From d171240e7f12b70ac97391fa0d8712697405f5ec Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Fri, 3 Nov 2023 01:34:15 -0400 Subject: [PATCH 1/7] test --- main.tf | 1 + modules/app_eks/iam-policies.tf | 8 ++++++++ modules/app_eks/iam-policy-docs.tf | 10 ++++++++++ modules/app_eks/iam-role-attachments.tf | 6 ++++++ modules/app_eks/variables.tf | 5 +++++ variables.tf | 11 +++++++++++ 6 files changed, 41 insertions(+) diff --git a/main.tf b/main.tf index 14187d44..ce77ea3d 100644 --- a/main.tf +++ b/main.tf @@ -141,6 +141,7 @@ module "app_eks" { cluster_endpoint_public_access_cidrs = var.kubernetes_public_access_cidrs eks_policy_arns = var.eks_policy_arns + secret_manager_arn = var.secret_manager_arn } module "app_lb" { diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf index f0a62b1c..65c4721c 100644 --- a/modules/app_eks/iam-policies.tf +++ b/modules/app_eks/iam-policies.tf @@ -37,4 +37,12 @@ resource "aws_iam_policy" "node_s3" { lifecycle { create_before_destroy = false } +} + +resource "aws_iam_policy" "secrets_manager" { + name = "${var.namespace}-secrets-manager" + policy = data.aws_iam_policy_document.secrets_manager.json + lifecycle { + create_before_destroy = false + } } \ No newline at end of file diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 6b9cd700..2e39e988 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -57,3 +57,13 @@ data "aws_iam_policy_document" "node_s3" { ] } } + +data "aws_iam_policy_document" "secrets_manager" { + statement { + actions = [ + "secretsmanager:*", + ] + effect = "Allow" + resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn] + } +} diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf index 3417a513..a8a15798 100644 
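Review bot: In the new `data "aws_iam_policy_document" "secrets_manager"` block the conditional on the `resources` line fails open: when `secret_manager_arn` is empty or null the statement grants `secretsmanager:*` on `secret:*` for the whole account instead of on the one secret the caller named, so a misconfigured caller silently gets full control of every secret in the account. Since the module variable has no default, the empty-string case is only reachable through an explicit `""`, which should be rejected rather than widened; a `validation` block on the variable (non-empty, starting with `arn:aws:secretsmanager:`) keeps the grant pinned to the caller's ARN. `secretsmanager:*` also covers destructive and administrative actions, so listing the actions the application actually performs would keep the policy reviewable.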
--- a/modules/app_eks/iam-role-attachments.tf +++ b/modules/app_eks/iam-role-attachments.tf @@ -42,3 +42,9 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" { role = aws_iam_role.node.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } + + +resource "aws_iam_role_policy_attachment" "node_secrets" { + role = aws_iam_role.node.name + policy_arn = aws_iam_policy.secrets_manager.arn +} diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index a1736ccf..ece0843b 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -111,3 +111,8 @@ variable "service_port" { type = number default = 32543 } + +variable "secret_manager_arn" { + description = "" + type = string +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index a5bea6ec..23aa8243 100644 --- a/variables.tf +++ b/variables.tf @@ -331,3 +331,14 @@ variable "elasticache_node_type" { # type = string # description = "Weights & Biases license key." # } + +variable "secret_manager_arn" { + type = string + description = "" +} + +variable "other_wandb_env" { + type = map(string) + description = "Extra environment variables for W&B" + default = {} +} \ No newline at end of file From 37a2583fa059270799298329d718a3a2115843f7 Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Fri, 3 Nov 2023 09:58:47 -0400 Subject: [PATCH 2/7] test --- modules/app_eks/iam-policies.tf | 2 +- modules/app_eks/variables.tf | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf index 65c4721c..a4b32878 100644 --- a/modules/app_eks/iam-policies.tf +++ b/modules/app_eks/iam-policies.tf @@ -45,4 +45,4 @@ resource "aws_iam_policy" "secrets_manager" { lifecycle { create_before_destroy = false } -} \ No newline at end of file +} diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index ece0843b..73f156e7 100644 
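Review bot: The new `node_secrets` attachment puts the Secrets Manager policy on `aws_iam_role.node`, which — judging by the neighbouring `ebs_csi` attachment — looks like the worker-node instance role; if so, every pod scheduled on those nodes inherits the grant through the instance credentials, not only the W&B application. A role dedicated to the application's Kubernetes service account (IAM Roles for Service Accounts, with a trust policy limited to that service account) would keep the blast radius to the one workload that needs the secrets. If the node role is deliberate, a comment on the resource stating why the broader grant is acceptable would help the next reviewer.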
--- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -115,4 +115,4 @@ variable "service_port" { variable "secret_manager_arn" { description = "" type = string -} \ No newline at end of file +} diff --git a/variables.tf b/variables.tf index 23aa8243..17a8c5b8 100644 --- a/variables.tf +++ b/variables.tf @@ -341,4 +341,4 @@ variable "other_wandb_env" { type = map(string) description = "Extra environment variables for W&B" default = {} -} \ No newline at end of file +} From f7c0c1f2ee8240042c6348759303443e2e9680b3 Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Fri, 3 Nov 2023 10:21:12 -0400 Subject: [PATCH 3/7] test --- examples/public-dns-external/main.tf | 8 ++++++++ examples/public-dns-external/variables.tf | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 72588184..ffb49e9b 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf @@ -65,6 +65,10 @@ provider "helm" { } } +locals { + secret_store_source = "aws-secretmanager://wandb-secret?namespace=wandb-secret" +} + module "wandb_app" { source = "wandb/wandb/kubernetes" version = "1.12.0" @@ -87,6 +91,10 @@ module "wandb_app" { # If we dont wait, tf will start trying to deploy while the work group is # still spinning up depends_on = [module.wandb_infra] + + other_wandb_env = merge({ + "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = local.secret_store_source + }, var.other_wandb_env) } output "bucket_name" { diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index c88dc631..e0712159 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -83,3 +83,9 @@ variable "allowed_inbound_ipv6_cidr" { nullable = false type = list(string) } + +variable "other_wandb_env" { + type = map(string) + description = "Extra environment variables for W&B" + default = {} +} 
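Review bot: In the `other_wandb_env` argument of `module "wandb_app"` the caller's map is the last argument to `merge`, so any matching key in `var.other_wandb_env` overrides `GORILLA_CUSTOMER_SECRET_STORE_SOURCE` silently, which can redirect the application to a different secret store with no visible change in this file. If that override is an intended escape hatch, say so in the variable's description; otherwise reverse the precedence with `other_wandb_env = merge(var.other_wandb_env, { "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = local.secret_store_source })`. The `module "wandb_app"` block this hunk patches starts before the hunk.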
From 6969af4707244d2c02ebbdf2c167de7707c44257 Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Tue, 7 Nov 2023 23:23:03 -0500 Subject: [PATCH 4/7] test --- main.tf | 1 - modules/app_eks/iam-policies.tf | 3 --- modules/app_eks/iam-policy-docs.tf | 2 +- modules/app_eks/iam-role-attachments.tf | 1 - modules/app_eks/variables.tf | 7 ++++--- variables.tf | 10 ---------- 6 files changed, 5 insertions(+), 19 deletions(-) diff --git a/main.tf b/main.tf index 09e08830..4cb49865 100644 --- a/main.tf +++ b/main.tf @@ -143,7 +143,6 @@ module "app_eks" { cluster_endpoint_public_access_cidrs = var.kubernetes_public_access_cidrs eks_policy_arns = var.eks_policy_arns - secret_manager_arn = var.secret_manager_arn } module "app_lb" { diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf index a4b32878..6b0b11c6 100644 --- a/modules/app_eks/iam-policies.tf +++ b/modules/app_eks/iam-policies.tf @@ -42,7 +42,4 @@ resource "aws_iam_policy" "node_s3" { resource "aws_iam_policy" "secrets_manager" { name = "${var.namespace}-secrets-manager" policy = data.aws_iam_policy_document.secrets_manager.json - lifecycle { - create_before_destroy = false - } } diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 2e39e988..cf99ccf4 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -64,6 +64,6 @@ data "aws_iam_policy_document" "secrets_manager" { "secretsmanager:*", ] effect = "Allow" - resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn] + resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.secrets_prefix}-*"] } } diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf index a8a15798..fa7c0ad8 100644 --- a/modules/app_eks/iam-role-attachments.tf 
+++ b/modules/app_eks/iam-role-attachments.tf @@ -43,7 +43,6 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } - resource "aws_iam_role_policy_attachment" "node_secrets" { role = aws_iam_role.node.name policy_arn = aws_iam_policy.secrets_manager.arn diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index eb68796f..00995210 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -116,7 +116,8 @@ variable "service_port" { default = 32543 } -variable "secret_manager_arn" { - description = "" - type = string +variable "secrets_prefix" { + type = string + description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" + default = "wandb-secret" } diff --git a/variables.tf b/variables.tf index 17a8c5b8..8d2278d6 100644 --- a/variables.tf +++ b/variables.tf @@ -332,13 +332,3 @@ variable "elasticache_node_type" { # description = "Weights & Biases license key." # } -variable "secret_manager_arn" { - type = string - description = "" -} - -variable "other_wandb_env" { - type = map(string) - description = "Extra environment variables for W&B" - default = {} -} From a7ecae1cb86ffaf0f0d98a6ea0fb6d59521e363b Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Wed, 8 Nov 2023 00:10:31 -0500 Subject: [PATCH 5/7] test --- examples/public-dns-external/main.tf | 6 +----- examples/public-dns-external/variables.tf | 6 ++++++ modules/app_eks/iam-policy-docs.tf | 9 +++++++-- modules/app_eks/iam-role-attachments.tf | 2 +- 4 files changed, 15 insertions(+), 8 deletions(-) diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index ffb49e9b..0cdb8409 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf 
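Review bot: The new `secrets_prefix` variable is described as "(Required)" yet carries `default = "wandb-secret"`, so callers are never prompted for it; one of the two should go. More importantly the value is interpolated into the IAM `resources` ARN in the iam-policy-docs hunk of this patch, where `*` and `?` are wildcards, so a prefix containing either character widens the grant beyond the intended secrets; a `validation` block restricting it to the Secrets Manager secret-name character set closes that. The same description/default mismatch reappears in the examples/public-dns-external/variables.tf hunk of patch 5.
```hcl
variable "secrets_prefix" {
  type        = string
  description = "Prefix of the Secrets Manager secrets the W&B application may manage. Interpolated into an IAM resource ARN, so wildcard characters are rejected."
  default     = "wandb-secret"

  validation {
    condition     = can(regex("^[A-Za-z0-9/_+=.@-]+$", var.secrets_prefix))
    error_message = "secrets_prefix must be non-empty and contain only characters valid in a Secrets Manager secret name (no * or ?)."
  }
}
```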
@@ -65,10 +65,6 @@ provider "helm" { } } -locals { - secret_store_source = "aws-secretmanager://wandb-secret?namespace=wandb-secret" -} - module "wandb_app" { source = "wandb/wandb/kubernetes" version = "1.12.0" @@ -93,7 +89,7 @@ module "wandb_app" { depends_on = [module.wandb_infra] other_wandb_env = merge({ - "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = local.secret_store_source + "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = "aws-secretmanager://${var.secrets_prefix}?namespace=${var.secrets_prefix}" }, var.other_wandb_env) } diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index e0712159..862e5081 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -89,3 +89,9 @@ variable "other_wandb_env" { description = "Extra environment variables for W&B" default = {} } + +variable "secrets_prefix" { + type = string + description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" + default = "wandb-secret" +} diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index cf99ccf4..64482854 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -61,9 +61,14 @@ data "aws_iam_policy_document" "node_s3" { data "aws_iam_policy_document" "secrets_manager" { statement { actions = [ - "secretsmanager:*", + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:PutSecretValue", + "secretsmanager:GetSecretValue", + "secretsmanager:DeleteSecretVersion" ] effect = "Allow" - resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.secrets_prefix}-*"] + resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.secrets_prefix}*"] } } 
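Review bot: The `resources` line drops the `-` separator, so the pattern `secret:${var.secrets_prefix}*` now matches every secret whose name merely begins with the prefix — a prefix of `wandb` covers `wandb-secret-…` as well as `wandbfoo-…`, and an empty prefix collapses to `secret:*`, i.e. all secrets in the account. If the application names its secrets `<prefix>-<name>`, restoring the separator, `secret:${var.secrets_prefix}-*`, keeps the policy to its own secrets; if it does not, a comment explaining the naming scheme the pattern relies on would stop the next reviewer from tightening it back. The narrowed action list is a clear improvement over `secretsmanager:*`.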
diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf index fa7c0ad8..938ad34b 100644 --- a/modules/app_eks/iam-role-attachments.tf +++ b/modules/app_eks/iam-role-attachments.tf @@ -43,7 +43,7 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } -resource "aws_iam_role_policy_attachment" "node_secrets" { +resource "aws_iam_role_policy_attachment" "node_secrets_manager" { role = aws_iam_role.node.name policy_arn = aws_iam_policy.secrets_manager.arn } From ea2fadf62d994fde63e0abbed345bc37028b569a Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Wed, 8 Nov 2023 11:10:14 -0500 Subject: [PATCH 6/7] test --- examples/public-dns-external/variables.tf | 6 +++++- modules/app_eks/variables.tf | 8 ++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index 862e5081..bd7a611d 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -90,8 +90,12 @@ variable "other_wandb_env" { default = {} } +locals { + secrets_prefix_default = var.namespace +} + variable "secrets_prefix" { type = string description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" - default = "wandb-secret" + default = local.secrets_prefix_default } diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index 00995210..b4062e3d 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf 
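Review bot: `default = local.secrets_prefix_default` in the `secrets_prefix` variable block will not pass `terraform validate`: a variable's `default` must be a literal value and cannot reference locals or other variables, so this hunk and the matching modules/app_eks/variables.tf hunk of this patch break the configuration. The usual way to default one input to another is to leave the variable nullable, `default = null`, and resolve it in a local, `locals { secrets_prefix = coalesce(var.secrets_prefix, var.namespace) }`, then reference `local.secrets_prefix` wherever `var.secrets_prefix` is used today. Placing a `locals` block inside variables.tf also departs from the file's convention, but that is secondary.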
@@ -116,8 +116,12 @@ variable "service_port" { default = 32543 } +locals { + secrets_prefix_default = var.namespace +} + variable "secrets_prefix" { type = string description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" - default = "wandb-secret" -} + default = local.secrets_prefix_default +} \ No newline at end of file From 72cb2168e394420290ce0e4596cd129aa51898ec Mon Sep 17 00:00:00 2001 From: Andrew Truong Date: Wed, 8 Nov 2023 11:22:51 -0500 Subject: [PATCH 7/7] test --- examples/public-dns-external/main.tf | 2 +- examples/public-dns-external/variables.tf | 10 ---------- modules/app_eks/iam-policy-docs.tf | 2 +- modules/app_eks/variables.tf | 10 ---------- 4 files changed, 2 insertions(+), 22 deletions(-) diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 0cdb8409..a6b3b6c2 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf @@ -89,7 +89,7 @@ module "wandb_app" { depends_on = [module.wandb_infra] other_wandb_env = merge({ - "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = "aws-secretmanager://${var.secrets_prefix}?namespace=${var.secrets_prefix}" + "GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = "aws-secretmanager://${var.namespace}?namespace=${var.namespace}" }, var.other_wandb_env) } diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index bd7a611d..e0712159 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -89,13 +89,3 @@ variable "other_wandb_env" { description = "Extra environment variables for W&B" default = {} } - -locals { - secrets_prefix_default = var.namespace -} - -variable "secrets_prefix" { - type = string - description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" - default = local.secrets_prefix_default -} 
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 64482854..5399aef0 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -69,6 +69,6 @@ data "aws_iam_policy_document" "secrets_manager" { "secretsmanager:DeleteSecretVersion" ] effect = "Allow" - resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.secrets_prefix}*"] + resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}*"] } } diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index b4062e3d..35ef7701 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -115,13 +115,3 @@ variable "service_port" { type = number default = 32543 } - -locals { - secrets_prefix_default = var.namespace -} - -variable "secrets_prefix" { - type = string - description = "(Required) The prefix assigned to all secrets created by W&B users and saved using the AWS Secret Manager" - default = local.secrets_prefix_default -} \ No newline at end of file
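Review bot: The `resources` line now scopes the grant to `secret:${var.namespace}*`, while the example on the other side of this patch builds `GORILLA_CUSTOMER_SECRET_STORE_SOURCE` from the example's own `var.namespace`; the two are coupled only by convention, since nothing in these hunks shows the module call that forwards one to the other. Exposing the prefix from the module, e.g. `output "secrets_prefix" { value = var.namespace }`, and using `module.wandb_infra.secrets_prefix` in the example would make the IAM scope and the application's store URI derive from the same value. The pattern still has no separator after the prefix and collapses to `secret:*` if `namespace` is empty, so a non-empty/no-wildcard validation on `namespace` (declared outside these hunks) is worth confirming.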