fix: give boot job sa access to ASM (#334)

Signed-off-by: ankitm123 <[email protected]>
jenkins-x · Dec 20, 2021 · 4d03e0a · 4d03e0a
1 parent d755005
commit 4d03e0a
Show file tree

Hide file tree

Showing 7 changed files with 184 additions and 162 deletions.
diff --git a/README.md b/README.md
diff --git a/main.tf b/main.tf
@@ -102,6 +102,7 @@ module "cluster" {
   enable_reports_storage                = var.enable_reports_storage
   enable_repository_storage             = var.enable_repository_storage
   boot_secrets                          = var.boot_secrets
+  use_asm                               = var.use_asm
 }
 
 // ----------------------------------------------------------------------------

diff --git a/modules/cluster/charts.tf b/modules/cluster/charts.tf
@@ -25,6 +25,12 @@ resource "helm_release" "jx-git-operator" {
     name  = "username"
     value = var.jx_bot_username
   }
+
+  set {
+    name  = "bootServiceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = local.boot_iam_role
+  }
+
   set_sensitive {
     name  = "password"
     value = var.jx_bot_token

diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
@@ -396,9 +396,7 @@ data "aws_iam_policy_document" "secrets-manager-policy" {
       "secretsmanager:UpdateSecret",
     ]
     resources = [
-      "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/lighthouse/*",
-      "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/jx/*",
-      "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/nexus/*"
+      "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:*"
     ]
   }
   statement {
@@ -424,7 +422,7 @@ module "iam_assumable_role_secrets-secrets-manager" {
   role_name                     = "${local.cluster_trunc}-external-secrets-secrets-manager"
   provider_url                  = local.oidc_provider_url
   role_policy_arns              = [var.create_asm_role ? aws_iam_policy.secrets-manager[0].arn : ""]
-  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets"]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets", "system:serviceaccount:${local.git-operator-namespace}:jx-boot-job"]
 }
 // ----------------------------------------------------------------------------
 // External Secrets - Parameter Store

diff --git a/modules/cluster/local.tf b/modules/cluster/local.tf
@@ -13,7 +13,9 @@ locals {
   cluster_trunc          = substr(var.cluster_name, 0, 35)
   cert-manager-namespace = "cert-manager"
   secret-infra-namespace = "secret-infra"
+  git-operator-namespace = "jx-git-operator"
   project                = data.aws_caller_identity.current.account_id
+  boot_iam_role          = var.use_asm ? (var.create_asm_role ? module.iam_assumable_role_secrets-secrets-manager.this_iam_role_arn : var.asm_role) : ""
 
   node_group_defaults = {
     ami_type         = var.node_group_ami

diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
@@ -429,3 +429,15 @@ variable "boot_secrets" {
   }))
   default = []
 }
+
+variable "use_asm" {
+  description = "Flag to specify if AWS Secrets manager is being used"
+  type        = bool
+  default     = false
+}
+
+variable "asm_role" {
+  description = "Specify arn of the ASM role (custom not created by the module)"
+  type        = string
+  default     = ""
+}
diff --git a/variables.tf b/variables.tf
@@ -466,6 +466,12 @@ variable "use_asm" {
   default     = false
 }
 
+variable "asm_role" {
+  description = "Specify arn of the ASM role (custom not created by the module)"
+  type        = string
+  default     = ""
+}
+
 variable "install_kuberhealthy" {
   description = "Flag to specify if kuberhealthy operator should be installed"
   type        = bool