Added support to the rotate secrets module to handle updating a SVM password; Allowing the secret to be in a different region than the default; Used friendly variables names.

Author: kcantrel

EKS/FSxN-as-PVC-for-EKS/terraform/eks-cluster.tf

@@ -81,7 +81,7 @@ resource "aws_iam_policy" "trident_policy" {
         {
             "Action": "secretsmanager:GetSecretValue",
             "Effect": "Allow",
-            "Resource": aws_secretsmanager_secret_version.fsx_secret_password.arn
+            "Resource": module.svm_rotate_secret.secret_arn
         }
     ],
   })

EKS/FSxN-as-PVC-for-EKS/terraform/fsx.tf

@@ -1,53 +1,40 @@
 #
-# Generate a random password for FSx
-resource "random_string" "fsx_password" {
-  length           = 8
-  min_lower        = 1
-  min_numeric      = 1
-  min_special      = 0
-  min_upper        = 1
-  numeric          = true
-  special          = true
-  override_special = "@$%^&*()_+="
-}
-
-provider "aws" {
-  alias = "secrets_provider"
-  region = var.aws_secrets_region
-}
-#
-# Store the password in AWS Secrets Manager
-resource "aws_secretsmanager_secret" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  name = "${var.fsx_password_secret_name}-${random_id.id.hex}"
-}
-resource "aws_secretsmanager_secret_version" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  secret_id = aws_secretsmanager_secret.fsx_secret_password.id
-  secret_string =  jsonencode({username = "vsadmin", password = random_string.fsx_password.result})
+# Instantiate an AWS secret for the FSx ONTAP file system. It will set the initial password for the file system.
+module "fsxn_rotate_secret" {
+    source = "../DevelopersAdocacy/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    fsx_id = aws_fsx_ontap_file_system.eksfs.id
 }
 #
-# Note that this allows traffic from both the private and public subnets. However
-# the security groups only allow traffic from the public subnet over port 22 when
-# the source has the jump server SG assigned to it. So, basically, it only allows traffic
-# from the jump server from the public subnet.
+# Create a FSxN file system.
 resource "aws_fsx_ontap_file_system" "eksfs" {
   storage_capacity    = var.fsxn_storage_capacity
   subnet_ids          = module.vpc.private_subnets
   deployment_type     = "MULTI_AZ_1"
   throughput_capacity = var.fsxn_throughput_capacity
   preferred_subnet_id = module.vpc.private_subnets[0]
   security_group_ids  = [aws_security_group.fsx_sg.id]
-  fsx_admin_password = random_string.fsx_password.result
-  route_table_ids    = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
+  route_table_ids     = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
   tags = {
     Name = var.fsx_name
   }
 }
 #
+# Instantiate an AWS secret for the storage virtual machine. It will set the initial password for the SVM.
+module "svm_rotate_secret" {
+    source = "../DevelopersAdocacy/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    svm_id = aws_fsx_ontap_storage_virtual_machine.ekssvm.id
+}
+#
 # Create a vserver and assign the 'vsadmin' the same password as fsxadmin.
 resource "aws_fsx_ontap_storage_virtual_machine" "ekssvm" {
   file_system_id = aws_fsx_ontap_file_system.eksfs.id
   name           = "ekssvm"
-  svm_admin_password = random_string.fsx_password.result
 }

EKS/FSxN-as-PVC-for-EKS/terraform/outputs.tf

@@ -1,14 +1,21 @@
 output "region" {
-  description = "AWS region"
   value       = var.aws_region
 }
 
 output "fsx-password-secret-name" {
-   value = aws_secretsmanager_secret.fsx_secret_password.name
+   value = module.fsxn_rotate_secret.secret_name
 }
 
 output "fsx-password-secret-arn" {
-  value = aws_secretsmanager_secret_version.fsx_secret_password.arn
+  value = module.fsxn_rotate_secret.secret_arn
+}
+
+output "svm-password-secret-name" {
+  value = module.svm_rotate_secret.secret_name
+}
+
+output "svm-password-secret-arn" {
+  value = module.svm_rotate_secret.secret_arn
 }
 
 output "fsx-svm-name" {

EKS/FSxN-as-PVC-for-EKS/terraform/variables.tf

@@ -1,35 +1,42 @@
 variable "aws_region" {
-  default = "us-west-2"
-  description = "aws region where you want the resources deployed."
+  description = "The AWS region where you want the resources deployed."
+  type        = string
 }
 
 variable "aws_secrets_region" {
-  default     = "us-west-2"
-  description = "The region where you want the FSxN secret stored within AWS Secrets Manager."
+  description = "The AWS region where you want the FSxN and SVM secrets stored within AWS Secrets Manager."
+  type        = string
+}
+
+variable "aws_account_id" {
+  description = "The AWS account ID. Used to create very specific permissions in the IAM role for the EKS cluster."
+  type       = string
 }
 
 variable "fsx_name" {
-  default     = "eksfs"
   description = "The name you want assigned to the FSxN file system."
+  default     = "eksfs"
 }
 
-variable "fsx_password_secret_name" {
+variable "secret_name_prefix" {
+  description = "The base name of the secrets (FSxN and SVM) to create within the AWS Secrets Manager. A random string will be appended to the end of the secreate name to ensure no name conflict."
   default     = "fsx-eks-secret"
-  description = "The base name of the secret to create within the AWS Secrets Manager that will contain the FSxN password. A random string will be appended to the end of the secreate name to ensure no name conflict."
 }
 
 variable "fsxn_storage_capacity" {
-  default = 1024
   description = "The storage capacity, in GiBs, to be allocated to the FSxN clsuter. Must be at least 1024, and less than 196608."
+  type        = number
+  default     = 1024
   validation {
     condition = var.fsxn_storage_capacity >= 1024 && var.fsxn_storage_capacity < 196608
     error_message = "The storage capacity must be at least 1024, and less than 196608."
   }
 }
 
 variable "fsxn_throughput_capacity" {
-  default = 128
   description = "The throughput capacity to be allocated to the FSxN cluster. Must be 128, 256, 512, 1024, 2048, 4096."
+  type        = string   # Set to a string so it can be used in a "contains()" function.
+  default     = 128
   validation {
     condition = contains([128, 256, 512, 1024, 2048, 4096], var.fsxn_throughput_capacity)
     error_message = "The throughput capacity must be 128, 256, 512, 1024, 2048, or 4096."
@@ -38,34 +45,38 @@ variable "fsxn_throughput_capacity" {
 #
 # Keep in mind that key pairs are regional, so pick one that is in the region specified above.
 variable "key_pair_name" {
-  default = "MUST REPLACE WITH YOUR KEY PAIR NAME"
   description = "The key pair to associate with the jump server."
+  default     = "MUST REPLACE WITH YOUR KEY PAIR NAME"
+  type        = string
   validation {
     condition = var.key_pair_name != "MUST REPLACE WITH YOUR KEY PAIR NAME"
     error_message = "You must specify a key pair name."
   }
 }
 
 variable "secure_ips" {
-  default = ["0.0.0.0/0"]
   description = "List of CIDRs that are allowed to ssh into the jump server."
+  default = ["0.0.0.0/0"]
 }
 
 ################################################################################
 # Don't change any variables below this line.
 ################################################################################
 
 variable "trident_version" {
-  default     = "v24.2.0-eksbuild.1"
   description = "The version of Astra Trident to 'add-on' to the EKS cluster."
+  default     = "v24.2.0-eksbuild.1"
+  type        = string
 }
 
 variable "kubernetes_version" {
-  default     = 1.29
   description = "kubernetes version"
+  default     = 1.29
+  type        = string
 }
 
 variable "vpc_cidr" {
-  default     = "10.0.0.0/16"
   description = "default CIDR range of the VPC"
+  default     = "10.0.0.0/16"
+  type        = string
 }

Management-Utilities/fsxn-rotate-secret/README.md

@@ -1,8 +1,9 @@
 # Rotate FSxN File System Passwords
 
 ## Introduction
-This sample provides a way to rotate a Secrets Manager secret that is used to manage FSxN file system.
-It is a Lambda function that is expected to be triggered by the Secrets Manager rotation feature.
+This sample provides a way to rotate a Secrets Manager secret that is used to hold the
+password assigned to an FSxN file system or a FSxN Storage Virtual Machine.
+It is a Lambda function that is expected to be invoked by the Secrets Manager rotation feature.
 The Secrets Manager should invoke the function four times, each time with the `stage` field, in the `event` dictionary passed in, set to one of the following values:
 
 | Stage      | Description |
@@ -28,6 +29,7 @@ relationship with the AWS Lambda service.
 | secretsManager:DescribeSecret | \<secretARN> | \<secretARN> is the AWS ARN of the secret to rotate. |
 | secretsmanager:GetRandomPassword | \* | The scope doesn't matter, since this function doesn't have anything to do with any AWS resources. |
 | fsx:UpdateFileSystem | \<fileSystemARN> | \<fileSystemARN> is the AWS ARN of the FSxN file system to manage. |
+| fsx:UpdateStorageVirtualMachine | \<svmARN> | \<svmARN> is the AWS ARN of the Storage Virtual Machine to manage. |
 | logs:CreateLogGroup | arn:aws:logs:\<region>:\<accountID>:\* | This allows the Lambda function to create a log group in CloudWatch. This is optional but allows you to get diagnostic information from the Lambda function. |
 | logs:CreateLogStream | arn:aws:logs:\<region>:\<accountID>:log-group:/aws/lambda/\<Lambda_function_name>:\* | This allows the Lambda function to create a log stream in CloudWatch. This is optional but allows you to get diagnostic information from the function.|
 | logs:PutLogEvents | arn:aws:logs:\<region>:\<accountID>:log-group:/aws/lambda/\<Lambda_function_name>:\* | This allows the Lambda function to write log events to a log stream in CloudWatch. This is optional but allows you to get diagnostic information from the function.|
@@ -53,11 +55,25 @@ secretsmanager AWS service to invoke the Lambda function. Do that do the followi
 - The principal should already be set to `secretsmanager.amazonaws.com`
 - Set action to `lambda:InvokeFunction`
 
-##### Step 2.4 - Enable Secrets Manager Rotation
-To enable rotation of the secret, you will need to go to the Secrets Manager console and
-select the secret you want to rotate. Click on the "Edit rotation" button and select the
-Lambda function you created above. You can also set the rotation schedule to whatever you
-want. The default is 30 days.
+#### Step 3 - Enable Secrets Manager Rotation
+To enable the rotation of the secret, go will need to the Secrets Manager page of the AWS console
+and click on the secret you want to rotate, then:
+##### Step 3.1 - Set the tags
+The way Lambda function knows which FSxN file system, or which SVM, to update the password on is 
+via the tags associated with the secret. The following are the tags that the program looks for:
+|Tag Key|Tag Value|Description|
+|:------|:--------|:----------|
+|region|\<region\>|The region the FSxN file system resides in.|
+|fsx_id|\<file-System-id\>|The FSxN file system id.|
+|svm_id|\<svm-id\>|The Storage Virtual Machine id.|
+Note that the Lambda function can only manage one password, so either set the value for the `fsx_id` or the `svm_id` tag, both not both.
+:warning: **Warning:** If both the `fsx_id` and `svm_id` tags are set, the `svm_id` tag will be used and the fsx_id will be silently ignored.
+
+##### Step 3.2 - Enable rotation feature
+Click on the Rotation tab and then click on the "Edit rotation" button. That should bring up a 
+pop-up window. Click on the "Automatic rotation" slider to enable the feature and then configure
+the rotation schedule you want. The last step is to
+select the rotation function that you created in the steps above and click on the "Save" button.
 
 ### Terraform Method
 The Terraform module provided in the `terraform` directory can be used to create the Secrets Manager
@@ -128,13 +144,43 @@ Make sure to replace all values within `< >` with your own variables.
 module "fsxn_rotate_secret" {
     source = "github.com/NetApp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
 
-    region = <region>
-    awsAccountId = <aws_account_id>
-    fsxId = <fsx_id>
+    fsx_region = <region>              # The region the FSxN file system resides in.
+    secret_region = <region>           # The region the secret resides in.
+    aws_account_id = <aws_account_id>  # The AWS account id that the FSxN file system resides in.
+    fsx_id = <fsx_id>
+    svm_id = <svm_id>
     secretNamePrefix = "fsx_admin_secret"
+    rotationFrequency = "rate(30 days)"
 }
 ```
-That's all there is to it!
+Note that the Lambda function can only manage one password, so either set the value for the `fsxId` or the `svmId` tag, both not both.
+:warning: **Warning:** If both the `fsxId` and `svmId` tags are set, the `svmId` tag will be used and the fsxId will be silently ignored.
+
+At this point, you can run `terraform init` and `terraform apply` to create the secret that will automatically rotate
+the password for the FSxN file system or SVM.
+
+#### Inputs
+The following are the inputs for the module:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| fsx_region | The region where the FSxN file system resides in. | string | | yes |
+| secret_region | The region where the secret will resides in. | string | | yes |
+| aws_account_id | The AWS account id that the FSxN file system resides in. Used to create roles with least privilege. | string |\*| no |
+| fsx_id | The FSxN file system id. Note that either fsxId or svmId must be provided, but not both | string | | no |
+| svm_id | The Storage Virtual Machine id. Note that either fsxId or svmId must be provided, but not both | string | | no |
+| secret_name_prefix | The prefix to use for the secret name. | string | fsxn-secret | no |
+| rotation_frequency | The frequency to rotate the password in AWS's "rate" or "cron" notation. | string | rate(30 days) | yes |
+
+#### Outputs
+The following are the outputs for the module:
+| Name | Description |
+|------|-------------|
+| secret_arn | The ARN of the secret created. |
+| secret_name | The name of the secret created. |
+| lambda_arn | The ARN of the Lambda function created. |
+| lambda_name | The name of the Lambda function created. |
+| role_arn | The ARN of the IAM role created. |
+| role_name | The name of the IAM role created. |
 
 ## Author Information
 

Management-Utilities/fsxn-rotate-secret/fsxn_rotate_secret.py

@@ -13,7 +13,7 @@
 charactersToExcludeInPassword = '/"\'\\'
 
 ################################################################################
-# THis function is used to get the value of a tag from a list of tags.
+# This function is used to get the value of a tag from a list of tags.
 ################################################################################
 def getTagValue(tags, key):
     for tag in tags:
@@ -67,20 +67,27 @@ def set_secret(secretsClient, arn, token):
 
     password = secretValueResponse['SecretString']
     #
-    # Get the FSx file system ID and region from the secret's tags.
+    # Get the FSx file system ID, SVM ID and region from the secret's tags.
     secretMetadata = secretsClient.describe_secret(SecretId=arn)
     tags = secretMetadata['Tags']
-    fsxId = getTagValue(tags, 'fsxId')
+    fsxId = getTagValue(tags, 'fsx_id')
     fsxRegion = getTagValue(tags, 'region')
-    if fsxId is None or fsxRegion is None:
-        message=f"Unable to retrieve the FSx file system ID ('fsxId') or region ('region') tags from secret {arn}."
+    svmId = getTagValue(tags, 'svm_id')
+    logging.info(f"fsxId={fsxId}, svmId={svmId}, fsxRegion={fsxRegion}")
+
+    if (fsxId is None and svmId is None) or fsxRegion is None:
+        message=f"Error, tags 'fsxId' or 'svmId' and the 'region' have to be set on the secret's ({arn}) resource."
         logger.error(message)
         raise Exception(message)   # Signal to the Secrets Manager that the rotation failed.
     #
-    # Update the FSx file system with the new password.
+    # Update the FSx file system, or SVM, with the new password.
     fsxClient = boto3.client(service_name='fsx', region_name=fsxRegion)
-    fsxClient.update_file_system(OntapConfiguration={"FsxAdminPassword": password}, FileSystemId=fsxId)
-    logger.info(f"Successfully set the FSxN ({fsxId}) password to secret stored in {arn} with a VersionStage = 'AWSPENDING'.")
+    if svmId is None or svmId == "":
+        fsxClient.update_file_system(OntapConfiguration={"FsxAdminPassword": password}, FileSystemId=fsxId)
+        logger.info(f"Successfully set the FSxN ({fsxId}) password to secret stored in {arn} with a VersionStage = 'AWSPENDING'.")
+    else:
+        fsxClient.update_storage_virtual_machine(StorageVirtualMachineId=svmId, SvmAdminPassword=password)
+        logger.info(f"Successfully set the SVM ({svmId}) password to secret stored in {arn} with a VersionStage = 'AWSPENDING'.")
 
 ################################################################################
 # Usually this function would be used to test that the service has been updated
@@ -142,7 +149,7 @@ def lambda_handler(event, context):
     # Set the logging level higher for these noisy modules to mute thier messages.
     logging.getLogger("boto3").setLevel(logging.WARNING)
     logging.getLogger("botocore").setLevel(logging.WARNING)
-    
+
     logger.info(f'arn={arn}, token={token}, step={step}.')
     #
     # Create a client to the secrets manager service.

Management-Utilities/fsxn-rotate-secret/terraform/fsxn_rotate_secret.py

@@ -0,0 +1 @@
+../fsxn_rotate_secret.py