ClusterSecretStore configuration

.gitignore

@@ -1,17 +1,46 @@
+# Created by https://www.toptal.com/developers/gitignore/api/vim,visualstudiocode,terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=vim,visualstudiocode,terraform
 
-# Created by https://www.gitignore.io/api/vim,code
-# Edit at https://www.gitignore.io/?templates=vim,code
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
 
-### Code ###
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
 
 ### Vim ###
 # Swap
 [._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
 [._]*.sw[a-p]
 [._]s[a-rt-v][a-z]
 [._]ss[a-gi-z]
@@ -24,19 +53,30 @@ Sessionx.vim
 # Temporary
 .netrwhist
 *~
-
 # Auto-generated tag files
 tags
-
 # Persistent undo
 [._]*.un~
 
-# Coc configuration directory
-.vim
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
 
-# End of https://www.gitignore.io/api/vim,code
-.env
-kubectl/
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# End of https://www.toptal.com/developers/gitignore/api/vim,visualstudiocode,terraform
 build/
-.nfs/
 !.gitkeep

kustomize/bases/prometheus/prometheus.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   serviceAccountName: prometheus
   retention: 28d
-  retentionSize: 9GB
+  retentionSize: 8GB
   ruleSelector:
     matchLabels:
       monitor: prometheus

kustomize/namespaces/kube-system/clustersecretstore.yaml

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: aws-parameters-store
+spec:
+  provider:
+    aws:
+      service: ParameterStore
+      region: ca-central-1
+      auth:
+        secretRef:
+          accessKeyIDSecretRef:
+            name: aws-parameters-external-secrets-access-key
+            key: access-key
+            namespace: kube-system
+          secretAccessKeySecretRef:
+            name: aws-parameters-external-secrets-access-key
+            key: secret-access-key
+            namespace: kube-system

kustomize/namespaces/kube-system/kustomization.yaml

@@ -1,4 +1,5 @@
 resources:
   - ../../bases/traefik
   - ../../bases/prometheus-operator
-  - ../../bases/external-secrets
+  - ../../bases/external-secrets
+  - clustersecretstore.yaml

terraform/.terraform.lock.hcl

@@ -0,0 +1,43 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "4.55.0"
+  hashes = [
+    "h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
+    "zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b",
+    "zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770",
+    "zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53",
+    "zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9",
+    "zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946",
+    "zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6",
+    "zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74",
+    "zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4",
+    "zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c",
+    "zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971",
+    "zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f",
+    "zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2",
+    "zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version = "2.18.0"
+  hashes = [
+    "h1:42iWPnVHQYjopA83W35BxsWmhBnfycUZV3ThuAVmP4s=",
+    "zh:38f24011d5ee8479ed4758c66cad336509ec02b55c1188ce0ec4b826943aaf0a",
+    "zh:7d34901f2aff2f46748e81e3d4bbc1aeacc1cc78c2c7da34a84311633ccc8458",
+    "zh:854339357839a8944df9571eb10f2feaa28cdbe1b7198aba2e94574474f8b304",
+    "zh:872ea16f2634d29da9772bb5bdc2202f56e35371acccc31fab060bb9cfc13a8b",
+    "zh:8da9e4c95c160aa58de81a3da5a5a43ea09869e79aa7a27303a1d5a107a8b486",
+    "zh:9200d32e7c9a75365bcd5a48b29ec8c9bbd3329549bc8d04b14e739abcf843e0",
+    "zh:980f576019d1acb404647c9d7a71ee826e6e046f84c3796c6dc098899fc89033",
+    "zh:dcd84e89fdbb815dade604543c6ce2b5aa518debc413d627de08c7e6f3d3c075",
+    "zh:ddbbb7d16d3eff671c2251d6777fcb6fb92843e2b74441c2d4ad43a82a4291c6",
+    "zh:e50185efe88499bfbb22fc421315f658c9a7ccfee68e6b66cf0f8eb19b879028",
+    "zh:ed8e76ccb2b0266ee94ab90d76d311509b2cc90e5d9f5aa294dd92e1f676adf0",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}

terraform/main.tf

@@ -0,0 +1,17 @@
+terraform {
+    backend "kubernetes" {
+        secret_suffix = "state"
+        config_path = "~/.kube/config"
+        labels = {
+            "app.kubernetes.io/managed-by": "terraform"
+        }
+    }
+}
+
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+}
+
+module "aws-parameters-external-secrets" {
+    source = "./modules/aws-parameters-external-secrets"
+}

terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json

@@ -0,0 +1,14 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "ssm:GetParameterWithContext",
+          "ssm:ListTagsForResourceWithContext",
+          "ssm:DescribeParametersWithContext"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }

terraform/modules/aws-parameters-external-secrets/main.tf

@@ -0,0 +1,33 @@
+resource "aws_iam_user" "default" {
+    name = "${var.name}-user"
+}
+
+resource "aws_iam_policy" "parameters_external_secrets_policy" {
+    name = "${var.name}-parameters-external-secrets-policy"
+    policy = file("${path.module}/iam-policies/parameters-external-secrets-policy.json")
+}
+
+resource "aws_iam_policy_attachment" "parameters_external_secrets_attachment" {
+    name = "${var.name}-parameters-external-secrets-attachment"
+    users = [aws_iam_user.default.name]
+    policy_arn = aws_iam_policy.parameters_external_secrets_policy.arn
+}
+
+resource "aws_iam_access_key" "default" {
+    user = aws_iam_user.default.name
+}
+
+resource "kubernetes_secret" "default" {
+    metadata {
+        name = "${var.name}-access-key"
+        namespace = "kube-system"
+        labels = {
+            "app.kubernetes.io/managed-by": "terraform"
+        }
+    }
+
+    data = {
+        access-key = aws_iam_access_key.default.id
+        secret-access-key = aws_iam_access_key.default.secret
+    }
+}

terraform/modules/aws-parameters-external-secrets/variables.tf

@@ -0,0 +1,5 @@
+variable "name" {
+    type = string
+    description = "The name of the terraform deployment"
+    default = "aws-parameters-external-secrets"
+}