jenkins-x/terraform-aws-eks-jx

Secrets manager: list of secrets to allow to retrieve should be configurable

babadofar opened this issue · 2 comments

The list of secrets that may be retrieved from Secrets Manager is currently fixed. This makes it hard to use with custom pre-existing secrets. It should be configurable.

https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/irsa.tf#L399

```hcl
resources = [
  "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/lighthouse/*",
  "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/jx/*",
  "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/nexus/*"
]
```

Can't you set create_asm_role to false and use your own custom role? That way you can use customized roles (for example, add cross-account access, etc.).

Yes, that would be a nice option. But then again, it complicates things somewhat.
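One way the fixed list from the issue could become configurable, and at the same time a policy document that a caller who sets create_asm_role to false could attach to their own role, is sketched below. This is an added example, not code from terraform-aws-eks-jx; the variable name asm_secret_path_prefixes, the local asm_secret_arns, the data source name asm_read and the chosen IAM actions are assumptions, while data.aws_partition.current, var.region and local.project are taken from the irsa.tf excerpt above. The defaults reproduce the three prefixes the module currently hard-codes.

```hcl
# Added example, not the module's own code. Makes the Secrets Manager allow-list
# a variable instead of a hard-coded list, so callers can add their own secret
# prefixes without widening the policy to "*". Names marked "assumed" below are
# not from the module.

# Assumed variable name. Each entry is a Secrets Manager name prefix; it is
# turned into one ARN with a trailing wildcard.
variable "asm_secret_path_prefixes" {
  description = "Secrets Manager name prefixes the workload role may read."
  type        = list(string)
  default = [
    "secret/data/lighthouse/",
    "secret/data/jx/",
    "secret/data/nexus/",
  ]

  # Reject an empty prefix (which would expand to "secret:*") and any caller-supplied
  # wildcard, so the generated ARNs never grant broader access than one prefix.
  validation {
    condition = alltrue([
      for p in var.asm_secret_path_prefixes : length(p) > 0 && !can(regex("\\*", p))
    ])
    error_message = "Each prefix must be non-empty and must not contain '*'."
  }
}

locals {
  # Assumed local name. One ARN per prefix, scoped to the same partition, region
  # and account id expression the existing irsa.tf policy uses.
  asm_secret_arns = [
    for prefix in var.asm_secret_path_prefixes :
    "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:${prefix}*"
  ]
}

# Assumed data source name. With create_asm_role = false this document can be
# attached to a custom role; otherwise the module's own role would use it.
data "aws_iam_policy_document" "asm_read" {
  statement {
    sid    = "ReadConfiguredSecrets"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    # Only the configured prefixes; there is deliberately no "*" fallback.
    resources = local.asm_secret_arns
  }
}
```

A caller who needs a pre-existing secret then passes, for example, asm_secret_path_prefixes = ["secret/data/jx/", "secret/data/myapp/"] rather than editing the module, and the validation block stops an empty or wildcard entry from silently turning the statement into read access on every secret in the account.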