feat: Add support for AWS Secrets Manager (#151)

wandb · Nov 13, 2023 · aa64eb1 · aa64eb1
1 parent 837f127
commit aa64eb1
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 1 deletion.
diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf
@@ -87,6 +87,10 @@ module "wandb_app" {
   # If we dont wait, tf will start trying to deploy while the work group is
   # still spinning up
   depends_on = [module.wandb_infra]
+
+  other_wandb_env = merge({
+    "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = "aws-secretmanager://${var.namespace}?namespace=${var.namespace}"
+  }, var.other_wandb_env)
 }
 
 output "bucket_name" {

diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf
@@ -83,3 +83,9 @@ variable "allowed_inbound_ipv6_cidr" {
   nullable = false
   type     = list(string)
 }
+
+variable "other_wandb_env" {
+  type        = map(string)
+  description = "Extra environment variables for W&B"
+  default     = {}
+}
diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf
@@ -37,4 +37,9 @@ resource "aws_iam_policy" "node_s3" {
   lifecycle {
     create_before_destroy = false
   }
-}
+}
+
+resource "aws_iam_policy" "secrets_manager" {
+  name   = "${var.namespace}-secrets-manager"
+  policy = data.aws_iam_policy_document.secrets_manager.json
+}
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
@@ -57,3 +57,18 @@ data "aws_iam_policy_document" "node_s3" {
     ]
   }
 }
+
+data "aws_iam_policy_document" "secrets_manager" {
+  statement {
+    actions = [
+      "secretsmanager:CreateSecret",
+      "secretsmanager:UpdateSecret",
+      "secretsmanager:DeleteSecret",
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DeleteSecretVersion"
+    ]
+    effect  = "Allow"
+    resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}*"]
+  }
+}
diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf
@@ -42,3 +42,8 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" {
   role       = aws_iam_role.node.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
+
+resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
+  role       = aws_iam_role.node.name
+  policy_arn = aws_iam_policy.secrets_manager.arn
+}
diff --git a/variables.tf b/variables.tf
@@ -331,3 +331,4 @@ variable "elasticache_node_type" {
 #   type        = string
 #   description = "Weights & Biases license key."
 # }
+
Original file line number	Diff line number	Diff line change
Expand Up		@@ -331,3 +331,4 @@ variable "elasticache_node_type" {
		# type = string
		# description = "Weights & Biases license key."
		# }