# External Secrets Operator (ESO), installed from the upstream chart into its
# own namespace. Only created when var.enable_external_secrets is set.
#
# The operator's ServiceAccount is wired for Azure Workload Identity: the pod
# label `azure.workload.identity/use` opts the pods in, and the client-id /
# tenant-id annotations point at the user-assigned identity below. The
# ServiceAccount name and namespace here must stay in sync with the `subject`
# of azurerm_federated_identity_credential.external_secrets
# ("system:serviceaccount:external-secrets:external-secrets"); changing either
# side alone silently breaks token exchange.
resource "helm_release" "external_secrets" {
  count = var.enable_external_secrets ? 1 : 0

  # Chart source and version are pinned via variable so upgrades are explicit.
  repository = "https://charts.external-secrets.io"
  chart      = "external-secrets"
  version    = var.external_secrets_version

  name             = "external-secrets"
  namespace        = "external-secrets"
  create_namespace = true

  values = [
    <<-EOF
    replicaCount: 1
    podLabels:
      azure.workload.identity/use: "true"
    installCRDs: true
    controllerClass:
    serviceAccount:
      create: true
      annotations:
        azure.workload.identity/client-id: ${azurerm_user_assigned_identity.external_secrets[0].client_id}
        azure.workload.identity/tenant-id: ${data.azurerm_client_config.current.tenant_id}
      name: external-secrets
    resources:
      requests:
        cpu: 0.1
        memory: 200Mi
      limits:
        cpu: 0.3
        memory: 400Mi
    prometheus:
      enabled: false
    env:
      POLLER_INTERVAL_MILLISECONDS: 10000
    EOF
  ]
}
# Identity that the ESO pods assume via Workload Identity. It lives in the
# cluster's resource group so its lifecycle follows the cluster, and it is the
# principal that the Key Vault role assignments below are granted to.
resource "azurerm_user_assigned_identity" "external_secrets" {
  count = var.enable_external_secrets ? 1 : 0

  name                = "external-secrets"
  location            = var.location
  resource_group_name = data.azurerm_kubernetes_cluster.cluster.resource_group_name
}
# TODO: Review permissions scope.
# "Key Vault Secrets User" is granted at *subscription* scope, so this identity
# can read secrets from every Key Vault in the subscription (current and
# future), not just the vault(s) ESO is meant to sync from. Least privilege
# would be to set `scope` to the resource id of each vault ESO reads, one
# assignment per vault; a resource-group scope is the next-best fallback.
# The same applies to azurerm_role_assignment.external_secrets_certificate.
resource "azurerm_role_assignment" "external_secrets" {
  count = var.enable_external_secrets ? 1 : 0

  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.external_secrets[0].principal_id
  scope                = data.azurerm_subscription.current.id
}
# Lets ESO read certificates (not just secrets) out of Key Vault. Like the
# secrets assignment above this is subscription-wide; narrow `scope` to the
# specific vault id(s) once those are known, and drop this assignment entirely
# if no ExternalSecret actually references certificate objects.
resource "azurerm_role_assignment" "external_secrets_certificate" {
  count = var.enable_external_secrets ? 1 : 0

  role_definition_name = "Key Vault Certificate User"
  principal_id         = azurerm_user_assigned_identity.external_secrets[0].principal_id
  scope                = data.azurerm_subscription.current.id
}
# Trust relationship between the AKS OIDC issuer and the user-assigned
# identity. Entra ID will exchange a projected ServiceAccount token for this
# identity only when the token's issuer matches the cluster's OIDC issuer URL,
# its audience is "api://AzureADTokenExchange", and its subject is exactly the
# ESO ServiceAccount (namespace:name). Any other ServiceAccount in the cluster
# is rejected, so keep `subject` tight and matching the Helm values.
resource "azurerm_federated_identity_credential" "external_secrets" {
  count = var.enable_external_secrets ? 1 : 0

  parent_id           = azurerm_user_assigned_identity.external_secrets[0].id
  name                = azurerm_user_assigned_identity.external_secrets[0].name
  resource_group_name = azurerm_user_assigned_identity.external_secrets[0].resource_group_name

  issuer   = data.azurerm_kubernetes_cluster.cluster.oidc_issuer_url
  subject  = "system:serviceaccount:external-secrets:external-secrets"
  audience = ["api://AzureADTokenExchange"]

  # Not strictly required by the API; kept so the identity is usable (has its
  # Key Vault roles) by the time the credential exists.
  depends_on = [
    azurerm_role_assignment.external_secrets,
    azurerm_role_assignment.external_secrets_certificate,
  ]
}