Draft for getting secrets from AWS Secrets Manager
# IAM policy document granting the Secrets Store CSI driver (AWS provider)
# read access to Secrets Manager secrets. Rendered as JSON by the
# aws_iam_policy resource below.
data "aws_iam_policy_document" "secret-store-csi" {
  statement {
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    # "*" lets the role read every secret reachable in the account. Before this
    # leaves draft state, narrow it to the specific secret ARNs the workloads
    # need (or a tag/path condition) so a compromised pod cannot enumerate and
    # read unrelated secrets.
    resources = ["*"]
  }
}
# Managed policy wrapping the document above; attached to the IRSA role
# created by module "secret-store-csi-aim-role".
resource "aws_iam_policy" "secret-store-csi" {
  name        = "secret-store-csi-${var.cluster_name}"
  description = "Secrets store access for ${var.cluster_name}"
  policy      = data.aws_iam_policy_document.secret-store-csi.json
}
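# IRSA role assumed (via the cluster OIDC provider) by pods that mount
# Secrets Manager secrets through the CSI driver.
# NOTE: the label reads "aim" rather than "iam"; it is referenced under that
# name by kubernetes_service_account "example", so it is left unchanged here.
module "secret-store-csi-aim-role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "4.1.0"

  create_role  = true
  role_name    = "secret-store-csi-${var.cluster_name}"
  provider_url = local.openid_url

  role_policy_arns = [aws_iam_policy.secret-store-csi.arn]

  # Trust only the service account this role ARN is annotated on
  # (kubernetes_service_account "example": name "terraform-example", no
  # metadata.namespace set, hence "default"). The previous value
  # "system:serviceaccount:*:*" allowed every service account in every
  # namespace of the cluster to assume the role and read all secrets.
  # The subject is written as a literal rather than as a reference to the
  # service account resource, because that resource already depends on this
  # module's iam_role_arn output and a reference here would form a cycle.
  oidc_fully_qualified_subjects = ["system:serviceaccount:default:terraform-example"]
}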
# Service account carrying the IRSA role ARN annotation, so pods running under
# it receive AWS credentials for the secret-store-csi role.
# No metadata.namespace is set, so the account is created in "default".
# NOTE(review): "example"/"terraform-example" look like placeholder names —
# confirm this is the service account the secret-mounting pods actually use,
# since it is the identity the role trust policy should be scoped to.
resource "kubernetes_service_account" "example" {
  metadata {
    name = "terraform-example"
    annotations = {
      "eks.amazonaws.com/role-arn" = module.secret-store-csi-aim-role.iam_role_arn
    }
  }
}
#https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html
# Argo CD Application that installs the Secrets Store CSI driver Helm chart
# into the "runtime" namespace/project. Created only when the feature flag
# var.app_secret_store_csi_driver_enable is set; waits for the "runtime"
# Argo CD project to exist first.
resource "kubectl_manifest" "argocd-app-secrets-store-csi-driver" {
  count      = var.app_secret_store_csi_driver_enable ? 1 : 0
  depends_on = [kubernetes_manifest.argocd-project-runtime]

  yaml_body = templatefile(
    "${path.module}/templates/argo-helm-app.yaml", merge(local.argocd_default_app_values, {
      name               = var.app_secret_store_csi_driver_helm_chart_name
      namespace          = "runtime"
      project            = "runtime"
      helm_chart         = var.app_secret_store_csi_driver_helm_chart_name
      helm_chart_repoUrl = var.app_secret_store_csi_driver_helm_chart
      helm_chart_version = var.app_secret_store_csi_driver_helm_chart_version
      # Chart values: syncSecret.enabled=false keeps the driver from mirroring
      # mounted content into Kubernetes Secret objects (mounted files only);
      # secret rotation stays off, matching the inline note.
      helm_values = <<-EOT
        syncSecret:
          enabled: false
        enableSecretRotation: false #enables secret rotation. Currently in alpha
      EOT
    })
  )
}
# Argo CD Application that installs the AWS provider for the Secrets Store CSI
# driver into the same "runtime" namespace/project. Gated separately from the
# driver itself by var.app_secret_store_csi_driver_provider_aws_enable; note
# there is no explicit dependency on the driver Application above.
# NOTE(review): helm_chart_repoUrl is fed from a variable named "..._helm_chart"
# (no "_repo" suffix) — confirm it holds the repository URL and not the chart name.
resource "kubectl_manifest" "argocd-app-secrets-store-csi-driver-aws" {
  count      = var.app_secret_store_csi_driver_provider_aws_enable ? 1 : 0
  depends_on = [kubernetes_manifest.argocd-project-runtime]

  yaml_body = templatefile(
    "${path.module}/templates/argo-helm-app.yaml", merge(local.argocd_default_app_values, {
      name               = var.app_secret_store_csi_driver_provider_aws_helm_chart_name
      namespace          = "runtime"
      project            = "runtime"
      helm_chart         = var.app_secret_store_csi_driver_provider_aws_helm_chart_name
      helm_chart_repoUrl = var.app_secret_store_csi_driver_provider_aws_helm_chart
      helm_chart_version = var.app_secret_store_csi_driver_provider_aws_helm_chart_version
    })
  )
}