-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(DMVP-3754): Moved external-secret-store and onepassword-to-secre…
…t-manager modules to this repo
- Loading branch information
1 parent
5588111
commit 94df9e5
Showing
15 changed files
with
420 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # How to use | ||
|
|
||
| ``` | ||
| module "secret-store" { | ||
| source = "dasmeta/external-secrets/any//modules/external-secret-store" | ||
| name = "store-name" | ||
| } | ||
| ``` | ||
|
|
||
| This is going to create AWS IAM User and restric access to Secret Manager keys starting with store-name (e.g. store-name-\*). | ||
| Any secret created in Secret Manager matching the prefix can be requested via that External Secret Store and be populated as a Secret. | ||
|
|
||
| <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
| ## Requirements | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 | | ||
| | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.7.0 | | ||
|
|
||
| ## Providers | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a | | ||
| | <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 1.7.0 | | ||
| | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a | | ||
|
|
||
| ## Modules | ||
|
|
||
| | Name | Source | Version | | ||
| |------|--------|---------| | ||
| | <a name="module_iam-user"></a> [iam-user](#module\_iam-user) | terraform-aws-modules/iam/aws//modules/iam-user | 4.6.0 | | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | Type | | ||
| |------|------| | ||
| | [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
| | [aws_iam_user_policy_attachment.test-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource | | ||
| | [kubectl_manifest.main](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | ||
| | [kubernetes_secret.store-secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | | ||
| | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | ||
| | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-------------|------|---------|:--------:| | ||
| | <a name="input_aws_access_key_id"></a> [aws\_access\_key\_id](#input\_aws\_access\_key\_id) | The key store will be using to pull secrets from AWS Secret Manager. | `string` | `""` | no | | ||
| | <a name="input_aws_access_secret"></a> [aws\_access\_secret](#input\_aws\_access\_secret) | The secret store will be using to pull secrets from AWS Secret Manager. | `string` | `""` | no | | ||
| | <a name="input_aws_role_arn"></a> [aws\_role\_arn](#input\_aws\_role\_arn) | Role ARN used to pull secrets from Secret Manager. | `string` | `""` | no | | ||
| | <a name="input_controller"></a> [controller](#input\_controller) | Not sure what is this for yet. | `string` | `"dev"` | no | | ||
| | <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Create IAM user to read credentials or aws\_access\_key\_id / aws\_access\_secret combination should be used. | `bool` | `true` | no | | ||
| | <a name="input_name"></a> [name](#input\_name) | Secret store name. | `string` | n/a | yes | | ||
| | <a name="input_namespace"></a> [namespace](#input\_namespace) | n/a | `string` | `"default"` | no | | ||
| | <a name="input_prefix"></a> [prefix](#input\_prefix) | This value is going be used as uniq prefix for secret store AWS resources like iam policy/user as for multi region setups we having collision | `string` | `""` | no | | ||
|
|
||
| ## Outputs | ||
|
|
||
| No outputs. | ||
| <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| data "aws_caller_identity" "current" {} | ||
| data "aws_region" "current" {} | ||
|
|
||
| resource "aws_iam_policy" "policy" { | ||
| count = var.create_user ? 1 : 0 | ||
|
|
||
| name = "${var.prefix}external-secrets-access-policy-for-store-${local.sanitized-name}" | ||
| path = "/" | ||
| description = "Policy gives external secrets store access to ${var.name}* secrets" | ||
|
|
||
| policy = jsonencode({ | ||
| "Version" : "2012-10-17", | ||
| "Statement" : [ | ||
| { | ||
| "Effect" : "Allow", | ||
| "Action" : [ | ||
| "secretsmanager:GetResourcePolicy", | ||
| "secretsmanager:GetSecretValue", | ||
| "secretsmanager:DescribeSecret", | ||
| "secretsmanager:ListSecretVersionIds" | ||
| ], | ||
| "Resource" : [ | ||
| "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.name}*", | ||
| ] | ||
| } | ||
| ] | ||
| }) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| module "iam-user" { | ||
| source = "terraform-aws-modules/iam/aws//modules/iam-user" | ||
| version = "4.6.0" | ||
|
|
||
| name = "${var.prefix}${local.sanitized-name}-secret-manager" | ||
| count = var.create_user ? 1 : 0 | ||
|
|
||
| create_iam_access_key = true | ||
| create_user = true | ||
| create_iam_user_login_profile = false | ||
| upload_iam_user_ssh_key = false | ||
| } | ||
|
|
||
| resource "aws_iam_user_policy_attachment" "test-attach" { | ||
| count = var.create_user ? 1 : 0 | ||
|
|
||
| user = module.iam-user[0].iam_user_name | ||
| policy_arn = aws_iam_policy.policy[0].arn | ||
|
|
||
| depends_on = [ | ||
| module.iam-user | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| locals { | ||
| sanitized-name = replace(var.name, "/", "-") | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| terraform { | ||
| required_version = ">= 0.13" | ||
|
|
||
| required_providers { | ||
| kubectl = { | ||
| source = "gavinbunney/kubectl" | ||
| version = ">= 1.7.0" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: external-secrets.io/v1alpha1 | ||
| kind: SecretStore | ||
| metadata: | ||
| name: ${name} | ||
| namespace: ${namespace} | ||
| spec: | ||
| provider: | ||
| aws: | ||
| service: SecretsManager | ||
| region: ${region} | ||
| auth: | ||
| secretRef: | ||
| accessKeyIDSecretRef: | ||
| name: ${name}-awssm-secret | ||
| key: access-key | ||
| secretAccessKeySecretRef: | ||
| name: ${name}-awssm-secret | ||
| key: secret-access-key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| resource "kubernetes_secret" "store-secret" { | ||
| metadata { | ||
| name = "${local.sanitized-name}-awssm-secret" | ||
| namespace = var.namespace | ||
| } | ||
|
|
||
| data = { | ||
| access-key = var.create_user ? module.iam-user[0].iam_access_key_id : var.aws_access_key_id | ||
| secret-access-key = var.create_user ? module.iam-user[0].iam_access_key_secret : var.aws_access_secret | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| resource "kubectl_manifest" "main" { | ||
| yaml_body = templatefile("${path.module}/secret-store.tmpl", { | ||
| name = local.sanitized-name | ||
| namespace = var.namespace | ||
| region = data.aws_region.current.name | ||
| controller = var.controller | ||
| }) | ||
|
|
||
| depends_on = [ | ||
| module.iam-user | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| variable "name" { | ||
| type = string | ||
| description = "Secret store name." | ||
| } | ||
|
|
||
| variable "controller" { | ||
| type = string | ||
| default = "dev" | ||
| description = "Not sure what is this for yet." | ||
| } | ||
|
|
||
| variable "aws_access_key_id" { | ||
| type = string | ||
| default = "" | ||
| description = "The key store will be using to pull secrets from AWS Secret Manager." | ||
| } | ||
|
|
||
| variable "aws_access_secret" { | ||
| type = string | ||
| default = "" | ||
| description = "The secret store will be using to pull secrets from AWS Secret Manager." | ||
| } | ||
|
|
||
| variable "aws_role_arn" { | ||
| type = string | ||
| default = "" | ||
| description = "Role ARN used to pull secrets from Secret Manager." | ||
| } | ||
|
|
||
| variable "create_user" { | ||
| type = bool | ||
| default = true | ||
| description = "Create IAM user to read credentials or aws_access_key_id / aws_access_secret combination should be used." | ||
| } | ||
|
|
||
| variable "namespace" { | ||
| type = string | ||
| default = "default" | ||
| } | ||
|
|
||
| variable "prefix" { | ||
| type = string | ||
| default = "" | ||
| description = "This value is going be used as uniq prefix for secret store AWS resources like iam policy/user as for multi region setups we having collision" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| ### Use module when you want integrate 1password to AWS Secret manager | ||
| ### The module pull 1password items credential and will create new secrets in AWS | ||
|
|
||
| ## Pre Required | ||
|
|
||
| Install op-cli https://1password.com/downloads/command-line/ | ||
|
|
||
| ## Usage | ||
|
|
||
|
|
||
| ``` | ||
| module "onepassword_to_secret_manager" { | ||
| source = "dasmeta/shared/any//modules/onepassword_to_secret_manager" | ||
| op_email = "devops@dasmeta.com" | ||
| op_password = "************" | ||
| op_secret_key = "A3-**********" | ||
| aws_secret_name = "secret_name" | ||
| data = [ | ||
| { | ||
| op_vault_name = "test" | ||
| op_item = "test-password" | ||
| // Secret key in secret manager | ||
| secret_key = "test" | ||
| }, | ||
| { | ||
| op_vault_name = "test" | ||
| op_item = "test2" | ||
| // Secret key in secret manager | ||
| secret_key = "test2" | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
| <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
| ## Requirements | ||
|
|
||
| No requirements. | ||
|
|
||
| ## Providers | ||
|
|
||
| No providers. | ||
|
|
||
| ## Modules | ||
|
|
||
| | Name | Source | Version | | ||
| |------|--------|---------| | ||
| | <a name="module_onepass"></a> [onepass](#module\_onepass) | dasmeta/shared/any//modules/onepassword | n/a | | ||
| | <a name="module_secret"></a> [secret](#module\_secret) | dasmeta/modules/aws//modules/secret | n/a | | ||
|
|
||
| ## Resources | ||
|
|
||
| No resources. | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-------------|------|---------|:--------:| | ||
| | <a name="input_aws_secret_name"></a> [aws\_secret\_name](#input\_aws\_secret\_name) | AWS Secret name | `string` | n/a | yes | | ||
| | <a name="input_data"></a> [data](#input\_data) | OnePassword vault name and item name object. The Item should be in Vault | `list(any)` | <pre>[<br> {<br> "op_item": "test-password",<br> "op_vault_name": "test",<br> "secret_key": "test"<br> }<br>]</pre> | no | | ||
| | <a name="input_op_account_address"></a> [op\_account\_address](#input\_op\_account\_address) | OnePassword account address | `string` | `"https://my.1password.com"` | no | | ||
| | <a name="input_op_email"></a> [op\_email](#input\_op\_email) | OnePassword user email | `string` | n/a | yes | | ||
| | <a name="input_op_password"></a> [op\_password](#input\_op\_password) | OnePassword user password | `string` | n/a | yes | | ||
| | <a name="input_op_secret_key"></a> [op\_secret\_key](#input\_op\_secret\_key) | OnePassword user secret key | `string` | n/a | yes | | ||
|
|
||
| ## Outputs | ||
|
|
||
| No outputs. | ||
| <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
16 changes: 16 additions & 0 deletions
16
modules/onepassword-to-secret-manager/examples/to-aws/0-setup.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| terraform { | ||
| required_providers { | ||
| test = { | ||
| source = "terraform.io/builtin/test" | ||
| } | ||
|
|
||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 4.33" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws" { | ||
| region = "eu-central-1" | ||
| } |
30 changes: 30 additions & 0 deletions
30
modules/onepassword-to-secret-manager/examples/to-aws/1-example.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| module "onepassword_to_secret_manager" { | ||
| source = "../../" | ||
|
|
||
| op_email = "devops@dasmeta.com" | ||
| op_password = "************" | ||
| op_secret_key = "A3-**********" | ||
|
|
||
| aws_secret_name = "secret_name" | ||
|
|
||
| data = [ | ||
| { | ||
| op_vault_name = "test" | ||
| op_item = "test-password" | ||
| // Secret key in secret manager | ||
| secret_key = "test" | ||
|
|
||
| // By default module use password type , but you use 1password categories (https://support.1password.com/item-categories/) | ||
| op_item_type = "password" | ||
| }, | ||
| { | ||
| op_vault_name = "test" | ||
| op_item = "test2" | ||
| // Secret key in secret manager | ||
| secret_key = "test2" | ||
|
|
||
| // By default module use password type , but you use 1password categories (https://support.1password.com/item-categories/) | ||
| op_item_type = "password" | ||
| } | ||
| ] | ||
| } |
31 changes: 31 additions & 0 deletions
31
modules/onepassword-to-secret-manager/examples/to-aws/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # to-aws | ||
|
|
||
| <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
| ## Requirements | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.33 | | ||
|
|
||
| ## Providers | ||
|
|
||
| No providers. | ||
|
|
||
| ## Modules | ||
|
|
||
| | Name | Source | Version | | ||
| |------|--------|---------| | ||
| | <a name="module_onepassword_to_secret_manager"></a> [onepassword\_to\_secret\_manager](#module\_onepassword\_to\_secret\_manager) | ../../ | n/a | | ||
|
|
||
| ## Resources | ||
|
|
||
| No resources. | ||
|
|
||
| ## Inputs | ||
|
|
||
| No inputs. | ||
|
|
||
| ## Outputs | ||
|
|
||
| No outputs. | ||
| <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| locals { | ||
| value = { for k, item in var.data : item.secret_key => module.onepass.pass[k] } | ||
| } | ||
|
|
||
|
|
||
| module "onepass" { | ||
| source = "dasmeta/shared/any//modules/onepassword" | ||
|
|
||
| op_email = var.op_email | ||
| op_password = var.op_password | ||
| op_secret_key = var.op_secret_key | ||
|
|
||
| data = var.data | ||
| } | ||
|
|
||
| module "secret" { | ||
| source = "dasmeta/modules/aws//modules/secret" | ||
|
|
||
| name = var.aws_secret_name | ||
| value = local.value | ||
| } |
Oops, something went wrong.