Use a more restrictive secrets policy

aws-ia · Jun 29, 2022 · dc1d806 · dc1d806
1 parent 869010e
commit dc1d806
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 15 deletions.
diff --git a/examples/external-secrets-kubernetes-addon/README.md b/examples/external-secrets-kubernetes-addon/README.md
@@ -60,7 +60,7 @@ This following command used to update the `kubeconfig` in your local machine whe
     $ aws eks --region <enter-your-region> update-kubeconfig --name <cluster-name>
 
 ### Step 6: List the secret resources in the `external-secrets` namespace
-  
+
     $ kubectl get externalsecrets -n external-secrets
     $ kubectl get secrets -n external-secrets
 

diff --git a/examples/external-secrets-kubernetes-addon/main.tf b/examples/external-secrets-kubernetes-addon/main.tf
@@ -187,7 +187,7 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 #---------------------------------------------------------------
-# External Secrets Operator - Secret 
+# External Secrets Operator - Secret
 #---------------------------------------------------------------
 
 module "cluster_secretstore_role" {
@@ -226,7 +226,7 @@ resource "aws_iam_policy" "cluster_secretstore" {
         "secretsmanager:DescribeSecret",
         "secretsmanager:ListSecretVersionIds"
       ],
-      "Resource": "*"
+      "Resource": "${aws_secretsmanager_secret.secret.arn}"
     },
     {
       "Effect": "Allow",
@@ -244,14 +244,14 @@ resource "kubectl_manifest" "cluster_secretstore" {
   yaml_body  = <<YAML
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
-metadata: 
+metadata:
   name: ${local.cluster_secretstore_name}
-spec: 
+spec:
   provider:
-    aws: 
+    aws:
       service: SecretsManager
       region: ${data.aws_region.current.name}
-      auth: 
+      auth:
         jwt:
           serviceAccountRef:
             name: ${local.cluster_secretstore_sa}
@@ -346,15 +346,15 @@ resource "kubectl_manifest" "secretstore" {
   yaml_body  = <<YAML
 apiVersion: external-secrets.io/v1beta1
 kind: SecretStore
-metadata: 
+metadata:
   name: ${local.secretstore_name}
   namespace: ${local.namespace}
-spec: 
+spec:
   provider:
-    aws: 
+    aws:
       service: ParameterStore
       region: ${data.aws_region.current.name}
-      auth: 
+      auth:
         jwt:
           serviceAccountRef:
             name: ${local.secretstore_sa}

diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
@@ -143,12 +143,8 @@
 | <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
 | <a name="input_enable_coredns_autoscaler"></a> [enable\_coredns\_autoscaler](#input\_enable\_coredns\_autoscaler) | Enable CoreDNS autoscaler add-on | `bool` | `false` | no |
 | <a name="input_enable_crossplane"></a> [enable\_crossplane](#input\_enable\_crossplane) | Enable Crossplane add-on | `bool` | `false` | no |
-<<<<<<< HEAD
 | <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | External DNS add-on | `bool` | `false` | no |
-=======
-| <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | External DNS add-on. | `bool` | `false` | no |
 | <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
->>>>>>> 2dd94ce (Support external secrets from the main module)
 | <a name="input_enable_fargate_fluentbit"></a> [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no |
 | <a name="input_enable_ingress_nginx"></a> [enable\_ingress\_nginx](#input\_enable\_ingress\_nginx) | Enable Ingress Nginx add-on | `bool` | `false` | no |
 | <a name="input_enable_ipv6"></a> [enable\_ipv6](#input\_enable\_ipv6) | Enable Ipv6 network. Attaches new VPC CNI policy to the IRSA role | `bool` | `false` | no |