kubernetes-secret.tf
# Reads the registry username from SSM Parameter Store for every entry of
# var.registry_credentials whose secrets_store is "ssm". For those entries
# docker_username holds the SSM parameter *name*, not the username itself.
#
# NOTE(review): the value read here is kept in Terraform state like any other
# data source result, so the state backend should be encrypted and
# access-controlled.
data "aws_ssm_parameter" "regcred_username" {
  # Keyed "<name>-<namespace>"; kubernetes_secret.regcred indexes this data
  # source with the same key, so the two expressions must stay in sync.
  for_each = {
    for cred in var.registry_credentials :
    "${cred.name}-${cred.namespace}" => cred
    if cred.secrets_store == "ssm"
  }

  name = each.value.docker_username
}
# Reads the registry password from SSM Parameter Store for every entry of
# var.registry_credentials whose secrets_store is "ssm". For those entries
# docker_password holds the SSM parameter *name*, not the password itself.
#
# NOTE(review): with_decryption is not set, so the provider default applies
# (decrypt SecureString values). The decrypted password is therefore written
# to Terraform state; restrict and encrypt the state backend accordingly.
data "aws_ssm_parameter" "regcred_password" {
  # Keyed "<name>-<namespace>"; kubernetes_secret.regcred indexes this data
  # source with the same key, so the two expressions must stay in sync.
  for_each = {
    for cred in var.registry_credentials :
    "${cred.name}-${cred.namespace}" => cred
    if cred.secrets_store == "ssm"
  }

  name = each.value.docker_password
}
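# Creates one image-pull secret (type kubernetes.io/dockerconfigjson) per entry
# of var.registry_credentials, keyed "<name>-<namespace>".
#
# Credential source per entry:
#   - secrets_store == "ssm": docker_username / docker_password are SSM
#     parameter names and the real values come from the aws_ssm_parameter
#     data sources regcred_username / regcred_password.
#   - anything else: docker_username / docker_password are used literally,
#     which means the plaintext credentials live in the Terraform variables
#     (tfvars, CI environment, plan files).
#
# NOTE(review): sensitive() only redacts the value in plan/apply output. The
# rendered .dockerconfigjson is still stored in Terraform state, so the state
# backend must be encrypted and access-restricted in either mode.
resource "kubernetes_secret" "regcred" {
  for_each = { for regcred in var.registry_credentials : "${regcred.name}-${regcred.namespace}" => regcred }

  metadata {
    name      = each.value.name
    namespace = each.value.namespace
  }

  type = "kubernetes.io/dockerconfigjson"

  data = {
    ".dockerconfigjson" = sensitive(jsonencode({
      auths = {
        "${each.value.docker_server}" = {
          # each.key is "<name>-<namespace>", the same key the SSM data
          # sources are built with, so it indexes them directly.
          "username" = each.value.secrets_store != "ssm" ? each.value.docker_username : data.aws_ssm_parameter.regcred_username[each.key].value
          "password" = each.value.secrets_store != "ssm" ? each.value.docker_password : data.aws_ssm_parameter.regcred_password[each.key].value
          "email"    = each.value.docker_email
          # "auth" is base64("<username>:<password>") and must be derived from
          # the same attributes as the "username"/"password" fields above.
          # The non-SSM branch reads docker_username (not "username"), which
          # is the attribute every other reference in this file uses.
          "auth" = base64encode("${each.value.secrets_store != "ssm" ? each.value.docker_username : data.aws_ssm_parameter.regcred_username[each.key].value}:${each.value.secrets_store != "ssm" ? each.value.docker_password : data.aws_ssm_parameter.regcred_password[each.key].value}")
        }
      }
    }))
  }
}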