secrets.tf
99 lines (84 loc) · 2.74 KB
resource "aws_secretsmanager_secret" "kubeconfig_secret" {
  # Secrets Manager entry holding the cluster kubeconfig. Only metadata is
  # declared here; the value comes from aws_secretsmanager_secret_version
  # and, at runtime, from whoever the secret policy lets write it.
  description = "Kubeconfig k8s. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
  name        = local.kubeconfig_secret_name

  # No kms_key_id is set, so the AWS-managed Secrets Manager key is used.
  # NOTE(review): confirm a customer-managed key is not required for this data.
  tags = merge(local.global_tags, { "Name" = lower(local.kubeconfig_secret_name) })
}
resource "aws_secretsmanager_secret" "kubeadm_ca" {
  # Secrets Manager entry for the kubeadm CA material. Metadata only; the
  # initial value is set by aws_secretsmanager_secret_version below.
  description = "Kubeadm CA. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
  name        = local.kubeadm_ca_secret_name

  # No kms_key_id is set, so the AWS-managed Secrets Manager key is used.
  # NOTE(review): CA private material usually warrants a customer-managed key — confirm.
  tags = merge(local.global_tags, { "Name" = lower(local.kubeadm_ca_secret_name) })
}
resource "aws_secretsmanager_secret" "kubeadm_token" {
  # Secrets Manager entry for the kubeadm bootstrap token. Metadata only;
  # the initial value is set by aws_secretsmanager_secret_version below.
  description = "Kubeadm token. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
  name        = local.kubeadm_token_secret_name

  # No kms_key_id is set, so the AWS-managed Secrets Manager key is used.
  tags = merge(local.global_tags, { "Name" = lower(local.kubeadm_token_secret_name) })
}
resource "aws_secretsmanager_secret" "kubeadm_cert" {
  # Secrets Manager entry for the kubeadm certificate. Metadata only; the
  # initial value is set by aws_secretsmanager_secret_version below.
  description = "Kubeadm cert. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
  name        = local.kubeadm_cert_secret_name

  # No kms_key_id is set, so the AWS-managed Secrets Manager key is used.
  tags = merge(local.global_tags, { "Name" = lower(local.kubeadm_cert_secret_name) })
}
# secret default values
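resource "aws_secretsmanager_secret_version" "kubeconfig_secret_default" {
  # Bootstraps the kubeconfig secret with a placeholder so it is never empty.
  # The real value is expected to be written out of band via PutSecretValue,
  # which the secret policy in this file grants to aws_iam_role.k8s_iam_role.
  secret_id     = aws_secretsmanager_secret.kubeconfig_secret.id
  secret_string = var.default_secret_placeholder

  lifecycle {
    # secret_string forces a new version and a new version becomes AWSCURRENT,
    # so any later change to var.default_secret_placeholder would overwrite
    # the live kubeconfig with the placeholder. Ignore it after creation.
    # NOTE(review): Secrets Manager removes versions that lose all staging
    # labels; if that happens Terraform would recreate the placeholder as
    # AWSCURRENT — confirm the bootstrap flow tolerates that.
    ignore_changes = [secret_string]
  }
}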
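resource "aws_secretsmanager_secret_version" "kubeadm_ca_default" {
  # Bootstraps the kubeadm CA secret with a placeholder so it is never empty.
  # The real value is presumably written out of band later (no policy for
  # this secret is visible in this file).
  secret_id     = aws_secretsmanager_secret.kubeadm_ca.id
  secret_string = var.default_secret_placeholder

  lifecycle {
    # secret_string forces a new version and a new version becomes AWSCURRENT,
    # so any later change to var.default_secret_placeholder would overwrite
    # the live CA material with the placeholder. Ignore it after creation.
    # NOTE(review): Secrets Manager removes versions that lose all staging
    # labels; if that happens Terraform would recreate the placeholder as
    # AWSCURRENT — confirm the bootstrap flow tolerates that.
    ignore_changes = [secret_string]
  }
}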
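resource "aws_secretsmanager_secret_version" "kubeadm_token_default" {
  # Bootstraps the kubeadm token secret with a placeholder so it is never
  # empty. The real value is presumably written out of band later (no policy
  # for this secret is visible in this file).
  secret_id     = aws_secretsmanager_secret.kubeadm_token.id
  secret_string = var.default_secret_placeholder

  lifecycle {
    # secret_string forces a new version and a new version becomes AWSCURRENT,
    # so any later change to var.default_secret_placeholder would overwrite
    # the live token with the placeholder. Ignore it after creation.
    # NOTE(review): Secrets Manager removes versions that lose all staging
    # labels; if that happens Terraform would recreate the placeholder as
    # AWSCURRENT — confirm the bootstrap flow tolerates that.
    ignore_changes = [secret_string]
  }
}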
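resource "aws_secretsmanager_secret_version" "kubeadm_cert_default" {
  # Bootstraps the kubeadm cert secret with a placeholder so it is never
  # empty. The real value is presumably written out of band later (no policy
  # for this secret is visible in this file).
  secret_id     = aws_secretsmanager_secret.kubeadm_cert.id
  secret_string = var.default_secret_placeholder

  lifecycle {
    # secret_string forces a new version and a new version becomes AWSCURRENT,
    # so any later change to var.default_secret_placeholder would overwrite
    # the live certificate with the placeholder. Ignore it after creation.
    # NOTE(review): Secrets Manager removes versions that lose all staging
    # labels; if that happens Terraform would recreate the placeholder as
    # AWSCURRENT — confirm the bootstrap flow tolerates that.
    ignore_changes = [secret_string]
  }
}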
# Secret Policies
resource "aws_secretsmanager_secret_policy" "kubeconfig_secret_policy" {
  # Resource-based policy on the kubeconfig secret granting
  # aws_iam_role.k8s_iam_role read/write access. It is an allow-list for
  # that single role only: it does not restrict other principals whose
  # identity policies already permit access to this secret.
  secret_arn = aws_secretsmanager_secret.kubeconfig_secret.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.k8s_iam_role.arn }
      # NOTE(review): ListSecrets is not resource-scoped and CreateSecret
      # cannot apply to an already-existing secret, so both are likely
      # no-ops when granted against this one ARN — confirm and consider
      # dropping them. DeleteSecret lets the role delete the cluster
      # kubeconfig; confirm the role actually needs it.
      Action = [
        "secretsmanager:GetSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecrets",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue",
      ]
      Resource = [aws_secretsmanager_secret.kubeconfig_secret.arn]
    }]
  })
}