Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add support for AWS Secrets Manager #151

Merged
merged 8 commits into from
Nov 13, 2023
Merged

feat: Add support for AWS Secrets Manager #151

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d171240
test
andrewtruong Nov 3, 2023
37a2583
test
andrewtruong Nov 3, 2023
86fda1d
Merge branch 'main' into andrew/secrets
andrewtruong Nov 3, 2023
f7c0c1f
test
andrewtruong Nov 3, 2023
6969af4
test
andrewtruong Nov 8, 2023
a7ecae1
test
andrewtruong Nov 8, 2023
ea2fadf
test
andrewtruong Nov 8, 2023
72cb216
test
andrewtruong Nov 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions examples/public-dns-external/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,10 @@ provider "helm" {
}
}

locals {
secret_store_source = "aws-secretmanager://wandb-secret?namespace=wandb-secret"
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
}

module "wandb_app" {
source = "wandb/wandb/kubernetes"
version = "1.12.0"
Expand All @@ -87,6 +91,10 @@ module "wandb_app" {
# If we dont wait, tf will start trying to deploy while the work group is
# still spinning up
depends_on = [module.wandb_infra]

other_wandb_env = merge({
"GORILLA_CUSTOMER_SECRET_STORE_SOURCE" = local.secret_store_source
}, var.other_wandb_env)
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
}

output "bucket_name" {
Expand Down
6 changes: 6 additions & 0 deletions examples/public-dns-external/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,3 +83,9 @@ variable "allowed_inbound_ipv6_cidr" {
nullable = false
type = list(string)
}

variable "other_wandb_env" {
type = map(string)
description = "Extra environment variables for W&B"
default = {}
}
elainaRenee marked this conversation as resolved.
Show resolved Hide resolved
1 change: 1 addition & 0 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,7 @@ module "app_eks" {
cluster_endpoint_public_access_cidrs = var.kubernetes_public_access_cidrs

eks_policy_arns = var.eks_policy_arns
secret_manager_arn = var.secret_manager_arn
}

module "app_lb" {
Expand Down
10 changes: 9 additions & 1 deletion modules/app_eks/iam-policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,4 +37,12 @@ resource "aws_iam_policy" "node_s3" {
lifecycle {
create_before_destroy = false
}
}
}

resource "aws_iam_policy" "secrets_manager" {
name = "${var.namespace}-secrets-manager"
policy = data.aws_iam_policy_document.secrets_manager.json
lifecycle {
create_before_destroy = false
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
}
}
10 changes: 10 additions & 0 deletions modules/app_eks/iam-policy-docs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,3 +57,13 @@ data "aws_iam_policy_document" "node_s3" {
]
}
}

data "aws_iam_policy_document" "secrets_manager" {
statement {
actions = [
"secretsmanager:*",
]
effect = "Allow"
resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of checking for an empty string or null, we should be checking for the appropriate ARN pattern using a regex. This is done in the variable declaration in a validation block. Although validation is not appropriate for some cases, here it is preferred to the proposed solutions because ARNs are of a static and known format. An empty string won't meet the format requirement, which means we only need to check for null.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

modified to just do the regex check with prefix

}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm is there a better default here than allowing access to all secret managers? It looks like the default we are setting for the other policies is ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think limitations are based on the secret, not the secret manager (you can think of the secret manager as some service you can't control)

Our secrets are prefixed, so maybe we can change to:

"arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${prefix}-*"

from:

"arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. Yeah we need some way to make this a no-op so that we don't give installs access to all secrets. Maybe just put in some junk for the prefix? cc: @gls4 if you have any better ideas here. It be nice to refactor this at some point to not provision the policy at all in the case that no secret manager arn is present.

Copy link
Contributor Author

@andrewtruong andrewtruong Nov 7, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For simplicity, maybe we can just enforce that the prefix is non-null (or hardcode it as wandb-secret)

I don't think we use the Secret Manager for anything else atm, but maybe in future?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not correct. Please see https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html.

Access to SECRETS needs to be scoped to the cluster, and only for PUT, GET, UPDATE, DELETE operations. There is no need to provide the additional permissions. Moreover, we cannot allow one customer's cluster to read the secrets from another customer, so permissions have got to be scoped correctly from the start.

As for not provisioning the policy in the absence of the arn -- we need to do that now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

modified permission to be more tightly scoped

}
6 changes: 6 additions & 0 deletions modules/app_eks/iam-role-attachments.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,9 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" {
role = aws_iam_role.node.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}


resource "aws_iam_role_policy_attachment" "node_secrets" {
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
role = aws_iam_role.node.name
policy_arn = aws_iam_policy.secrets_manager.arn
}
5 changes: 5 additions & 0 deletions modules/app_eks/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,3 +115,8 @@ variable "service_port" {
type = number
default = 32543
}

variable "secret_manager_arn" {
description = ""
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
type = string
}
11 changes: 11 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -331,3 +331,14 @@ variable "elasticache_node_type" {
# type = string
# description = "Weights & Biases license key."
# }

variable "secret_manager_arn" {
type = string
description = ""
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
}
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved
andrewtruong marked this conversation as resolved.
Show resolved Hide resolved

variable "other_wandb_env" {
type = map(string)
description = "Extra environment variables for W&B"
default = {}
}
Loading