Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: dda7b4c168
Branches Tags
helm-externa...
/
terraform
/
aws
/
modules
/
cluster
/
irsa.tf

irsa.tf 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. locals {
    2. 

  2.   sa_manifest = <<-EOT
    3. 

  3.       apiVersion: v1
    4. 

  4.       kind: ServiceAccount
    5. 

  5.       metadata:
    6. 

  6.         name: ${local.serviceaccount_name}
    7. 

  7.         namespace: ${local.serviceaccount_namespace}
    8. 

  8.         annotations:
    9. 

  9.           eks.amazonaws.com/role-arn: "${aws_iam_role.eso-e2e-irsa.arn}"
    10. 

  10.   EOT
    11. 

  11. }
    12. 

  12. 

  13. data "aws_iam_policy_document" "assume-policy" {
    14. 

  14.   statement {
    15. 

  15.     actions = ["sts:AssumeRoleWithWebIdentity"]
    16. 

  16.     condition {
    17. 

  17.       test     = "StringEquals"
    18. 

  18.       variable = "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:sub"
    19. 

  19. 

  20.       values = [
    21. 

  21.         "system:serviceaccount:${local.serviceaccount_namespace}:${local.serviceaccount_name}"
    22. 

  22.       ]
    23. 

  23.     }
    24. 

  24. 

  25.     principals {
    26. 

  26.       type        = "Federated"
    27. 

  27.       identifiers = [module.eks.oidc_provider_arn]
    28. 

  28.     }
    29. 

  29.   }
    30. 

  30. }
    31. 

  31. 

  32. resource "aws_iam_role" "eso-e2e-irsa" {
    33. 

  33.   name               = "eso-e2e-irsa"
    34. 

  34.   path               = "/"
    35. 

  35.   assume_role_policy = data.aws_iam_policy_document.assume-policy.json
    36. 

  36.   managed_policy_arns = [
    37. 

  37.     "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
    38. 

  38.   ]
    39. 

  39. 

  40.   inline_policy {
    41. 

  41.     name = "aws_ssm_parameterstore"
    42. 

  42. 

  43.     policy = jsonencode({
    44. 

  44.       Version = "2012-10-17"
    45. 

  45.       Statement = [
    46. 

  46.         {
    47. 

  47.           Action = [
    48. 

  48.             "ssm:GetParameter*",
    49. 

  49.             "ssm:PutParameter",
    50. 

  50.             "ssm:DescribeParameters",
    51. 

  51.             "ssm:DeleteParameter*",
    52. 

  52.             "ssm:AddTagsToResource",
    53. 

  53.             "ssm:ListTagsForResource",
    54. 

  54.             "ssm:RemoveTagsFromResource",
    55. 

  55.             "tag:GetResources"
    56. 

  56.           ]
    57. 

  57.           Effect   = "Allow"
    58. 

  58.           Resource = "*"
    59. 

  59.         },
    60. 

  60.       ]
    61. 

  61.     })
    62. 

  62.   }
    63. 

  63. }
    64. 

  64. 

  65. resource "null_resource" "apply_sa" {
    66. 

  66.   triggers = {
    67. 

  67.     kubeconfig = base64encode(local.kubeconfig)
    68. 

  68.     cmd_patch  = <<-EOT
    69. 

  69.       echo '${local.sa_manifest}' | kubectl --kubeconfig <(echo $KUBECONFIG | base64 --decode) apply -f -
    70. 

  70.     EOT
    71. 

  71.   }
    72. 

  72. 

  73.   provisioner "local-exec" {
    74. 

  74.     interpreter = ["/bin/bash", "-c"]
    75. 

  75.     environment = {
    76. 

  76.       KUBECONFIG = self.triggers.kubeconfig
    77. 

  77.     }
    78. 

  78.     command = self.triggers.cmd_patch
    79. 

  79.   }
    80. 

  80. }
    81.