From 24996cd443573c216cc97c9984acb6183f0a6321 Mon Sep 17 00:00:00 2001
From: Alexander Schaber
Date: Wed, 23 Aug 2023 15:05:48 +0200
Subject: [PATCH] feat: Add variable for adding statement for `secretsmanager:CreateSecret` (#414)
* feat: Add variable for adding statement for `secretsmanager:CreateSecret`
* fix: Update wrappers to pass CI checks
---------
Co-authored-by: Bryant Biggs
---
 .pre-commit-config.yaml | 2 +-
 examples/iam-role-for-service-accounts-eks/main.tf | 11 ++++++-----
 modules/iam-role-for-service-accounts-eks/README.md | 1 +
 modules/iam-role-for-service-accounts-eks/policies.tf | 10 ++++++++++
 .../iam-role-for-service-accounts-eks/variables.tf | 6 ++++++
 wrappers/iam-role-for-service-accounts-eks/main.tf | 1 +
 6 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e79e67b2..bce3622f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos: - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.81.0
+ rev: v1.82.0
hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index b7583241..5c4a0e8b 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -155,11 +155,12 @@ module "external_dns_irsa_role" {
module "external_secrets_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "external-secrets"
- attach_external_secrets_policy = true
- external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
- external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
- external_secrets_kms_key_arns = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
+ role_name = "external-secrets"
+ attach_external_secrets_policy = true
+ external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
+ external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
+ external_secrets_kms_key_arns = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
+ external_secrets_secrets_manager_create_permission = false
oidc_providers = {
ex = {
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index cd5cbbd9..aff61eda 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -211,6 +211,7 @@ No modules. | [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
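Review bot: The example sets `external_secrets_secrets_manager_create_permission = false`, which is the variable's default, so the new `secretsmanager:CreateSecret` statement is never rendered by this example and the optional branch in policies.tf is not exercised by any plan run against it. Consider setting it to `true` here, where the secret ARN is already narrowed to `arn:aws:secretsmanager:*:*:secret:bar`, or add a short comment such as `# shown at its default to document the input; set to true to grant CreateSecret on the ARNs above` so readers know the line is illustrative. The `external_secrets_irsa_role` module block continues past the end of the hunk.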
[
"arn:aws:route53:::hostedzone/*"
]
| no | | [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no | | [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | +| [external\_secrets\_secrets\_manager\_create\_permission](#input\_external\_secrets\_secrets\_manager\_create\_permission) | Determins whether External Secrets may use secretsmanager:CreateSecret | `bool` | `false` | no | | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | | [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` |
[
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index cf1ff557..69dbca14 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -506,6 +506,16 @@ data "aws_iam_policy_document" "external_secrets" {
]
resources = var.external_secrets_kms_key_arns
}
+
+ dynamic "statement" {
+ for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
+ content {
+ actions = [
+ "secretsmanager:CreateSecret"
+ ]
+ resources = var.external_secrets_secrets_manager_arns
+ }
+ }
}
resource "aws_iam_policy" "external_secrets" {
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index c01c902d..99087a7b 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -183,6 +183,12 @@ variable "external_secrets_kms_key_arns" {
default = ["arn:aws:kms:*:*:key/*"]
}
+variable "external_secrets_secrets_manager_create_permission" {
+ description = "Determins whether External Secrets may use secretsmanager:CreateSecret"
+ type = bool
+ default = false
+}
+
# FSx Lustre CSI
variable "attach_fsx_lustre_csi_policy" {
description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"
diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf
index 5c0badf8..3c3d8294 100644
--- a/wrappers/iam-role-for-service-accounts-eks/main.tf
+++ b/wrappers/iam-role-for-service-accounts-eks/main.tf
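Review bot: The new `secretsmanager:CreateSecret` statement reuses `var.external_secrets_secrets_manager_arns` as its resource list, so enabling the flag grants create access over exactly the same scope as the existing read access, which with that variable's default of `arn:aws:secretsmanager:*:*:secret:*` means any secret name in any region; the dynamic block should carry a comment making that coupling visible, e.g. `# Optional write access: CreateSecret is scoped to the same ARN list as the read statement, so narrow external_secrets_secrets_manager_arns when enabling this`. Creating a secret encrypted with a customer managed key also requires `kms:GenerateDataKey` on that key, so if the KMS statement whose `resources` line closes just above the addition grants only `kms:Decrypt` (its action list is outside the hunk), the new permission will be insufficient for CMK-encrypted secrets and that limitation belongs in the variable description. The `external_secrets` policy document begins before the hunk and the `aws_iam_policy` resource continues after it.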
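Review bot: The description of `external_secrets_secrets_manager_create_permission` has a typo, `Determins` for `Determines`, and because the README row is generated from this string the typo is reproduced in the documentation table as well. While fixing it, state the scope the permission inherits so operators do not have to read policies.tf: `description = "Determines whether External Secrets may use secretsmanager:CreateSecret on the ARNs in external_secrets_secrets_manager_arns"`. The `false` default keeps the write permission opt-in, which is the appropriate default for a variable that widens an otherwise read-oriented policy; the variables that follow are outside the hunk.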
@@ -32,6 +32,7 @@ module "wrapper" {
external_secrets_ssm_parameter_arns = try(each.value.external_secrets_ssm_parameter_arns, var.defaults.external_secrets_ssm_parameter_arns, ["arn:aws:ssm:*:*:parameter/*"])
external_secrets_secrets_manager_arns = try(each.value.external_secrets_secrets_manager_arns, var.defaults.external_secrets_secrets_manager_arns, ["arn:aws:secretsmanager:*:*:secret:*"])
external_secrets_kms_key_arns = try(each.value.external_secrets_kms_key_arns, var.defaults.external_secrets_kms_key_arns, ["arn:aws:kms:*:*:key/*"])
+ external_secrets_secrets_manager_create_permission = try(each.value.external_secrets_secrets_manager_create_permission, var.defaults.external_secrets_secrets_manager_create_permission, false)
attach_fsx_lustre_csi_policy = try(each.value.attach_fsx_lustre_csi_policy, var.defaults.attach_fsx_lustre_csi_policy, false)
fsx_lustre_csi_service_role_arns = try(each.value.fsx_lustre_csi_service_role_arns, var.defaults.fsx_lustre_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"])
attach_karpenter_controller_policy = try(each.value.attach_karpenter_controller_policy, var.defaults.attach_karpenter_controller_policy, false)