############################
# Locals
############################
locals {
  # The IBM module hardcodes the External Secrets Operator service-account
  # name in its claim rule; the AWS trust policy must pin the same name in
  # its `sub` condition, so it is fixed here rather than exposed as a variable.
  service_account_name = "external-secrets"

  # On AWS, var.tp_cluster_crn is reinterpreted as the EKS cluster's IAM OIDC
  # provider ARN, expected in the form
  #   arn:aws:iam::<account_id>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<hash>
  # The issuer host is everything after "oidc-provider/"; it is the prefix of
  # the condition keys (":sub", ":aud") in the role trust policy. regex()
  # errors at plan time if the value does not contain "oidc-provider/", which
  # acts as a guard against passing an IBM CRN through unchanged.
  oidc_issuer_host = element(regex("oidc-provider/(.*)", var.tp_cluster_crn), 0)
}
############################
# IAM Role (Trusted Profile equivalent)
############################
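resource "aws_iam_role" "trusted_profile" {
  name = var.trusted_profile_name

  # Trust policy (IRSA): only the cluster's OIDC provider may exchange a
  # projected service-account token for this role, and only a token issued
  # for the ESO service account in var.tp_namespace.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          # On AWS this variable holds the OIDC provider ARN (see locals).
          Federated = var.tp_cluster_crn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Pin the token audience. The EKS pod identity webhook mounts the
            # projected token with audience "sts.amazonaws.com" unless the
            # ServiceAccount overrides it via the eks.amazonaws.com/audience
            # annotation (adjust this value if it does). Without an `aud`
            # condition, a token from the same issuer minted for any other
            # audience would also satisfy this trust policy.
            "${local.oidc_issuer_host}:aud" = "sts.amazonaws.com"
            # Pin the subject to exactly one namespace/service-account pair.
            "${local.oidc_issuer_host}:sub" = "system:serviceaccount:${var.tp_namespace}:${local.service_account_name}"
          }
        }
      }
    ]
  })
}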
############################################
# IAM Policy — Secrets Manager access
############################################
# Case 1: secrets_manager_arns is empty.
# → Mirrors the IBM module's grant on a whole Secrets Manager instance. AWS has
#   no per-instance scope, so this becomes read access to every secret in the
#   account (Resource = "*") — the broad option; prefer Case 2 where possible.
resource "aws_iam_policy" "secrets_reader_all" {
  # Created only when the caller gave no explicit ARNs; the scoped policy is
  # the alternative, so exactly one of the two policies exists.
  count = length(var.secrets_manager_arns) > 0 ? 0 : 1

  name = "${var.trusted_profile_name}-secrets-reader-all"

  # SECURITY: Resource "*" lets the role read and describe every secret in the
  # account, in every region (and any secret another account has shared via a
  # resource policy). Pass secrets_manager_arns to get the scoped policy
  # instead of this one.
  policy = jsonencode({
    "Version" = "2012-10-17"
    "Statement" = [
      {
        "Effect"   = "Allow"
        "Resource" = "*"
        "Action" = [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret",
        ]
      },
    ]
  })
}
# Case 2: one or more secrets_manager_arns values provided.
# → Used verbatim as the Resource list: full secret ARNs or ARN patterns.
#   Secrets Manager appends a random suffix to secret ARNs, so a pattern such
#   as "arn:aws:secretsmanager:<region>:<account>:secret:<name>-*" is usually
#   what callers want when pinning by name.
resource "aws_iam_policy" "secrets_reader_scoped" {
  # Created only when the caller supplied explicit ARNs / ARN patterns.
  count = length(var.secrets_manager_arns) == 0 ? 0 : 1

  name = "${var.trusted_profile_name}-secrets-reader-scoped"

  # Read access limited to the supplied resources. Note that a caller who
  # passes "*" here re-creates the unscoped grant of Case 1; the module does
  # not reject that.
  policy = jsonencode({
    "Version" = "2012-10-17"
    "Statement" = [
      {
        "Effect"   = "Allow"
        "Resource" = var.secrets_manager_arns
        "Action" = [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret",
        ]
      },
    ]
  })
}
############################################
# Attach IAM policy to role
############################################
resource "aws_iam_role_policy_attachment" "attach_all" {
  # Mirrors the count of secrets_reader_all so the [0] index below is valid
  # exactly when that policy exists.
  count = length(var.secrets_manager_arns) > 0 ? 0 : 1

  policy_arn = aws_iam_policy.secrets_reader_all[0].arn
  role       = aws_iam_role.trusted_profile.name
}
resource "aws_iam_role_policy_attachment" "attach_scoped" {
  # Mirrors the count of secrets_reader_scoped so the [0] index below is valid
  # exactly when that policy exists.
  count = length(var.secrets_manager_arns) == 0 ? 0 : 1

  policy_arn = aws_iam_policy.secrets_reader_scoped[0].arn
  role       = aws_iam_role.trusted_profile.name
}
############################################
# Kubernetes ServiceAccount (IRSA binding)
############################################
resource "kubernetes_service_account" "external_secrets" {
  # The ServiceAccount the trust policy's `sub` condition names
  # (system:serviceaccount:<tp_namespace>:external-secrets). The role-arn
  # annotation is what the EKS pod identity webhook reads to inject the
  # projected token and AWS_ROLE_ARN into pods that use this account.
  # NOTE(review): if the ESO Helm chart is also configured to create this
  # ServiceAccount, the two will conflict — confirm against the deployment.
  metadata {
    namespace = var.tp_namespace
    name      = local.service_account_name

    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.trusted_profile.arn
    }
  }
}