Improve readme around SecretStore/ClusterSecretStore
Opened this issue · 0 comments
Contact Details (optional)
I am attempting to add your Terraform module, but found it was unclear what to put into the SecretStore object.
Summary
Thanks a lot for open-sourcing this Terraform code! I finally got it working on my end, but ran into a few gotchas. The first thing I found is that if you have your EKS cluster name, you don't need to provide the ARNs as input variables; you could do something like this:
```hcl
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Role
data "aws_iam_policy_document" "external_secrets_assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")}:sub"
      values = [
        "system:serviceaccount:${var.namespace}:${var.service_account_name}",
      ]
    }
    effect = "Allow"
  }
}
```
But that's fairly low priority. The next one that I had to figure out was what to put into the SecretStore/ExternalSecretStore. Your readme just provides links, which wasn't too clear. Most of those links say to put AWS creds into a secret, which is not what you want to do. I settled on going with this:
```hcl
terraform {
  required_providers {
    kubectl = {
      source = "gavinbunney/kubectl"
    }
  }
}

resource "kubectl_manifest" "secret_store" {
  # The CRDs must exist before this manifest is applied.
  depends_on = [helm_release.external_secrets]
  yaml_body  = <<-EOF
    apiVersion: external-secrets.io/v1alpha1
    kind: ClusterSecretStore
    metadata:
      name: aws-store
      # ClusterSecretStore is cluster-scoped, so this namespace is not needed.
      namespace: ${var.namespace}
    spec:
      provider:
        aws:
          service: SecretsManager
          region: us-west-2
          auth:
            # IRSA: the operator exchanges the service account's projected
            # token for role credentials, so no AWS keys are stored in a Secret.
            jwt:
              serviceAccountRef:
                name: ${var.service_account_name}
                namespace: ${var.namespace}
  EOF
}
```
And that really closed the loop on making everything work, because now my developers only have to think about the ExternalSecret resources and point them to this functional ClusterSecretStore.
Motivation
Improve usability
Alternatives
No response
Additional Context
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
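Added example (not code from this issue or from the module): a Python check that an IAM role trust policy carries the `<issuer-host>:sub` StringEquals condition the `aws_iam_policy_document` above produces, so only the named service account can call `sts:AssumeRoleWithWebIdentity`. The issuer, account id and names are constructed placeholders; the input is the `AssumeRolePolicyDocument` shape that `aws iam get-role` returns.

```python
"""Check that an IRSA trust policy pins AssumeRoleWithWebIdentity to one service account."""
import copy

def expected_sub_condition(issuer_url, namespace, service_account):
    """Build the condition key/value pair the Terraform policy document above emits."""
    host = issuer_url.replace("https://", "")  # same replace() as in the HCL
    return f"{host}:sub", f"system:serviceaccount:{namespace}:{service_account}"

def check_trust_policy(policy, issuer_url, namespace, service_account):
    """Return findings; an empty list means the role is pinned to the expected SA."""
    key, want = expected_sub_condition(issuer_url, namespace, service_account)
    findings, seen = [], False
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen = True
        got = stmt.get("Condition", {}).get("StringEquals", {}).get(key)
        if got is None:
            findings.append(f"statement {i}: no StringEquals on {key}; "
                            "any service account in the cluster could assume this role")
            continue
        for value in ([got] if isinstance(got, str) else got):
            if value != want:
                findings.append(f"statement {i}: {key} allows {value!r}, expected {want!r}")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity found")
    return findings

# Constructed sample: issuer, account id and names are placeholders, not real values.
ISSUER = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0000000000000000000000000"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/"
                                   + ISSUER.replace("https://", "")},
        "Condition": {"StringEquals": {
            ISSUER.replace("https://", "") + ":sub":
                "system:serviceaccount:external-secrets:external-secrets"}},
    }],
}
# Same policy with the condition dropped: every pod in the cluster could assume the role.
BAD_POLICY = copy.deepcopy(GOOD_POLICY)
del BAD_POLICY["Statement"][0]["Condition"]
```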