feat: Add variable for adding statement for secretsmanager:CreateSecret (#414)

aschaber1 · bryantbiggs · web-flow · commit 24996cd44357 · 2023-08-23T09:05:48.000-04:00
* feat: Add variable for adding statement for `secretsmanager:CreateSecret`

* fix: Update wrappers to pass CI checks

---------

Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.81.0
+    rev: v1.82.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -155,11 +155,12 @@ module "external_dns_irsa_role" {
 module "external_secrets_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name                             = "external-secrets"
-  attach_external_secrets_policy        = true
-  external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:*:*:parameter/foo"]
-  external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
-  external_secrets_kms_key_arns         = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
+  role_name                                          = "external-secrets"
+  attach_external_secrets_policy                     = true
+  external_secrets_ssm_parameter_arns                = ["arn:aws:ssm:*:*:parameter/foo"]
+  external_secrets_secrets_manager_arns              = ["arn:aws:secretsmanager:*:*:secret:bar"]
+  external_secrets_kms_key_arns                      = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
+  external_secrets_secrets_manager_create_permission = false
 
   oidc_providers = {
     ex = {
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
@@ -211,6 +211,7 @@ No modules.
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | <pre>[<br>  "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
+| <a name="input_external_secrets_secrets_manager_create_permission"></a> [external\_secrets\_secrets\_manager\_create\_permission](#input\_external\_secrets\_secrets\_manager\_create\_permission) | Determins whether External Secrets may use secretsmanager:CreateSecret | `bool` | `false` | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
 | <a name="input_fsx_lustre_csi_service_role_arns"></a> [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` | <pre>[<br>  "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"<br>]</pre> | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -506,6 +506,16 @@ data "aws_iam_policy_document" "external_secrets" {
     ]
     resources = var.external_secrets_kms_key_arns
   }
+
+  dynamic "statement" {
+    for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
+    content {
+      actions = [
+        "secretsmanager:CreateSecret"
+      ]
+      resources = var.external_secrets_secrets_manager_arns
+    }
+  }
 }
 
 resource "aws_iam_policy" "external_secrets" {
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -183,6 +183,12 @@ variable "external_secrets_kms_key_arns" {
   default     = ["arn:aws:kms:*:*:key/*"]
 }
 
+variable "external_secrets_secrets_manager_create_permission" {
+  description = "Determins whether External Secrets may use secretsmanager:CreateSecret"
+  type        = bool
+  default     = false
+}
+
 # FSx Lustre CSI
 variable "attach_fsx_lustre_csi_policy" {
   description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"
diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf
@@ -32,6 +32,7 @@ module "wrapper" {
   external_secrets_ssm_parameter_arns                             = try(each.value.external_secrets_ssm_parameter_arns, var.defaults.external_secrets_ssm_parameter_arns, ["arn:aws:ssm:*:*:parameter/*"])
   external_secrets_secrets_manager_arns                           = try(each.value.external_secrets_secrets_manager_arns, var.defaults.external_secrets_secrets_manager_arns, ["arn:aws:secretsmanager:*:*:secret:*"])
   external_secrets_kms_key_arns                                   = try(each.value.external_secrets_kms_key_arns, var.defaults.external_secrets_kms_key_arns, ["arn:aws:kms:*:*:key/*"])
+  external_secrets_secrets_manager_create_permission              = try(each.value.external_secrets_secrets_manager_create_permission, var.defaults.external_secrets_secrets_manager_create_permission, false)
   attach_fsx_lustre_csi_policy                                    = try(each.value.attach_fsx_lustre_csi_policy, var.defaults.attach_fsx_lustre_csi_policy, false)
   fsx_lustre_csi_service_role_arns                                = try(each.value.fsx_lustre_csi_service_role_arns, var.defaults.fsx_lustre_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"])
   attach_karpenter_controller_policy                              = try(each.value.attach_karpenter_controller_policy, var.defaults.attach_karpenter_controller_policy, false)

Original file line number	Diff line number	Diff line change
`@@ -506,6 +506,16 @@ data "aws_iam_policy_document" "external_secrets" {`
`506`	`506`	`]`
`507`	`507`	`resources = var.external_secrets_kms_key_arns`
`508`	`508`	`}`
	`509`	`+`
	`510`	`+ dynamic "statement" {`
	`511`	`+ for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []`
	`512`	`+ content {`
	`513`	`+ actions = [`
	`514`	`+ "secretsmanager:CreateSecret"`
	`515`	`+ ]`
	`516`	`+ resources = var.external_secrets_secrets_manager_arns`
	`517`	`+ }`
	`518`	`+ }`
`509`	`519`	`}`
`510`	`520`
`511`	`521`	`resource "aws_iam_policy" "external_secrets" {`