iam.tf
module "external_secrets_irsa" {
  # IAM role for the External Secrets Operator, trusted through the cluster's
  # OIDC provider (IRSA) so only the listed Kubernetes service accounts can
  # assume it.
  # NOTE(review): the source address below looks mangled by the page export
  # ("[email protected]"); verify it against the checked-in file.
  source = "git::[email protected]:CMS-Enterprise/batcave-tf-irsa.git//.?ref=1.1.1"

  app_name  = "External_Secrets_Operator"
  role_name = "${var.cluster_name}-external-secrets"
  role_path = var.iam_path

  # Permissions boundary caps what the role can ever be granted, independent
  # of the policy the module attaches.
  role_permissions_boundary_arn = var.permissions_boundary

  # Ask the module for its Secrets Manager policy, limited to the ARN
  # patterns assembled in locals (presumably read-only; confirm in the module).
  attach_secretsmanager_policy = true
  asm_secret_arns              = local.secret_arns

  oidc_providers = {
    main = {
      provider_arn               = var.oidc_provider_arn
      namespace_service_accounts = var.external_secrets_service_accounts
    }
  }
}
locals {
  # Secrets every cluster gets access to. Values are Secrets Manager secret
  # names (path-style names with "/" are allowed).
  secret_names = [
    "private-registry",
    "batcave/registry-credentials",
    "batcave/argocd-config",
    "batcave/grafana-secret",
    "batcave/sso-secret",
    "batcave/istio-secret",
    "batcave/sonar-registry-credentials",
    "batcave/sonar-agent-api-key",
    "batcave/kiali",
    "batcave/alertmanager-secret",
    "batcave/loki-write-keys",
    "gitlab/access_token/flux_read_argo"
  ]

  # Added only when var.enable_gitlab_secret_arns is true.
  gitlab_secret_names = [
    "batcave/gitlab-rails-secret-s3",
    "batcave/gitlab-secret",
    "batcave/gitlab-rails-secret-backup"
  ]

  # Added only when var.enable_defectdojo_secret_arns is true.
  defectdojo_secret_names = [
    "batcave/defectdojo",
    "batcave/defectdojo-oauth-secret",
    "batcave/defectdojo-postgresql-specific",
    "batcave/defectdojo-rabbitmq-specific",
    "batcave/defectdojo-redis-specific"
  ]

  # A disabled optional group collapses to an empty list, so one concat
  # produces the same order as chaining the conditionals: base, gitlab,
  # defectdojo, then caller-supplied names.
  include_gitlab_secrets = concat(
    local.secret_names,
    var.enable_gitlab_secret_arns == true ? local.gitlab_secret_names : [],
  )

  all_secret_names = concat(
    local.include_gitlab_secrets,
    var.enable_defectdojo_secret_arns == true ? local.defectdojo_secret_names : [],
    var.additional_secret_names,
  )

  # One ARN pattern per name. The trailing "*" is required because Secrets
  # Manager appends a random suffix to each secret's ARN, but it also matches
  # any other secret whose name merely begins with the listed name.
  # NOTE(review): "${name}-??????" would pin each pattern to exactly one
  # secret; confirm nothing depends on the broader prefix match before
  # tightening it.
  secret_arns = [
    for name in local.all_secret_names :
    "arn:aws:secretsmanager:${var.aws_region}:${var.aws_id}:secret:${name}*"
  ]
}
output "secret_arns" {
  description = "Secrets Manager ARN patterns passed to the external-secrets IRSA module as asm_secret_arns."
  value       = local.secret_arns
}