DNXLabs/terraform-aws-eks-external-secrets

Improve readme around SecretStore/ ClusterSecretStore

Opened this issue · 0 comments

Contact Details (optional)

I am attempting to add your Terraform module, but found it was unclear what to put into the SecretStore object.

Summary

Thanks a lot for open sourcing this Terraform code! I finally got it working on my end, but ran into a few gotchas. The first thing I found is that if you have your EKS cluster name, you don't need to provide the ARNs as input variables; you could do something like this:

# Look up the cluster so the OIDC issuer URL does not have to be passed in by hand
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# The IAM OIDC identity provider registered for this cluster (must already exist)
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Role trust policy: only the external-secrets service account may assume the role
data "aws_iam_policy_document" "external_secrets_assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }

    # Pin the token's "sub" claim to exactly one namespace/service-account pair
    condition {
      test     = "StringEquals"
      variable = "${replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")}:sub"

      values = [
        "system:serviceaccount:${var.namespace}:${var.service_account_name}",
      ]
    }

    effect = "Allow"
  }
}

But that's fairly low priority. The next one that I had to figure out was what to put into the SecretStore/ ExternalSecretStore. Your readme just provides links, which wasn't too clear. Most of those links say to put AWS creds into a secret, which is not what you want to do. I settled on going with this:

terraform {
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
    }
  }
}

# Cluster-wide store that authenticates to AWS with the IRSA service account
# (no static AWS credentials are stored in the cluster)
resource "kubectl_manifest" "secret_store" {
  # The CRDs come from the chart, so the store must be applied after it
  depends_on = [helm_release.external_secrets]

  yaml_body  = <<-EOF
    apiVersion: external-secrets.io/v1alpha1
    kind: ClusterSecretStore
    metadata:
      name: aws-store
      namespace: ${var.namespace}   # ClusterSecretStore is cluster-scoped; the API server drops this field
    spec:
      provider:
        aws:
          service: SecretsManager
          region: us-west-2
          auth:
            jwt:
              # The service account whose projected token is exchanged for the IAM role above;
              # a ClusterSecretStore must name the namespace explicitly
              serviceAccountRef:
                name: ${var.service_account_name}
                namespace: ${var.namespace}
    EOF
}

And that really closed the loop on making everything work because now my developers only have to think about the ExternalSecret resources and point them at this functional ClusterSecretStore.

Motivation

Improve usability

Alternatives

No response

Additional Context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
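As an added example (not part of this issue or the module), here is the ExternalSecret a developer would point at the `aws-store` ClusterSecretStore described above, declared with the same kubectl provider; the variable `var.app_namespace`, the Secrets Manager secret name `prod/app/db` and the key names are assumed placeholders.

```hcl
# Added example: an ExternalSecret that consumes the "aws-store" ClusterSecretStore.
# var.app_namespace, the secret name and the key names are assumed placeholders.
resource "kubectl_manifest" "app_db_external_secret" {
  # The store must exist before the controller can reconcile this resource
  depends_on = [kubectl_manifest.secret_store]

  yaml_body = <<-EOF
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: app-db
      namespace: ${var.app_namespace}   # the application's own namespace, not the operator's
    spec:
      refreshInterval: 1h               # how often the value is re-read from AWS
      secretStoreRef:
        name: aws-store
        kind: ClusterSecretStore        # required: without it the ref resolves to a namespaced SecretStore
      target:
        name: app-db                    # the Kubernetes Secret the controller creates
        creationPolicy: Owner           # the Secret is owned (and garbage-collected) by this object
      data:
        - secretKey: DB_PASSWORD        # key inside the generated Kubernetes Secret
          remoteRef:
            key: prod/app/db            # Secrets Manager secret name (placeholder)
            property: password          # JSON field to extract from that secret's value
    EOF
}
```

After apply, `kubectl get externalsecret app-db -n <app namespace>` should report a Ready condition; a SecretSyncedError there usually means the IAM role's permissions policy does not grant `secretsmanager:GetSecretValue` on that secret or the trust policy's `sub` condition does not match the service account.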