create policy an role for secrets manager access from EKS

eddiewebb · eddiewebb · commit 86f8894407cb · 2025-11-07T15:42:43.000-05:00
diff --git a/akuity-bootstrap/main.tf b/akuity-bootstrap/main.tf
@@ -119,3 +119,13 @@ resource "akp_cluster" "kargo-cluster" {
   depends_on = [akp_kargo_instance.kargo-instance, akp_instance.se-demo-iac]
 }
 
+resource "aws_route53_record" "records" {
+
+  zone_id = data.terraform_remote_state.eks_clusters.outputs.root_zone_id
+  name    = "argo.${data.terraform_remote_state.eks_clusters.outputs.demo_domain}"
+  type    = "CNAME"
+  ttl     = 5
+
+  records    = [output.argo_server_url]
+  depends_on = [akp_instance.se-demo-iac]
+}
diff --git a/core-env/aws/main.tf b/core-env/aws/main.tf
@@ -103,9 +103,50 @@ resource "aws_iam_role_policy_attachment" "gha_attachment" {
   policy_arn = aws_iam_policy.demo_gha_policy.arn
 }
 
-output "demo_operator_role_arn" {
-  value = aws_iam_role.demo_role.arn
+
+
+#
+# Secrets Manager for ESO
+#
+
+
+# Specific role for GHA via OIDC to assume (can also be assumed by team)
+resource "aws_iam_policy" "demo_secrets_policy" {
+  name        = var.priviledged_assumed_role
+  description = "Policy to grant demo cluster access to secrets via ESO"
+
+  policy = templatefile(
+    "${path.module}/templates/secrets_policy.json.tpl",
+    {
+      AWS_ACCOUNT_ID = data.aws_caller_identity.current.id
+    }
+  )
+
+  tags = var.common_tags
+  lifecycle {
+    create_before_destroy = true
+  }
 }
-output "demo_pipeline_role_arn" {
-  value = aws_iam_role.demo_gha_role.arn
+
+# Specific role for GHA via OIDC to assume (can also be assumed by team)
+resource "aws_iam_role" "secrets_role" {
+  name        = var.priviledged_assumed_role
+  description = "Role grants access to secrets policy for ESO"
+
+  assume_role_policy = templatefile(
+    "${path.module}/templates/secrets_role.json.tpl",
+    {
+
+    }
+  )
+
+  tags = var.common_tags
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "secrets_attachment" {
+  role       = aws_iam_role.secrets_role.name
+  policy_arn = aws_iam_policy.demo_secrets_policy.arn
 }
diff --git a/core-env/aws/variables.tf b/core-env/aws/variables.tf
@@ -13,13 +13,6 @@ variable "common_tags" {
   }
 }
 
-
-variable "demo_domain" {
-  description = "Domain apps will be exposed via ingress"
-  type        = string
-  default     = "demoapps.akuity.io"
-}
-
 variable "email_usernames" {
   description = "Who can act as operator on ARAD resources, by assume operator role."
   default = [
diff --git a/core-env/eks-clusters/outputs.tf b/core-env/eks-clusters/outputs.tf
@@ -6,4 +6,11 @@ output "primary_cluster_endpoint" {
 }
 output "primary_cluster_ca" {
     value = module.eks.cluster_certificate_authority_data
+}
+output "demo_domain" {
+    value = var.root_domain_name
+}
+
+output "root_zone_id" {
+    value = data.aws_route53_zone.root_demo_domain_zone.id
 }

Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,6 @@ variable "common_tags" {`
`13`	`13`	`}`
`14`	`14`	`}`
`15`	`15`
`16`		`-`
`17`		`-variable "demo_domain" {`
`18`		`- description = "Domain apps will be exposed via ingress"`
`19`		`- type = string`
`20`		`- default = "demoapps.akuity.io"`
`21`		`-}`
`22`		`-`
`23`	`16`	`variable "email_usernames" {`
`24`	`17`	`description = "Who can act as operator on ARAD resources, by assume operator role."`
`25`	`18`	`default = [`
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,11 @@ output "primary_cluster_endpoint" {`
`6`	`6`	`}`
`7`	`7`	`output "primary_cluster_ca" {`
`8`	`8`	`value = module.eks.cluster_certificate_authority_data`
	`9`	`+}`
	`10`	`+output "demo_domain" {`
	`11`	`+ value = var.root_domain_name`
	`12`	`+}`
	`13`	`+`
	`14`	`+output "root_zone_id" {`
	`15`	`+ value = data.aws_route53_zone.root_demo_domain_zone.id`
`9`	`16`	`}`