From aa64eb146622132d9b70083094b3c60a728e6038 Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Mon, 13 Nov 2023 12:13:23 -0500 Subject: [PATCH] feat: Add support for AWS Secrets Manager (#151) --- examples/public-dns-external/main.tf | 4 ++++ examples/public-dns-external/variables.tf | 6 ++++++ modules/app_eks/iam-policies.tf | 7 ++++++- modules/app_eks/iam-policy-docs.tf | 15 +++++++++++++++ modules/app_eks/iam-role-attachments.tf | 5 +++++ variables.tf | 1 + 6 files changed, 37 insertions(+), 1 deletion(-) diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 72588184..a6b3b6c2 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf @@ -87,6 +87,10 @@ module "wandb_app" { # If we dont wait, tf will start trying to deploy while the work group is # still spinning up depends_on = [module.wandb_infra] + + other_wandb_env = merge({ + "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = "aws-secretmanager://${var.namespace}?namespace=${var.namespace}" + }, var.other_wandb_env) } output "bucket_name" { diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index c88dc631..e0712159 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -83,3 +83,9 @@ variable "allowed_inbound_ipv6_cidr" { nullable = false type = list(string) } + +variable "other_wandb_env" { + type = map(string) + description = "Extra environment variables for W&B" + default = {} +} diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf index f0a62b1c..6b0b11c6 100644 --- a/modules/app_eks/iam-policies.tf +++ b/modules/app_eks/iam-policies.tf @@ -37,4 +37,9 @@ resource "aws_iam_policy" "node_s3" { lifecycle { create_before_destroy = false } -} \ No newline at end of file +} + +resource "aws_iam_policy" "secrets_manager" { + name = "${var.namespace}-secrets-manager" + policy = data.aws_iam_policy_document.secrets_manager.json +} diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 6b9cd700..5399aef0 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -57,3 +57,18 @@ data "aws_iam_policy_document" "node_s3" { ] } } + +data "aws_iam_policy_document" "secrets_manager" { + statement { + actions = [ + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:PutSecretValue", + "secretsmanager:GetSecretValue", + "secretsmanager:DeleteSecretVersion" + ] + effect = "Allow" + resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}*"] + } +} diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf index 3417a513..938ad34b 100644 --- a/modules/app_eks/iam-role-attachments.tf +++ b/modules/app_eks/iam-role-attachments.tf @@ -42,3 +42,8 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" { role = aws_iam_role.node.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } + +resource "aws_iam_role_policy_attachment" "node_secrets_manager" { + role = aws_iam_role.node.name + policy_arn = aws_iam_policy.secrets_manager.arn +} diff --git a/variables.tf b/variables.tf index a5bea6ec..8d2278d6 100644 --- a/variables.tf +++ b/variables.tf @@ -331,3 +331,4 @@ variable "elasticache_node_type" { # type = string # description = "Weights & Biases license key." # } +