Initial commit

Author: goruha

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-eks-external-secrets-operator
+  description: This component (ESO) is used to create an external `SecretStore` configured to synchronize secrets from AWS SSM Parameter store as Kubernetes Secrets within the cluster
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

CHANGELOG.md

@@ -0,0 +1,7 @@
+## Components PR [[eks/external-secrets-operator] Set default chart](https://github.com/cloudposse/terraform-aws-components/pull/856)
+
+This is a bug fix and feature enhancement update. No actions necessary to upgrade.
+
+## Fixes
+
+- Set default chart

README.yaml

@@ -0,0 +1,17 @@
+locals {
+  # If you have custom policy statements, override this declaration by creating
+  # a file called `additional-iam-policy-statements_override.tf`.
+  # Then add the custom policy statements to the overridable_additional_iam_policy_statements in that file.
+  overridable_additional_iam_policy_statements = [
+    #  {
+    #    sid    = "UseKMS"
+    #    effect = "Allow"
+    #    actions = [
+    #      "kms:Decrypt"
+    #    ]
+    #    resources = [
+    #      "*"
+    #    ]
+    #  }
+  ]
+}

src/additional-iam-policy-statements.tf

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

src/charts/external-ssm-secrets/.helmignore

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: external-ssm-secrets
+description: This Chart handles deploying custom resource definitions needed to access SSM via  external-secrets-operator
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

src/charts/external-ssm-secrets/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: "secret-store-parameter-store"
+spec:
+  provider:
+    aws:
+      service: ParameterStore
+      region: {{ .Values.region }}
+      role: {{ .Values.role }} # role is created via helm-release; see `service_account_set_key_path`

src/charts/external-ssm-secrets/templates/ssm-secret-store.yaml

@@ -0,0 +1,24 @@
+# example to fetch all secrets underneath the `/app/` prefix (service).
+# Keys are rewritten within the K8S Secret to be predictable and omit the
+# prefix.
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: app-secrets
+spec:
+  refreshInterval: 30s
+  secretStoreRef:
+    name: "secret-store-parameter-store" # Must match name of the Cluster Secret Store created by this component
+    kind: ClusterSecretStore
+  target:
+    creationPolicy: Owner
+    name: app-secrets
+  dataFrom:
+  - find:
+      name:
+        regexp: "^/app/" # Match the path prefix of your service
+    rewrite:
+    - regexp:
+        source: "/app/(.*)" # Remove the path prefix of your service from the name before creating the envars
+        target: "$1"

src/examples/app-secrets.yaml

@@ -0,0 +1,18 @@
+# example to fetch a single secret from our Parameter Store `SecretStore`
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: single-secret
+spec:
+  refreshInterval: 30s
+  secretStoreRef:
+    name: "secret-store-parameter-store" # Must match name of the Cluster Secret Store created by this component
+    kind: ClusterSecretStore
+  target:
+    creationPolicy: Owner
+    name: single-secret
+  data:
+  - secretKey: good_secret
+    remoteRef:
+      key: /app/good_secret

src/examples/external-secrets.yaml

@@ -0,0 +1,71 @@
+variable "kubernetes_namespace" {
+  type        = string
+  description = "The namespace to install the release into."
+}
+
+variable "chart_description" {
+  type        = string
+  description = "Set release description attribute (visible in the history)."
+  default     = "External Secrets Operator is a Kubernetes operator that integrates external secret management systems including AWS SSM, Parameter Store, Hasicorp Vault, 1Password Secrets Automation, etc. It reads values from external vaults and injects values as a Kubernetes Secret"
+}
+
+variable "chart_repository" {
+  type        = string
+  description = "Repository URL where to locate the requested chart."
+  default     = "https://charts.external-secrets.io"
+}
+
+variable "chart" {
+  type        = string
+  description = "Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `<repository>/<chart>` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended."
+  default     = "external-secrets"
+}
+
+variable "chart_version" {
+  type        = string
+  description = "Specify the exact chart version to install. If this is not specified, the latest version is installed."
+  default     = "0.6.0-rc1"
+  # using RC to address this bug https://github.com/external-secrets/external-secrets/issues/1511
+}
+
+variable "chart_values" {
+  type        = any
+  description = "Additional values to yamlencode as `helm_release` values."
+  default     = {}
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Create the Kubernetes namespace if it does not yet exist"
+  default     = null
+}
+
+variable "verify" {
+  type        = bool
+  description = "Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart"
+  default     = false
+}
+
+variable "wait" {
+  type        = bool
+  description = "Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`."
+  default     = true
+}
+
+variable "atomic" {
+  type        = bool
+  description = "If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used."
+  default     = true
+}
+
+variable "cleanup_on_fail" {
+  type        = bool
+  description = "Allow deletion of new resources created in this upgrade when upgrade fails."
+  default     = true
+}
+
+variable "timeout" {
+  type        = number
+  description = "Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds"
+  default     = null
+}