create policy an role for secrets manager access from EKS

Author: eddiewebb

core-env/aws/outputs.tf

@@ -0,0 +1,6 @@
+output "demo_operator_role_arn" {
+  value = aws_iam_role.demo_role.arn
+}
+output "demo_pipeline_role_arn" {
+  value = aws_iam_role.demo_gha_role.arn
+}

core-env/aws/templates/secrets_policy.json.tpl

@@ -0,0 +1,25 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action" : [
+        "secretsmanager:ListSecrets",
+        "secretsmanager:BatchGetSecretValue"
+      ],
+      "Effect" : "Allow",
+      "Resource" : "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:us-west-2:${AWS_ACCOUNT_ID}:secret:kargo-*"
+      ]
+    }
+  ]
+}

core-env/aws/templates/secrets_role.json.tpl

@@ -0,0 +1,16 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "pods.eks.amazonaws.com"
+            },
+            "Action": [
+                "sts:AssumeRole",
+                "sts:TagSession"
+            ]
+        }
+    ]
+}