  30. 26 0
      terraform/azure/infrastructure/providers.tf
  31. 6 6
      terraform/azure/infrastructure/service-principal/main.tf
  32. 2 2
      terraform/azure/infrastructure/service-principal/output.tf
  33. 0 0
      terraform/azure/infrastructure/service-principal/variables.tf
  34. 0 5
      terraform/azure/infrastructure/variables.tf
  35. 47 0
      terraform/azure/kubernetes/main.tf
  36. 49 0
      terraform/azure/kubernetes/provider.tf
  37. 5 0
      terraform/azure/kubernetes/variables.tf
  38. 4 5
      terraform/azure/kubernetes/workload_identity.tf
  39. 0 35
      terraform/azure/providers.tf
  40. 0 7
      terraform/azure/workload-identity/variables.tf
  41. 0 80
      terraform/gcp/eso_gcp_modules/gke/main.tf
  42. 0 48
      terraform/gcp/eso_gcp_modules/gke/variable.tf
  43. 0 29
      terraform/gcp/eso_gcp_modules/network/main.tf
  44. 0 18
      terraform/gcp/eso_gcp_modules/network/variable.tf
  45. 20 0
      terraform/gcp/infrastructure/main.tf
  46. 43 0
      terraform/gcp/infrastructure/modules/gke/main.tf
  47. 18 0
      terraform/gcp/infrastructure/modules/gke/variable.tf
  48. 14 0
      terraform/gcp/infrastructure/modules/network/main.tf
  49. 7 0
      terraform/gcp/infrastructure/modules/network/output.tf
  50. 6 0
      terraform/gcp/infrastructure/modules/network/variable.tf
  51. 35 0
      terraform/gcp/infrastructure/provider.tf
  52. 9 0
      terraform/gcp/infrastructure/variable.tf
  53. 8 0
      terraform/gcp/kubernetes/main.tf
  54. 42 0
      terraform/gcp/kubernetes/provider.tf
  55. 9 0
      terraform/gcp/kubernetes/variables.tf
  56. 0 29
      terraform/gcp/main.tf
  57. 0 13
      terraform/gcp/provider.tf
  58. 0 3
      terraform/gcp/provider_variables.tf
  59. 0 16
      terraform/gcp/variable.tf

+ 0 - 10
.github/actions/e2e-managed/action.yml

@@ -98,16 +98,6 @@ runs:
         tenant-id: ${{ env.TFC_AZURE_TENANT_ID }}
         subscription-id: ${{ env.TFC_AZURE_SUBSCRIPTION_ID }}
 
-    - name: Show TF
-      shell: bash
-      env:
-        ARM_CLIENT_ID: "${{ env.TFC_AZURE_CLIENT_ID }}"
-        ARM_SUBSCRIPTION_ID: "${{ env.TFC_AZURE_SUBSCRIPTION_ID }}"
-        ARM_TENANT_ID: "${{ env.TFC_AZURE_TENANT_ID }}"
-      run: |-
-        PROVIDER=${{env.CLOUD_PROVIDER}}
-        make tf.show.${PROVIDER}
-
     - name: Apply TF
       shell: bash
       env:

+ 10 - 4
.github/workflows/e2e-managed.yml

@@ -2,6 +2,8 @@ on:
   repository_dispatch:
     types: [ok-to-test-managed-command]
 
+  pull_request:
+
 permissions:
   contents: read
 
@@ -42,20 +44,24 @@ env:
   TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
 
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GITHUB_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
-  CLOUD_PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}
+
+  # TODO: temporarily replace vars for testing in PR
+  GITHUB_PR_NUMBER: "5409"
+  CLOUD_PROVIDER: "gcp"
+  #GITHUB_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
+  #CLOUD_PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}
 
 name: managed e2e tests
 
 jobs:
   run-e2e-managed:
     runs-on: ubuntu-latest
+    # TODO: temporarily disabled to test in PR
+    #if: github.event_name == 'repository_dispatch'
     permissions:
       id-token: write #for oidc auth with aws/gcp/azure
       checks: write   #publish the commit status
       contents: read  #for checkout
-    if: github.event_name == 'repository_dispatch'
-
     steps:
     - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
       with:
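Review bot: The new `pull_request:` trigger together with the commented-out `if: github.event_name == 'repository_dispatch'` gate means this job, which requests `id-token: write` and exports the `TFC_*` cloud secrets, now runs on every same-repo pull request instead of only after a maintainer's `/ok-to-test-managed` command. The TODOs mark this as temporary, but as committed the hard-coded `GITHUB_PR_NUMBER: "5409"` presumably also makes every run test that one PR rather than the one that triggered it. Restore the gate and the `client_payload` expressions before this lands on the default branch; if a PR-triggered path is wanted permanently, limit it to same-repo branches with `if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository` and read the PR number from `github.event.pull_request.number` in that case.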

+ 0 - 1
.github/workflows/ok-to-test-managed.yml

@@ -37,7 +37,6 @@ jobs:
         TOKEN: ${{ steps.generate_token.outputs.token }}
       with:
         token: ${{ env.TOKEN }} # GitHub App installation access token
-        # token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # PAT or OAuth token will also work
         reaction-token: ${{ secrets.GITHUB_TOKEN }}
         issue-type: pull-request
         commands: ok-to-test-managed

+ 23 - 17
Makefile

@@ -72,7 +72,7 @@ FAIL	= (echo ${TIME} ${RED}[FAIL]${CNone} && false)
 # ====================================================================================
 # Conformance
 
-reviewable: generate docs manifests helm.generate helm.schema.update helm.docs lint license.check ## Ensure a PR is ready for review.
+reviewable: generate docs manifests helm.generate helm.schema.update helm.docs lint license.check tf.fmt ## Ensure a PR is ready for review.
 	@go mod tidy
 	@cd e2e/ && go mod tidy
 
@@ -324,26 +324,32 @@ docker.promote: ## Promote the docker image to the registry
 # ====================================================================================
 # Terraform
 
-tf.plan.%: ## Runs terraform plan for a provider
-	@cd $(TF_DIR)/$*; \
-	terraform init; \
-	terraform plan
+define run_terraform
+	@cd $(TF_DIR)/$1/infrastructure && \
+	terraform init && \
+	$2 && \
+	cd ../kubernetes && \
+	terraform init && \
+	$3
+endef
+
+tf.plan.%:
+	$(call run_terraform,$*,terraform plan,terraform plan)
 
-tf.apply.%: ## Runs terraform apply for a provider
-	@cd $(TF_DIR)/$*; \
-	terraform init; \
-	terraform apply -auto-approve
+tf.apply.%:
+	$(call run_terraform,$*,terraform apply -auto-approve,terraform apply -auto-approve)
 
-tf.destroy.%: ## Runs terraform destroy for a provider
-	@cd $(TF_DIR)/$*; \
-	terraform init; \
+tf.destroy.%:
+	@cd $(TF_DIR)/$*/kubernetes && \
+	terraform init && \
+	terraform destroy -auto-approve && \
+	cd ../infrastructure && \
+	terraform init && \
 	terraform destroy -auto-approve
 
-tf.show.%: ## Runs terraform show for a provider and outputs to a file
-	@cd $(TF_DIR)/$*; \
-	terraform init; \
-	terraform plan -out tfplan.binary; \
-	terraform show -json tfplan.binary > plan.json
+tf.fmt:
+	@cd $(TF_DIR) && \
+	terraform fmt -recursive
 
 # ====================================================================================
 # Help
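Review bot: The `## …` help descriptions were dropped from `tf.plan.%`, `tf.apply.%` and `tf.destroy.%` when they were rewritten, and the new `tf.fmt` target has none, so these targets no longer appear in the help listing that the `##` convention used elsewhere in this Makefile presumably feeds; add them back, e.g. `tf.plan.%: ## Runs terraform plan for the infrastructure and kubernetes layers of a provider`. A second caveat on `run_terraform`: it chains the `kubernetes` layer straight after `infrastructure`, so `tf.plan.<provider>` evaluates the kubernetes layer's data sources (cluster, IAM role) against resources a plan never created — that likely only succeeds against an already-applied environment, which is worth a comment on the define.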

+ 10 - 0
terraform/aws/main.tf → terraform/aws/infrastructure/main.tf

@@ -1,3 +1,12 @@
+locals {
+  tags = {
+    Environment = "development"
+    Owner       = "external-secrets"
+    Repository  = "external-secrets"
+    Purpose     = "managed e2e tests"
+  }
+}
+
 module "cluster" {
   source = "./modules/cluster"
 
@@ -5,4 +14,5 @@ module "cluster" {
   cluster_region    = var.AWS_REGION
   irsa_sa_name      = var.AWS_SA_NAME
   irsa_sa_namespace = var.AWS_SA_NAMESPACE
+  tags              = local.tags
 }

+ 55 - 0
terraform/aws/infrastructure/modules/cluster/irsa.tf

@@ -0,0 +1,55 @@
+data "aws_iam_policy_document" "assume-policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:sub"
+
+      values = [
+        "system:serviceaccount:${local.serviceaccount_namespace}:${local.serviceaccount_name}"
+      ]
+    }
+
+    principals {
+      type        = "Federated"
+      identifiers = [module.eks.oidc_provider_arn]
+    }
+  }
+}
+
+# Create the IAM policy document for SSM Parameter Store access
+data "aws_iam_policy_document" "ssm_parameterstore" {
+  statement {
+    actions = [
+      "ssm:GetParameter*",
+      "ssm:PutParameter",
+      "ssm:DescribeParameters",
+      "ssm:DeleteParameter*",
+      "ssm:AddTagsToResource",
+      "ssm:ListTagsForResource",
+      "ssm:RemoveTagsFromResource",
+      "tag:GetResources"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "eso-e2e-irsa" {
+  name               = "eso-e2e-irsa"
+  path               = "/"
+  assume_role_policy = data.aws_iam_policy_document.assume-policy.json
+}
+
+# Attach the AWS managed policy for Secrets Manager
+resource "aws_iam_role_policy_attachment" "secrets_manager" {
+  role       = aws_iam_role.eso-e2e-irsa.name
+  policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+}
+
+# Create and attach the inline policy for SSM Parameter Store
+resource "aws_iam_role_policy" "ssm_parameterstore" {
+  name   = "aws_ssm_parameterstore"
+  role   = aws_iam_role.eso-e2e-irsa.id
+  policy = data.aws_iam_policy_document.ssm_parameterstore.json
+}
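Review bot: The trust policy in `assume-policy` constrains only the `:sub` claim; AWS's IRSA guidance is to also require the `:aud` claim to equal `sts.amazonaws.com`, otherwise a projected service-account token minted for some other audience (the cluster issues tokens for whatever audience a pod requests) can still be exchanged for this role. A second condition block closes that confused-deputy path. The SSM statement also grants `ssm:PutParameter` and `ssm:DeleteParameter*` on `resources = ["*"]` for the whole account; if the e2e suite writes under a fixed parameter prefix, scoping the resource ARN to that prefix would contain a runaway test — the prefix is not visible from here.
```hcl
data "aws_iam_policy_document" "assume-policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    # … unchanged: :sub condition …

    # Only accept tokens minted for STS, not tokens the SA obtained for other audiences.
    condition {
      test     = "StringEquals"
      variable = "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:aud"
      values   = ["sts.amazonaws.com"]
    }
    # … unchanged: principals …
  }
}
```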

+ 89 - 0
terraform/aws/infrastructure/modules/cluster/main.tf

@@ -0,0 +1,89 @@
+
+locals {
+  name            = var.cluster_name
+  cluster_version = "1.33"
+  region          = var.cluster_region
+
+  serviceaccount_name      = var.irsa_sa_name
+  serviceaccount_namespace = var.irsa_sa_namespace
+}
+
+data "aws_caller_identity" "current" {}
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
+
+  name               = local.name
+  kubernetes_version = local.cluster_version
+
+  compute_config = {
+    enabled    = true
+    node_pools = ["general-purpose"]
+  }
+
+  vpc_id                  = module.vpc.vpc_id
+  subnet_ids              = module.vpc.private_subnets
+  endpoint_private_access = true
+  endpoint_public_access  = true
+  enable_irsa             = true
+
+  addons = {
+    coredns = {
+      most_recent = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent = true
+    }
+    eks-pod-identity-agent = {
+      most_recent = true
+    }
+  }
+
+  access_entries = {
+    tf-admin = {
+      principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/admin"
+      policy_associations = {
+        tf-admin = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+}
+
+################################################################################
+# Supporting resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = "10.0.0.0/16"
+
+  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${local.name}" = "shared"
+    "kubernetes.io/role/elb"              = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${local.name}" = "shared"
+    "kubernetes.io/role/internal-elb"     = 1
+  }
+}
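Review bot: `endpoint_public_access = true` is set without `endpoint_public_access_cidrs`, so the EKS API server is reachable from the public internet (the module's default allow-list is `0.0.0.0/0`) with authentication as the only barrier; GitHub-hosted runners have no stable egress address, so this may be deliberate, but it should be stated, e.g. `# public endpoint needed: CI runners have no fixed egress; access is gated by IAM access entries only`. The `access_entries` block also hard-codes `role/admin` in the current account; unless `enable_cluster_creator_admin_permissions` is set (it is not here), the identity that applies this and later runs the `kubernetes` layer gets no cluster access if it is not that exact role, so consider making the principal ARN a variable that defaults to the caller's role.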

+ 44 - 0
terraform/aws/infrastructure/modules/cluster/outputs.tf

@@ -0,0 +1,44 @@
+output "cluster_id" {
+  description = "The ID/name of the EKS cluster"
+  value       = module.eks.cluster_id
+}
+
+output "cluster_arn" {
+  description = "The Amazon Resource Name (ARN) of the cluster"
+  value       = module.eks.cluster_arn
+}
+
+output "cluster_endpoint" {
+  description = "Endpoint for your Kubernetes API server"
+  value       = module.eks.cluster_endpoint
+}
+
+output "cluster_security_group_id" {
+  description = "Cluster security group that was created by Amazon EKS for the cluster"
+  value       = module.eks.cluster_security_group_id
+}
+
+output "cluster_iam_role_name" {
+  description = "IAM role name associated with EKS cluster"
+  value       = module.eks.cluster_iam_role_name
+}
+
+output "cluster_iam_role_arn" {
+  description = "IAM role ARN associated with EKS cluster"
+  value       = module.eks.cluster_iam_role_arn
+}
+
+output "cluster_certificate_authority_data" {
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+  value       = module.eks.cluster_certificate_authority_data
+}
+
+output "oidc_provider_arn" {
+  description = "The ARN of the OIDC Provider if enabled"
+  value       = module.eks.oidc_provider_arn
+}
+
+output "cluster_primary_security_group_id" {
+  description = "Cluster security group that was created by Amazon EKS for the cluster"
+  value       = module.eks.cluster_primary_security_group_id
+}

+ 31 - 0
terraform/aws/infrastructure/modules/cluster/provider.tf

@@ -0,0 +1,31 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.region
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.this.token
+}
+
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks.cluster_name
+}
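Review bot: The `provider "aws"` and `provider "kubernetes"` blocks live inside the `modules/cluster` child module; Terraform treats provider configuration in a child module as legacy — such a module cannot be used with `count`, `for_each` or `depends_on` and cannot be cleanly removed from state. Move `provider "aws"` (with its `default_tags`) to the root `infrastructure` layer, which currently declares only a backend, and keep passing the region through `var.cluster_region`. The `kubernetes` provider and `data "aws_eks_cluster_auth"` appear unused in this module now that the service account is created in `terraform/aws/kubernetes`, so they and the `kubernetes` entry in `required_providers` can likely be dropped.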

+ 5 - 0
terraform/aws/modules/cluster/variables.tf → terraform/aws/infrastructure/modules/cluster/variables.tf

@@ -14,3 +14,8 @@ variable "irsa_sa_namespace" {
 variable "cluster_region" {
   type = string
 }
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}

+ 9 - 0
terraform/aws/infrastructure/provider.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.13"
+
+  backend "s3" {
+    bucket = "eso-tfstate-e2e-managed"
+    key    = "aws-tfstate"
+    region = "eu-central-1"
+  }
+}
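Review bot: The S3 backend sets neither `encrypt = true` nor any state locking (`use_lockfile = true` on Terraform ≥ 1.10, or `dynamodb_table` on older versions), while the Makefile drives it with `terraform apply -auto-approve` from CI; two overlapping workflow runs — more likely now that the workflow also fires on `pull_request` — can write the same state object concurrently. Add `encrypt      = true` and `use_lockfile = true` (or a `dynamodb_table`) to the backend block. If you adopt `use_lockfile`, raise `required_version` from `>= 0.13` to `>= 1.10` so an older binary fails early instead of silently ignoring the lock.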

+ 4 - 4
terraform/aws/variables.tf → terraform/aws/infrastructure/variables.tf

@@ -1,15 +1,15 @@
 variable "AWS_SA_NAME" {
-  type    = string
+  type = string
 }
 
 variable "AWS_SA_NAMESPACE" {
-  type    = string
+  type = string
 }
 
 variable "AWS_REGION" {
-  type    = string
+  type = string
 }
 
 variable "AWS_CLUSTER_NAME" {
-  type    = string
+  type = string
 }

+ 14 - 0
terraform/aws/kubernetes/main.tf

@@ -0,0 +1,14 @@
+// must match IAM Role in infrastructure/modules/cluster 
+data "aws_iam_role" "eso-e2e-irsa" {
+  name = "eso-e2e-irsa"
+}
+
+resource "kubernetes_service_account" "this" {
+  metadata {
+    name      = var.AWS_SA_NAME
+    namespace = AWS_SA_NAMESPACE
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.eso-e2e-irsa.arn
+    }
+  }
+}
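Review bot: Two references in `kubernetes_service_account.this` will not pass `terraform validate`: `namespace = AWS_SA_NAMESPACE` is a bare identifier rather than `var.AWS_SA_NAMESPACE`, and `aws_iam_role.eso-e2e-irsa.arn` names a managed resource this root module never declares — the role is read through `data "aws_iam_role"` above, so the annotation must be `"eks.amazonaws.com/role-arn" = data.aws_iam_role.eso-e2e-irsa.arn`. The `// must match …` comment also carries trailing whitespace. Pinning the role by a duplicated literal name across two root modules is fragile; exporting the role ARN from the infrastructure layer and reading it via `terraform_remote_state` or a variable would remove the duplication.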

+ 31 - 0
terraform/aws/kubernetes/provider.tf

@@ -0,0 +1,31 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.AWS_REGION
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.this.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.this.token
+}
+
+data "aws_eks_cluster_auth" "this" {
+  name = var.AWS_CLUSTER_NAME
+}
+data "aws_eks_cluster" "this" {
+  name = var.AWS_CLUSTER_NAME
+}
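Review bot: This root module has no `backend` block, unlike `infrastructure/provider.tf`, so the state for the service account lives in the ephemeral CI workspace and is discarded after each run; `tf.destroy.%` then finds nothing to destroy in this layer, and a re-run against a still-existing cluster fails with an "already exists" error on the service account. Give the layer its own key in the same bucket, e.g. `backend "s3" { bucket = "eso-tfstate-e2e-managed"  key = "aws-kubernetes-tfstate"  region = "eu-central-1" }`, with the same encryption and locking settings as the infrastructure layer.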

+ 15 - 0
terraform/aws/kubernetes/variables.tf

@@ -0,0 +1,15 @@
+variable "AWS_SA_NAME" {
+  type = string
+}
+
+variable "AWS_SA_NAMESPACE" {
+  type = string
+}
+
+variable "AWS_REGION" {
+  type = string
+}
+
+variable "AWS_CLUSTER_NAME" {
+  type = string
+}

+ 0 - 60
terraform/aws/modules/cluster/auth.tf

@@ -1,60 +0,0 @@
-
-data "aws_eks_cluster_auth" "this" {
-  name = module.eks.cluster_id
-}
-
-data "aws_caller_identity" "current" {}
-
-locals {
-  kubeconfig = yamlencode({
-    apiVersion      = "v1"
-    kind            = "Config"
-    current-context = "terraform"
-    clusters = [{
-      name = module.eks.cluster_id
-      cluster = {
-        certificate-authority-data = module.eks.cluster_certificate_authority_data
-        server                     = module.eks.cluster_endpoint
-      }
-    }]
-    contexts = [{
-      name = "terraform"
-      context = {
-        cluster = module.eks.cluster_id
-        user    = "terraform"
-      }
-    }]
-    users = [{
-      name = "terraform"
-      user = {
-        token = data.aws_eks_cluster_auth.this.token
-      }
-    }]
-  })
-
-  # we have to allow the root account to access the api
-  aws_auth_configmap_yaml = <<-EOT
-  ${chomp(module.eks.aws_auth_configmap_yaml)}
-      - rolearn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/admin
-        username: system:aws:root
-        groups:
-          - system:masters
-  EOT
-}
-
-resource "null_resource" "patch_cm" {
-  triggers = {
-    kubeconfig = base64encode(local.kubeconfig)
-    cmd_patch  = <<-EOT
-      kubectl patch configmap/aws-auth --patch "${local.aws_auth_configmap_yaml}" -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode)
-    EOT
-  }
-
-  provisioner "local-exec" {
-    interpreter = ["/bin/bash", "-c"]
-    environment = {
-      KUBECONFIG = self.triggers.kubeconfig
-    }
-    command = self.triggers.cmd_patch
-  }
-}

+ 0 - 80
terraform/aws/modules/cluster/irsa.tf

@@ -1,80 +0,0 @@
-locals {
-  sa_manifest = <<-EOT
-      apiVersion: v1
-      kind: ServiceAccount
-      metadata:
-        name: ${local.serviceaccount_name}
-        namespace: ${local.serviceaccount_namespace}
-        annotations:
-          eks.amazonaws.com/role-arn: "${aws_iam_role.eso-e2e-irsa.arn}"
-  EOT
-}
-
-data "aws_iam_policy_document" "assume-policy" {
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-    condition {
-      test     = "StringEquals"
-      variable = "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:sub"
-
-      values = [
-        "system:serviceaccount:${local.serviceaccount_namespace}:${local.serviceaccount_name}"
-      ]
-    }
-
-    principals {
-      type        = "Federated"
-      identifiers = [module.eks.oidc_provider_arn]
-    }
-  }
-}
-
-resource "aws_iam_role" "eso-e2e-irsa" {
-  name               = "eso-e2e-irsa"
-  path               = "/"
-  assume_role_policy = data.aws_iam_policy_document.assume-policy.json
-  managed_policy_arns = [
-    "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
-  ]
-
-  inline_policy {
-    name = "aws_ssm_parameterstore"
-
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Action = [
-            "ssm:GetParameter*",
-            "ssm:PutParameter",
-            "ssm:DescribeParameters",
-            "ssm:DeleteParameter*",
-            "ssm:AddTagsToResource",
-            "ssm:ListTagsForResource",
-            "ssm:RemoveTagsFromResource",
-            "tag:GetResources"
-          ]
-          Effect   = "Allow"
-          Resource = "*"
-        },
-      ]
-    })
-  }
-}
-
-resource "null_resource" "apply_sa" {
-  triggers = {
-    kubeconfig = base64encode(local.kubeconfig)
-    cmd_patch  = <<-EOT
-      echo '${local.sa_manifest}' | kubectl --kubeconfig <(echo $KUBECONFIG | base64 --decode) apply -f -
-    EOT
-  }
-
-  provisioner "local-exec" {
-    interpreter = ["/bin/bash", "-c"]
-    environment = {
-      KUBECONFIG = self.triggers.kubeconfig
-    }
-    command = self.triggers.cmd_patch
-  }
-}

+ 0 - 145
terraform/aws/modules/cluster/main.tf

@@ -1,145 +0,0 @@
-provider "aws" {
-  region = local.region
-}
-
-locals {
-  name            = var.cluster_name
-  cluster_version = "1.27"
-  region          = var.cluster_region
-
-  serviceaccount_name      = var.irsa_sa_name
-  serviceaccount_namespace = var.irsa_sa_namespace
-
-  tags = {
-    Example    = local.name
-    GithubRepo = "external-secrets"
-    GithubOrg  = "external-secrets"
-  }
-}
-
-module "eks" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks?ref=v18.2.0"
-
-  cluster_name                    = local.name
-  cluster_version                 = local.cluster_version
-  cluster_endpoint_private_access = true
-  cluster_endpoint_public_access  = true
-
-  cluster_addons = {
-    coredns = {
-      resolve_conflicts = "OVERWRITE"
-    }
-    kube-proxy = {}
-    vpc-cni = {
-      resolve_conflicts = "OVERWRITE"
-    }
-
-  }
-
-  vpc_id      = module.vpc.vpc_id
-  subnet_ids  = module.vpc.private_subnets
-  enable_irsa = true
-
-  # EKS Managed Node Group(s)
-  eks_managed_node_group_defaults = {
-    ami_type               = "AL2_x86_64"
-    disk_size              = 50
-    instance_types         = ["t3.large"]
-    vpc_security_group_ids = [aws_security_group.additional.id]
-  }
-
-
-  eks_managed_node_groups = {
-    example = {
-      desired_size = 2
-
-      instance_types = ["t3.large"]
-      tags           = local.tags
-
-    }
-  }
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting resources
-################################################################################
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.14"
-
-  name = local.name
-  cidr = "10.0.0.0/16"
-
-  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-
-  enable_nat_gateway   = true
-  single_nat_gateway   = true
-  enable_dns_hostnames = true
-
-  enable_flow_log                      = false
-  create_flow_log_cloudwatch_iam_role  = false
-  create_flow_log_cloudwatch_log_group = false
-
-  public_subnet_tags = {
-    "kubernetes.io/cluster/${local.name}" = "shared"
-    "kubernetes.io/role/elb"              = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/cluster/${local.name}" = "shared"
-    "kubernetes.io/role/internal-elb"     = 1
-  }
-
-  tags = local.tags
-}
-
-resource "aws_security_group" "additional" {
-  name_prefix = "${local.name}-additional"
-  vpc_id      = module.vpc.vpc_id
-
-  ingress {
-    from_port = 22
-    to_port   = 22
-    protocol  = "tcp"
-    cidr_blocks = [
-      "10.0.0.0/8",
-      "172.16.0.0/12",
-      "192.168.0.0/16",
-    ]
-  }
-
-  # allow control-plane to access webhook
-  ingress {
-    from_port        = 9443
-    to_port          = 9443
-    protocol         = "tcp"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = ["::/0"]
-  }
-
-  ingress {
-    from_port        = 443
-    to_port          = 443
-    protocol         = "tcp"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = ["::/0"]
-  }
-
-
-  # 443, 53, 123 is already allowed
-  egress {
-    from_port        = 80
-    to_port          = 80
-    protocol         = "tcp"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = ["::/0"]
-  }
-
-
-  tags = local.tags
-}

+ 0 - 0
terraform/aws/modules/cluster/outputs.tf


+ 0 - 10
terraform/aws/modules/cluster/provider.tf

@@ -1,10 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 3.0"
-    }
-  }
-}

+ 0 - 0
terraform/aws/outputs.tf


+ 0 - 24
terraform/aws/provider.tf

@@ -1,24 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-
-  backend "s3" {
-    bucket = "eso-tfstate-e2e-managed"
-    key    = "aws-tfstate"
-    region = "eu-central-1"
-  }
-
-  required_providers {}
-}
-
-provider "aws" {
-  region = "eu-central-1"
-
-  default_tags {
-    tags = {
-      Environment = "development"
-      Owner       = "external-secrets"
-      Repository  = "external-secrets"
-      Purpose     = "managed e2e tests"
-    }
-  }
-}

+ 6 - 0
terraform/azure/aks/main.tf → terraform/azure/infrastructure/aks/main.tf

@@ -12,6 +12,12 @@ resource "azurerm_kubernetes_cluster" "current" {
     name       = var.default_node_pool_name
     node_count = var.default_node_pool_node_count
     vm_size    = var.default_node_pool_vm_size
+
+    upgrade_settings {
+      drain_timeout_in_minutes      = 10
+      max_surge                     = "33%"
+      node_soak_duration_in_minutes = 10
+    }
   }
 
   identity {

+ 0 - 0
terraform/azure/aks/output.tf → terraform/azure/infrastructure/aks/output.tf


+ 0 - 1
terraform/azure/aks/variables.tf → terraform/azure/infrastructure/aks/variables.tf

@@ -39,7 +39,6 @@ variable "default_node_pool_node_count" {
 variable "default_node_pool_vm_size" {
   type        = string
   description = " The SKU which should be used for the Virtual Machines used in this Node Pool"
-
 }
 
 variable "cluster_tags" {

+ 0 - 0
terraform/azure/key-vault/main.tf → terraform/azure/infrastructure/key-vault/main.tf


+ 0 - 0
terraform/azure/key-vault/output.tf → terraform/azure/infrastructure/key-vault/output.tf


+ 0 - 0
terraform/azure/key-vault/variables.tf → terraform/azure/infrastructure/key-vault/variables.tf


+ 9 - 50
terraform/azure/main.tf → terraform/azure/infrastructure/main.tf

@@ -2,15 +2,19 @@ data "azurerm_client_config" "current" {}
 
 data "azurerm_subscription" "primary" {}
 
+locals {
+  resource_group_name = "external-secrets-e2e"
+}
+
 resource "azurerm_resource_group" "current" {
-  name     = var.resource_group_name
+  name     = local.resource_group_name
   location = var.resource_group_location
 }
 
 module "test_sp" {
   source = "./service-principal"
 
-  application_display_name = var.application_display_name
+  application_display_name = "managed-e2e-suite-external-secrets-operator"
   application_owners       = [data.azurerm_client_config.current.object_id]
   issuer                   = module.test_aks.cluster_issuer_url
   subject                  = "system:serviceaccount:${var.sa_namespace}:${var.sa_name}"
@@ -23,7 +27,7 @@ module "test_sp" {
 module "e2e_sp" {
   source = "./service-principal"
 
-  application_display_name = var.application_display_name
+  application_display_name = "managed-e2e-suite-external-secrets-e2e"
   application_owners       = [data.azurerm_client_config.current.object_id]
   issuer                   = module.test_aks.cluster_issuer_url
   subject                  = "system:serviceaccount:default:external-secrets-e2e"
@@ -34,7 +38,7 @@ module "test_key_vault" {
 
   key_vault_display_name  = var.key_vault_display_name
   resource_group_location = var.resource_group_location
-  resource_group_name     = var.resource_group_name
+  resource_group_name     = local.resource_group_name
   tenant_id               = data.azurerm_client_config.current.tenant_id
   client_object_id        = data.azurerm_client_config.current.object_id
   eso_sp_object_id        = module.test_sp.sp_object_id
@@ -45,19 +49,12 @@ module "test_key_vault" {
   ]
 }
 
-module "test_workload_identity" {
-  source = "./workload-identity"
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  tags      = var.cluster_tags
-
-}
 
 module "test_aks" {
   source = "./aks"
 
   cluster_name                 = var.cluster_name
-  resource_group_name          = var.resource_group_name
+  resource_group_name          = local.resource_group_name
   resource_group_location      = var.resource_group_location
   default_node_pool_node_count = var.default_node_pool_node_count
   default_node_pool_vm_size    = var.default_node_pool_vm_size
@@ -77,41 +74,3 @@ resource "azurerm_role_assignment" "current" {
     azurerm_resource_group.current
   ]
 }
-
-resource "kubernetes_namespace" "eso" {
-  metadata {
-    name = "external-secrets-operator"
-  }
-}
-
-// the `e2e` pod itself runs with workload identity and
-// does not rely on client credentials.
-resource "kubernetes_service_account" "e2e" {
-  metadata {
-    name      = "external-secrets-e2e"
-    namespace = "default"
-    annotations = {
-      "azure.workload.identity/client-id" = module.e2e_sp.application_id
-      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
-    }
-    labels = {
-      "azure.workload.identity/use" = "true"
-    }
-  }
-  depends_on = [module.test_aks, kubernetes_namespace.eso]
-}
-
-resource "kubernetes_service_account" "current" {
-  metadata {
-    name      = "external-secrets-operator"
-    namespace = "external-secrets-operator"
-    annotations = {
-      "azure.workload.identity/client-id" = module.test_sp.application_id
-      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
-    }
-    labels = {
-      "azure.workload.identity/use" = "true"
-    }
-  }
-  depends_on = [module.test_aks, kubernetes_namespace.eso]
-}
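Review bot: The two display names introduced here (`managed-e2e-suite-external-secrets-operator` and `managed-e2e-suite-external-secrets-e2e`) are the only handle the new `terraform/azure/kubernetes` layer has to find the applications — it looks them up with `data "azuread_application" { display_name = … }`. Display names are not unique in Entra ID, so that lookup fails if a second app with the same name exists, and otherwise the service-account annotation binds to whichever app the tenant returns rather than to the one this layer created. The `service-principal` module already exports `client_id`; surfacing it as a root output and reading it via `terraform_remote_state` (or a variable) in the kubernetes layer keeps the join by identifier.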

+ 26 - 0
terraform/azure/infrastructure/providers.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 3.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  # set this to false when running locally
+  use_oidc = false
+}
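Review bot: The comment `# set this to false when running locally` sits above `use_oidc = false`, so the committed value is already the local-only setting; in CI, where the action logs in with a federated token (`tenant-id`/`subscription-id` in the e2e action), azurerm with OIDC disabled and no client secret falls back to Azure CLI authentication, which only works because `azure/login` ran first. Either set `use_oidc = true` and let the `ARM_*` variables the Apply step presumably still exports drive it, or keep the CLI path and fix the comment: `# CI authenticates through the Azure CLI session created by azure/login; OIDC is not used by the provider directly`. The `helm` provider is declared in `required_providers` but nothing visible in this layer uses it — if that holds for the rest of the layer, drop it.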

+ 6 - 6
terraform/azure/service-principal/main.tf → terraform/azure/infrastructure/service-principal/main.tf

@@ -4,7 +4,7 @@ resource "azuread_application" "current" {
 }
 
 resource "azuread_service_principal" "current" {
-  application_id               = azuread_application.current.application_id
+  client_id                    = azuread_application.current.client_id
   app_role_assignment_required = false
   owners                       = var.application_owners
   feature_tags {
@@ -18,9 +18,9 @@ resource "azuread_service_principal_password" "current" {
 }
 
 resource "azuread_application_federated_identity_credential" "example" {
-  application_object_id = azuread_application.current.object_id
-  display_name          = var.application_display_name
-  audiences             = var.audiences
-  issuer                = var.issuer
-  subject               = var.subject
+  application_id = "/applications/${azuread_application.current.object_id}"
+  display_name   = var.application_display_name
+  audiences      = var.audiences
+  issuer         = var.issuer
+  subject        = var.subject
 }

+ 2 - 2
terraform/azure/service-principal/output.tf → terraform/azure/infrastructure/service-principal/output.tf

@@ -1,5 +1,5 @@
-output "application_id" {
-  value = azuread_application.current.application_id
+output "client_id" {
+  value = azuread_application.current.client_id
 }
 output "sp_id" {
   value = azuread_service_principal.current.id

+ 0 - 0
terraform/azure/service-principal/variables.tf → terraform/azure/infrastructure/service-principal/variables.tf


+ 0 - 5
terraform/azure/variables.tf → terraform/azure/infrastructure/variables.tf

@@ -15,11 +15,6 @@ variable "resource_group_location" {
   description = "The Azure Region where the Resource Group should exist"
   default     = "westeurope"
 }
-variable "application_display_name" {
-  type        = string
-  description = "Metadata name to use."
-  default     = "external-secrets-operator"
-}
 
 variable "dns_prefix" {
   type        = string

+ 47 - 0
terraform/azure/kubernetes/main.tf

@@ -0,0 +1,47 @@
+resource "kubernetes_namespace" "eso" {
+  metadata {
+    name = "external-secrets-operator"
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+data "azuread_application" "eso" {
+  display_name = "managed-e2e-suite-external-secrets-operator"
+}
+
+data "azuread_application" "e2e" {
+  display_name = "managed-e2e-suite-external-secrets-e2e"
+}
+
+// the `e2e` pod itself runs with workload identity and
+// does not rely on client credentials.
+resource "kubernetes_service_account" "e2e" {
+  metadata {
+    name      = "external-secrets-e2e"
+    namespace = "default"
+    annotations = {
+      "azure.workload.identity/client-id" = data.azuread_application.e2e.client_id
+      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
+    }
+    labels = {
+      "azure.workload.identity/use" = "true"
+    }
+  }
+  depends_on = [kubernetes_namespace.eso]
+}
+
+resource "kubernetes_service_account" "current" {
+  metadata {
+    name      = "external-secrets-operator"
+    namespace = "external-secrets-operator"
+    annotations = {
+      "azure.workload.identity/client-id" = data.azuread_application.eso.client_id
+      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
+    }
+    labels = {
+      "azure.workload.identity/use" = "true"
+    }
+  }
+  depends_on = [kubernetes_namespace.eso]
+}
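Review bot: Both `azuread_application` data sources resolve the identity the pods will assume by `display_name`, which is mutable and not unique, so the `azure.workload.identity/client-id` annotation on each service account is bound to whichever registration currently carries that name rather than to the one the infrastructure stage created. The service-principal module now exports `client_id`; threading it through variables (`var.eso_client_id`, `var.e2e_client_id`) and writing `"azure.workload.identity/client-id" = var.eso_client_id` removes the name lookup and its ambiguity entirely. Separately, the `e2e` service account lives in `default`, so its `depends_on = [kubernetes_namespace.eso]` does nothing and can be dropped.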

+ 49 - 0
terraform/azure/kubernetes/provider.tf

@@ -0,0 +1,49 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+
+provider "azurerm" {
+  features {}
+  subscription_id = "9cb8d43c-2ed5-40e7-aec8-76a177c32c15"
+}
+
+
+data "azurerm_kubernetes_cluster" "this" {
+  name                = var.cluster_name
+  resource_group_name = "external-secrets-e2e"
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = data.azurerm_kubernetes_cluster.this.kube_config[0].host
+    username               = data.azurerm_kubernetes_cluster.this.kube_config[0].username
+    password               = data.azurerm_kubernetes_cluster.this.kube_config[0].password
+    client_certificate     = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_certificate)
+    client_key             = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_key)
+    cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].cluster_ca_certificate)
+  }
+}
+provider "kubernetes" {
+  host                   = data.azurerm_kubernetes_cluster.this.kube_config[0].host
+  username               = data.azurerm_kubernetes_cluster.this.kube_config[0].username
+  password               = data.azurerm_kubernetes_cluster.this.kube_config[0].password
+  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_certificate)
+  client_key             = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_key)
+  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].cluster_ca_certificate)
+}
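Review bot: `required_providers` declares `aws` but neither `azurerm` nor `azuread`, although this stack configures `provider "azurerm"`, reads `azurerm_kubernetes_cluster` here and `azuread_application` in main.tf; Terraform will resolve both implicitly from `hashicorp/*` without any version constraint, so the helm and kubernetes pins sit next to unpinned Azure providers. The `aws` entry looks like a leftover from the AWS stack and should go. The subscription id and `resource_group_name = "external-secrets-e2e"` are literals as well; a `var.resource_group_name` next to `var.cluster_name` would keep the cluster coordinates in one place.

```hcl
terraform {
  required_version = ">= 0.13"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    # … unchanged: kubernetes and helm entries …
  }
}
```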

+ 5 - 0
terraform/azure/kubernetes/variables.tf

@@ -0,0 +1,5 @@
+variable "cluster_name" {
+  type        = string
+  description = "The name of the Managed Kubernetes Cluster to create"
+  default     = "eso-cluster"
+}
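Review bot: The description says the cluster is one "to create", but this stack only reads it through the `azurerm_kubernetes_cluster` data source in provider.tf; suggest `description = "Name of the existing AKS cluster (created by ../infrastructure) that this stack configures"` so the ordering between the two stacks is visible from the variable itself.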

+ 4 - 5
terraform/azure/workload-identity/main.tf → terraform/azure/kubernetes/workload_identity.tf

@@ -3,8 +3,7 @@ resource "kubernetes_namespace" "azure-workload-identity-system" {
     annotations = {
       name = "azure-workload-identity-system"
     }
-    name   = "azure-workload-identity-system"
-    labels = var.tags
+    name = "azure-workload-identity-system"
   }
 }
 
@@ -16,8 +15,8 @@ resource "helm_release" "azure-workload-identity-system" {
   wait       = true
   depends_on = [kubernetes_namespace.azure-workload-identity-system]
 
-  set {
+  set = [{
     name  = "azureTenantID"
-    value = var.tenant_id
-  }
+    value = data.azurerm_client_config.current.tenant_id
+  }]
 }

+ 0 - 35
terraform/azure/providers.tf

@@ -1,35 +0,0 @@
-terraform {
-  required_providers {
-    azuread = {
-      source = "hashicorp/azuread"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-  # set this to false when running locally
-  use_oidc = true 
-}
-
-data "azurerm_kubernetes_cluster" "default" {
-  depends_on          = [module.test_aks] # refresh cluster state before reading
-  name                = var.cluster_name
-  resource_group_name = var.resource_group_name
-}
-
-provider "helm" {
-  kubernetes {
-    host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
-    client_certificate     = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
-    client_key             = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
-    cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
-  }
-}
-
-provider "kubernetes" {
-  host                   = data.azurerm_kubernetes_cluster.default.kube_config.0.host
-  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
-  client_key             = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
-  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
-}

+ 0 - 7
terraform/azure/workload-identity/variables.tf

@@ -1,7 +0,0 @@
-variable "tags" {
-  type = map(string)
-}
-variable "tenant_id" {
-  type        = string
-  description = "Azure Tenant ID"
-}

+ 0 - 80
terraform/gcp/eso_gcp_modules/gke/main.tf

@@ -1,80 +0,0 @@
-resource "google_service_account" "default" {
-  project    = var.project_id
-  account_id = var.GCP_GSA_NAME
-}
-
-resource "google_project_iam_member" "secretadmin" {
-  project = var.project_id
-  role    = "roles/secretmanager.admin"
-  member  = "serviceAccount:${google_service_account.default.email}"
-}
-
-resource "google_project_iam_member" "service_account_token_creator" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountTokenCreator"
-  member  = "serviceAccount:${google_service_account.default.email}"
-}
-
-resource "google_service_account_iam_member" "pod_identity" {
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/${var.GCP_KSA_NAME}]"
-  service_account_id = google_service_account.default.name
-}
-
-resource "google_service_account_iam_member" "pod_identity_e2e" {
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/external-secrets-e2e]"
-  service_account_id = google_service_account.default.name
-}
-
-resource "google_container_cluster" "primary" {
-  project                  = var.project_id
-  name                     = "${var.env}-cluster"
-  location                 = var.zone
-  remove_default_node_pool = true
-  initial_node_count       = var.initial_node_count
-  network                  = var.network
-  subnetwork               = var.subnetwork
-  deletion_protection      = false
-  ip_allocation_policy {}
-  workload_identity_config {
-    workload_pool = "${var.project_id}.svc.id.goog"
-  }
-  resource_labels = {
-    "example" = "value"
-  }
-}
-
-resource "google_container_node_pool" "nodes" {
-  project    = var.project_id
-  name       = "${google_container_cluster.primary.name}-node-pool"
-  location   = google_container_cluster.primary.location
-  cluster    = google_container_cluster.primary.name
-  node_count = var.node_count
-
-  node_config {
-    preemptible     = var.preemptible
-    machine_type    = "n1-standard-2"
-    service_account = google_service_account.default.email
-    oauth_scopes = [
-      "https://www.googleapis.com/auth/cloud-platform"
-    ]
-  }
-}
-
-provider "kubernetes" {
-  host                   = "https://${google_container_cluster.primary.endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
-}
-
-data "google_client_config" "default" {}
-
-resource "kubernetes_service_account" "test" {
-  metadata {
-    name = var.GCP_KSA_NAME
-    annotations = {
-      "iam.gke.io/gcp-service-account" : "${var.GCP_GSA_NAME}@${var.project_id}.iam.gserviceaccount.com"
-    }
-  }
-}

+ 0 - 48
terraform/gcp/eso_gcp_modules/gke/variable.tf

@@ -1,48 +0,0 @@
-variable "project_id" {
-  default = "my-project-1475718618821"
-}
-variable "env" {
-  default = "dev"
-}
-variable "region" {
-  default = "europe-west1"
-}
-variable "zone" {
-  default = "europe-west1-b"
-}
-variable "zones" {
-  default = ["europe-west1-a", "europe-west1-b", "europe-west1-c"]
-}
-variable "network" {
-  default = "dev-vpc"
-}
-variable "subnetwork" {
-  default = "dev-subnetwork"
-}
-variable "ip_pod_range" {
-  default = "dev-pod-ip-range"
-}
-variable "ip_service_range" {
-  default = "dev-service-ip-range"
-}
-variable "horizontal_pod_autoscaling" {
-  default = false
-}
-variable "node_count" {
-  default = 2
-}
-variable "node_min_count" {
-  default = 2
-}
-variable "node_max_count" {
-  default = 2
-}
-variable "initial_node_count" {
-  default = 2
-}
-variable "preemptible" {
-  default = true
-}
-
-variable "GCP_GSA_NAME" {type = string}
-variable "GCP_KSA_NAME" {type = string}

+ 0 - 29
terraform/gcp/eso_gcp_modules/network/main.tf

@@ -1,29 +0,0 @@
-resource "google_compute_network" "env-vpc" {
-  project                 = var.project_id
-  name                    = "${var.env}-vpc"
-  auto_create_subnetworks = false
-}
-
-resource "google_compute_subnetwork" "env-subnet" {
-  project       = var.project_id
-  name          = "${google_compute_network.env-vpc.name}-subnet"
-  region        = var.region
-  network       = google_compute_network.env-vpc.name
-  ip_cidr_range = "10.10.0.0/24"
-}
-
-output "vpc-name" {
-  value = google_compute_network.env-vpc.name
-}
-output "vpc-id" {
-  value = google_compute_network.env-vpc.id
-}
-output "vpc-object" {
-  value = google_compute_network.env-vpc.self_link
-}
-output "subnet-name" {
-  value = google_compute_subnetwork.env-subnet.name
-}
-output "subnet-ip_cidr_range" {
-  value = google_compute_subnetwork.env-subnet.ip_cidr_range
-}

+ 0 - 18
terraform/gcp/eso_gcp_modules/network/variable.tf

@@ -1,18 +0,0 @@
-variable "env" {
-  default = "dev"
-}
-variable "ip_cidr_range" {
-  default = "10.69.0.0/16"
-}
-variable "ip_pod_range" {
-  default = "10.70.0.0/16"
-}
-variable "ip_service_range" {
-  default = "10.71.0.0/16"
-}
-variable "region" {
-  default = "europe-west1"
-}
-variable "project_id" {
-  type = string
-}

+ 20 - 0
terraform/gcp/infrastructure/main.tf

@@ -0,0 +1,20 @@
+locals {
+  credentials_path = "secrets/gcloud-service-account-key.json"
+  region           = "europe-west1"
+}
+
+module "network" {
+  source     = "./modules/network"
+  region     = local.region
+  project_id = var.GCP_PROJECT_ID
+}
+
+module "cluster" {
+  source       = "./modules/gke"
+  project_id   = var.GCP_PROJECT_ID
+  region       = local.region
+  network      = module.network.network_name
+  subnetwork   = module.network.subnetwork_name
+  GCP_GSA_NAME = var.GCP_GSA_NAME
+  GCP_KSA_NAME = var.GCP_KSA_NAME
+}
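Review bot: `local.credentials_path` is never referenced: provider.tf hard-codes the key location three times and with a different relative path (`../secrets/gcloud-service-account-key.json` versus `secrets/...` here), so the two can drift without anyone noticing. Either drop the local or make provider.tf consume it for the two provider blocks, `credentials = file(local.credentials_path)`; the `backend "gcs"` block cannot take an expression, so that one path stays a literal and deserves a comment saying so. `local.region` has the same problem with the `region`/`zone` literals in the provider blocks.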

+ 43 - 0
terraform/gcp/infrastructure/modules/gke/main.tf

@@ -0,0 +1,43 @@
+resource "google_service_account" "default" {
+  project    = var.project_id
+  account_id = var.GCP_GSA_NAME
+}
+
+resource "google_project_iam_member" "secretadmin" {
+  project = var.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "serviceAccount:${google_service_account.default.email}"
+}
+
+resource "google_project_iam_member" "service_account_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.default.email}"
+}
+
+resource "google_service_account_iam_member" "pod_identity" {
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/${var.GCP_KSA_NAME}]"
+  service_account_id = google_service_account.default.name
+}
+
+resource "google_service_account_iam_member" "pod_identity_e2e" {
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/external-secrets-e2e]"
+  service_account_id = google_service_account.default.name
+}
+
+resource "google_container_cluster" "primary" {
+  project            = var.project_id
+  name               = "e2e"
+  initial_node_count = 1
+  network            = var.network
+  subnetwork         = var.subnetwork
+  location           = var.region
+
+  ip_allocation_policy {}
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+}
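Review bot: The cluster is created at `location = var.region`, which the root passes as `europe-west1`, so this is a regional cluster, while terraform/gcp/kubernetes/provider.tf looks it up with the zonal `location = "europe-west1-b"` despite its comment that it must match; that data source will not find the cluster. Pick one side: pass a zone into this module, or change the lookup to `location = "europe-west1"`. The default node pool is also kept with no `node_config`, so the nodes presumably run under the project's default Compute Engine service account; the removed version attached an explicit account, and a `node_config { service_account = ... }` pointing at a separate, least-privilege node account (not `google_service_account.default`, which holds `roles/secretmanager.admin`) would keep node credentials and the workload-identity credentials apart.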
+

+ 18 - 0
terraform/gcp/infrastructure/modules/gke/variable.tf

@@ -0,0 +1,18 @@
+variable "project_id" {
+  type = string
+}
+variable "region" {
+  type = string
+}
+variable "network" {
+  type = string
+}
+variable "subnetwork" {
+  type = string
+}
+variable "GCP_GSA_NAME" {
+  type = string
+}
+variable "GCP_KSA_NAME" {
+  type = string
+}
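Review bot: None of the six variables carries a `description`, and the same holds for modules/network/variable.tf, infrastructure/variable.tf and kubernetes/variables.tf. `GCP_GSA_NAME` and `GCP_KSA_NAME` are the two ends of the workload-identity binding in main.tf and deserve a sentence each, e.g. `description = "Google service account that the Kubernetes service account GCP_KSA_NAME impersonates via Workload Identity"`.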

+ 14 - 0
terraform/gcp/infrastructure/modules/network/main.tf

@@ -0,0 +1,14 @@
+resource "google_compute_network" "vpc" {
+  project                 = var.project_id
+  name                    = "e2e"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnet" {
+  project       = var.project_id
+  name          = "${google_compute_network.vpc.name}-subnet"
+  region        = var.region
+  network       = google_compute_network.vpc.name
+  ip_cidr_range = "10.10.0.0/24"
+}
+

+ 7 - 0
terraform/gcp/infrastructure/modules/network/output.tf

@@ -0,0 +1,7 @@
+output "network_name" {
+  value = google_compute_network.vpc.name
+}
+
+output "subnetwork_name" {
+  value = google_compute_subnetwork.subnet.name
+}

+ 6 - 0
terraform/gcp/infrastructure/modules/network/variable.tf

@@ -0,0 +1,6 @@
+variable "region" {
+  type = string
+}
+variable "project_id" {
+  type = string
+}

+ 35 - 0
terraform/gcp/infrastructure/provider.tf

@@ -0,0 +1,35 @@
+terraform {
+  backend "gcs" {
+    bucket      = "eso-infra-state"
+    prefix      = "eso-infra-state/state"
+    # TODO above bucket/prefix configuration is valid for the old account
+    # the new account w/ identity federation should use the below bucket.
+    #bucket      = "eso-e2e-tfstate"
+    credentials = "../secrets/gcloud-service-account-key.json"
+  }
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 3.5"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 3.5"
+    }
+  }
+}
+
+provider "google" {
+  project     = "external-secrets-operator"
+  region      = "europe-west1"
+  zone        = "europe-west1-b"
+  credentials = file("../secrets/gcloud-service-account-key.json")
+}
+
+provider "google-beta" {
+  project     = "external-secrets-operator"
+  region      = "europe-west1"
+  zone        = "europe-west1-b"
+  credentials = file("../secrets/gcloud-service-account-key.json")
+}
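Review bot: `project` is the literal `external-secrets-operator` in both provider blocks while every module receives `var.GCP_PROJECT_ID`; if the variable is ever set to another project, the providers' default and the resources' explicit project diverge silently. `project = var.GCP_PROJECT_ID` in both blocks keeps one source of truth, and terraform/gcp/kubernetes/provider.tf repeats the same pair of blocks and should follow. Provider auth and the `gcs` backend both read a long-lived service-account key from `../secrets/`; the TODO already points at identity federation, and until that lands a comment stating that the key file is generated locally and never committed would make the expectation explicit. The `~> 3.5` constraint on `google` also looks quite dated for a "brush off the dust" change; worth confirming it is intentional.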

+ 9 - 0
terraform/gcp/infrastructure/variable.tf

@@ -0,0 +1,9 @@
+variable "GCP_PROJECT_ID" {
+  type = string
+}
+variable "GCP_GSA_NAME" {
+  type = string
+}
+variable "GCP_KSA_NAME" {
+  type = string
+}

+ 8 - 0
terraform/gcp/kubernetes/main.tf

@@ -0,0 +1,8 @@
+resource "kubernetes_service_account" "test" {
+  metadata {
+    name = var.GCP_KSA_NAME
+    annotations = {
+      "iam.gke.io/gcp-service-account" : "${var.GCP_GSA_NAME}@${var.GCP_PROJECT_ID}.iam.gserviceaccount.com"
+    }
+  }
+}
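Review bot: The service account has no `namespace`, so it lands in `default` implicitly, which is exactly what the `roles/iam.workloadIdentityUser` binding in modules/gke/main.tf expects (`[default/${var.GCP_KSA_NAME}]`); making that explicit with `namespace = "default"` documents the coupling, since the binding silently stops matching if the account ever moves. The resource label `test` could also be renamed to something descriptive such as `workload_identity`.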

+ 42 - 0
terraform/gcp/kubernetes/provider.tf

@@ -0,0 +1,42 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 3.5"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 3.5"
+    }
+  }
+}
+
+provider "google" {
+  project     = "external-secrets-operator"
+  region      = "europe-west1"
+  zone        = "europe-west1-b"
+  credentials = file("../secrets/gcloud-service-account-key.json")
+}
+
+provider "google-beta" {
+  project     = "external-secrets-operator"
+  region      = "europe-west1"
+  zone        = "europe-west1-b"
+  credentials = file("../secrets/gcloud-service-account-key.json")
+}
+
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  host                   = "https://${data.google_container_cluster.this.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(data.google_container_cluster.this.master_auth.0.cluster_ca_certificate)
+}
+
+
+data "google_container_cluster" "this" {
+  project  = var.GCP_PROJECT_ID
+  location = "europe-west1-b" # must match ../infrastructure
+  name     = "e2e"
+}
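Review bot: `required_providers` lists only `google` and `google-beta` although this stack configures `provider "kubernetes"`, so the kubernetes provider is resolved implicitly and unpinned, unlike the Azure counterpart in this commit which pins `~> 2.0`; adding `kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.0" }` keeps both stacks on the same line. `google-beta` is declared and configured but nothing in this stack uses it, so it can be dropped. The `location` literal on the data source is discussed at modules/gke/main.tf.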

+ 9 - 0
terraform/gcp/kubernetes/variables.tf

@@ -0,0 +1,9 @@
+variable "GCP_PROJECT_ID" {
+  type = string
+}
+variable "GCP_GSA_NAME" {
+  type = string
+}
+variable "GCP_KSA_NAME" {
+  type = string
+}

+ 0 - 29
terraform/gcp/main.tf

@@ -1,29 +0,0 @@
-terraform {
-  backend "gcs" {
-    bucket      = "eso-infra-state"
-    prefix      = "eso-infra-state/state"
-    credentials = "secrets/gcloud-service-account-key.json"
-  }
-}
-
-module "test-network" {
-  source        = "./eso_gcp_modules/network"
-  env           = var.env
-  region        = var.region
-  ip_cidr_range = var.ip_cidr_range
-  project_id    = var.GCP_PROJECT_ID
-}
-
-module "test-cluster" {
-  source             = "./eso_gcp_modules/gke"
-  project_id         = var.GCP_PROJECT_ID
-  env                = var.env
-  region             = var.region
-  network            = module.test-network.vpc-object
-  subnetwork         = module.test-network.subnet-name
-  node_count         = var.node_count
-  initial_node_count = var.initial_node_count
-  preemptible        = true
-  GCP_GSA_NAME       = var.GCP_GSA_NAME
-  GCP_KSA_NAME       = var.GCP_KSA_NAME
-}

+ 0 - 13
terraform/gcp/provider.tf

@@ -1,13 +0,0 @@
-provider "google" {
-  project = "external-secrets-operator"
-  region = "europe-west1"
-  zone = "europe-west1-b"
-  credentials = file(var.credentials_path)
-}
-
-provider "google-beta" {
-  project = "external-secrets-operator"
-  region = "europe-west1"
-  zone = "europe-west1-b"
-  credentials = file(var.credentials_path)
-}

+ 0 - 3
terraform/gcp/provider_variables.tf

@@ -1,3 +0,0 @@
-variable "credentials_path" {
-  default = "secrets/gcloud-service-account-key.json"
-}

+ 0 - 16
terraform/gcp/variable.tf

@@ -1,16 +0,0 @@
-variable "env" { default = "test" }
-variable "region" { default = "europe-west1" }
-variable "zone" { default = "europe-west1-b" }
-variable "horizontal_pod_autoscaling" { default = false }
-variable "node_count" { default = 2 }
-variable "node_min_count" { default = 2 }
-variable "node_max_count" { default = 2 }
-variable "initial_node_count" { default = 2 }
-variable "max_scale" { default = "10" }
-variable "ip_cidr_range" { default = "10.69.0.0/16" }
-variable "ip-pod-range" { default = "10.70.0.0/16" }
-variable "ip_service_range" { default = "10.71.0.0/16" }
-variable "preemptible" { default = true }
-variable "GCP_PROJECT_ID" {type = string}
-variable "GCP_GSA_NAME" {type = string}
-variable "GCP_KSA_NAME" {type = string}