Merge pull request #158 from NetApp/add_secret_rotate

Add an AWS Secret Manager FSxN rotate function

Author: kcantrel

EKS/FSxN-as-PVC-for-EKS/terraform/eks-cluster.tf

@@ -81,7 +81,7 @@ resource "aws_iam_policy" "trident_policy" {
         {
             "Action": "secretsmanager:GetSecretValue",
             "Effect": "Allow",
-            "Resource": aws_secretsmanager_secret_version.fsx_secret_password.arn
+            "Resource": module.svm_rotate_secret.secret_arn
         }
     ],
   })

EKS/FSxN-as-PVC-for-EKS/terraform/fsx.tf

@@ -1,53 +1,40 @@
 #
-# Generate a random password for FSx
-resource "random_string" "fsx_password" {
-  length           = 8
-  min_lower        = 1
-  min_numeric      = 1
-  min_special      = 0
-  min_upper        = 1
-  numeric          = true
-  special          = true
-  override_special = "@$%^&*()_+="
-}
-
-provider "aws" {
-  alias = "secrets_provider"
-  region = var.aws_secrets_region
-}
-#
-# Store the password in AWS Secrets Manager
-resource "aws_secretsmanager_secret" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  name = "${var.fsx_password_secret_name}-${random_id.id.hex}"
-}
-resource "aws_secretsmanager_secret_version" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  secret_id = aws_secretsmanager_secret.fsx_secret_password.id
-  secret_string =  jsonencode({username = "vsadmin", password = random_string.fsx_password.result})
+# Instantiate an AWS secret for the FSx ONTAP file system. It will set the initial password for the file system.
+module "fsxn_rotate_secret" {
+    source = "github.com/Netapp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    fsx_id = aws_fsx_ontap_file_system.eksfs.id
 }
 #
-# Note that this allows traffic from both the private and public subnets. However
-# the security groups only allow traffic from the public subnet over port 22 when
-# the source has the jump server SG assigned to it. So, basically, it only allows traffic
-# from the jump server from the public subnet.
+# Create a FSxN file system.
 resource "aws_fsx_ontap_file_system" "eksfs" {
   storage_capacity    = var.fsxn_storage_capacity
   subnet_ids          = module.vpc.private_subnets
   deployment_type     = "MULTI_AZ_1"
   throughput_capacity = var.fsxn_throughput_capacity
   preferred_subnet_id = module.vpc.private_subnets[0]
   security_group_ids  = [aws_security_group.fsx_sg.id]
-  fsx_admin_password = random_string.fsx_password.result
-  route_table_ids    = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
+  route_table_ids     = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
   tags = {
     Name = var.fsx_name
   }
 }
 #
+# Instantiate an AWS secret for the storage virtual machine. It will set the initial password for the SVM.
+module "svm_rotate_secret" {
+    source = "github.com/Netapp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    svm_id = aws_fsx_ontap_storage_virtual_machine.ekssvm.id
+}
+#
 # Create a vserver and assign the 'vsadmin' the same password as fsxadmin.
 resource "aws_fsx_ontap_storage_virtual_machine" "ekssvm" {
   file_system_id = aws_fsx_ontap_file_system.eksfs.id
   name           = "ekssvm"
-  svm_admin_password = random_string.fsx_password.result
 }

EKS/FSxN-as-PVC-for-EKS/terraform/outputs.tf

@@ -1,14 +1,21 @@
 output "region" {
-  description = "AWS region"
   value       = var.aws_region
 }
 
 output "fsx-password-secret-name" {
-   value = aws_secretsmanager_secret.fsx_secret_password.name
+   value = module.fsxn_rotate_secret.secret_name
 }
 
 output "fsx-password-secret-arn" {
-  value = aws_secretsmanager_secret_version.fsx_secret_password.arn
+  value = module.fsxn_rotate_secret.secret_arn
+}
+
+output "svm-password-secret-name" {
+  value = module.svm_rotate_secret.secret_name
+}
+
+output "svm-password-secret-arn" {
+  value = module.svm_rotate_secret.secret_arn
 }
 
 output "fsx-svm-name" {

EKS/FSxN-as-PVC-for-EKS/terraform/variables.tf

@@ -1,35 +1,42 @@
 variable "aws_region" {
-  default = "us-west-2"
-  description = "aws region where you want the resources deployed."
+  description = "The AWS region where you want the resources deployed."
+  type        = string
 }
 
 variable "aws_secrets_region" {
-  default     = "us-west-2"
-  description = "The region where you want the FSxN secret stored within AWS Secrets Manager."
+  description = "The AWS region where you want the FSxN and SVM secrets stored within AWS Secrets Manager."
+  type        = string
+}
+
+variable "aws_account_id" {
+  description = "The AWS account ID. Used to create very specific permissions in the IAM role for the EKS cluster."
+  type       = string
 }
 
 variable "fsx_name" {
-  default     = "eksfs"
   description = "The name you want assigned to the FSxN file system."
+  default     = "eksfs"
 }
 
-variable "fsx_password_secret_name" {
+variable "secret_name_prefix" {
+  description = "The base name of the secrets (FSxN and SVM) to create within the AWS Secrets Manager. A random string will be appended to the end of the secreate name to ensure no name conflict."
   default     = "fsx-eks-secret"
-  description = "The base name of the secret to create within the AWS Secrets Manager that will contain the FSxN password. A random string will be appended to the end of the secreate name to ensure no name conflict."
 }
 
 variable "fsxn_storage_capacity" {
-  default = 1024
   description = "The storage capacity, in GiBs, to be allocated to the FSxN clsuter. Must be at least 1024, and less than 196608."
+  type        = number
+  default     = 1024
   validation {
     condition = var.fsxn_storage_capacity >= 1024 && var.fsxn_storage_capacity < 196608
     error_message = "The storage capacity must be at least 1024, and less than 196608."
   }
 }
 
 variable "fsxn_throughput_capacity" {
-  default = 128
   description = "The throughput capacity to be allocated to the FSxN cluster. Must be 128, 256, 512, 1024, 2048, 4096."
+  type        = string   # Set to a string so it can be used in a "contains()" function.
+  default     = 128
   validation {
     condition = contains([128, 256, 512, 1024, 2048, 4096], var.fsxn_throughput_capacity)
     error_message = "The throughput capacity must be 128, 256, 512, 1024, 2048, or 4096."
@@ -38,34 +45,38 @@ variable "fsxn_throughput_capacity" {
 #
 # Keep in mind that key pairs are regional, so pick one that is in the region specified above.
 variable "key_pair_name" {
-  default = "MUST REPLACE WITH YOUR KEY PAIR NAME"
   description = "The key pair to associate with the jump server."
+  default     = "MUST REPLACE WITH YOUR KEY PAIR NAME"
+  type        = string
   validation {
     condition = var.key_pair_name != "MUST REPLACE WITH YOUR KEY PAIR NAME"
     error_message = "You must specify a key pair name."
   }
 }
 
 variable "secure_ips" {
-  default = ["0.0.0.0/0"]
   description = "List of CIDRs that are allowed to ssh into the jump server."
+  default = ["0.0.0.0/0"]
 }
 
 ################################################################################
 # Don't change any variables below this line.
 ################################################################################
 
 variable "trident_version" {
-  default     = "v24.2.0-eksbuild.1"
   description = "The version of Astra Trident to 'add-on' to the EKS cluster."
+  default     = "v24.2.0-eksbuild.1"
+  type        = string
 }
 
 variable "kubernetes_version" {
-  default     = 1.29
   description = "kubernetes version"
+  default     = 1.29
+  type        = string
 }
 
 variable "vpc_cidr" {
-  default     = "10.0.0.0/16"
   description = "default CIDR range of the VPC"
+  default     = "10.0.0.0/16"
+  type        = string
 }