update external-secrets example

Signed-off-by: Carlos Santana <csantana23@gmail.com>

Author: csantanapr

argocd/iac/terraform/examples/eks/external-secrets/bootstrap/addons.yaml

@@ -1,19 +1,32 @@
+---
 apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: ApplicationSet
 metadata:
   name: bootstrap-addons
-  namespace: 'argocd'
 spec:
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: 'argocd'
-  project: default
-  source:
-    path: ${path}
-    repoURL: ${repoURL}
-    targetRevision: ${targetRevision}
-    directory:
-      recurse: true
-      exclude: exclude/*
   syncPolicy:
-    automated: {}
+    preserveResourcesOnDeletion: true
+  generators:
+    - clusters:
+        selector:
+          matchExpressions:
+            - key: akuity.io/argo-cd-cluster-name
+              operator: NotIn
+              values: [in-cluster]
+  template:
+    metadata:
+      name: 'bootstrap-addons'
+    spec:
+      project: default
+      source:
+        repoURL: '{{metadata.annotations.gitops_bridge_repo_url}}'
+        path: '{{metadata.annotations.gitops_bridge_repo_path}}'
+        targetRevision: '{{metadata.annotations.gitops_bridge_repo_revision}}'
+        directory:
+          recurse: true
+          exclude: exclude/*
+      destination:
+        namespace: 'argocd'
+        name: '{{name}}'
+      syncPolicy:
+        automated: {}

argocd/iac/terraform/examples/eks/external-secrets/bootstrap/workloads.yaml

@@ -1,20 +1,44 @@
+---
 apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: ApplicationSet
 metadata:
-  name: bootstrap-workloads
-  namespace: 'argocd'
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+  name: external-secrets-example
 spec:
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: 'guestbook'
-  project: default
-  source:
-    path: helm-guestbook
-    repoURL: git@github.com:argoproj/argocd-example-apps.git
-    targetRevision: HEAD
   syncPolicy:
-    automated: {}
-    syncOptions:
-    - CreateNamespace=true
+    preserveResourcesOnDeletion: true
+  generators:
+    - clusters:
+        selector:
+          matchExpressions:
+            - key: akuity.io/argo-cd-cluster-name
+              operator: NotIn
+              values: [in-cluster]
+  template:
+    metadata:
+      name: 'external-secrets-example'
+    spec:
+      project: default
+      source:
+        repoURL: '{{metadata.annotations.workload_repo_url}}'
+        path: '{{metadata.annotations.workload_repo_path}}'
+        targetRevision: '{{metadata.annotations.workload_repo_revision}}'
+        helm:
+          releaseName: 'external-secrets-example'
+          values: |
+            region: '{{metadata.annotations.aws_region}}'
+            externalSecret:
+              clusterSecretStore:
+                secret: '{{metadata.annotations.workload_sm_secret}}'
+              secretStore:
+                secret: '{{metadata.annotations.workload_pm_secret}}'
+      destination:
+        namespace: '{{metadata.annotations.external_secrets_namespace}}'
+        name: '{{name}}'
+      syncPolicy:
+        automated:
+        retry:
+          backoff:
+            duration: 1m
+          limit: 10
+        syncOptions:
+          - CreateNamespace=true

argocd/iac/terraform/examples/eks/external-secrets/k8s/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: resources
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

argocd/iac/terraform/examples/eks/external-secrets/k8s/templates/secrets.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: cluster-secretstore-sm
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: {{ .Values.region }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-secrets-sm
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: cluster-secretstore-sm
+    kind: ClusterSecretStore
+  dataFrom:
+  - extract:
+      key: {{ .Values.externalSecret.clusterSecretStore.secret }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: secretstore-ps
+spec:
+  provider:
+    aws:
+      service: ParameterStore
+      region: {{ .Values.region }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-secrets-ps
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: secretstore-ps
+    kind: SecretStore
+  dataFrom:
+  - extract:
+      key: {{ .Values.externalSecret.secretStore.secret }}

argocd/iac/terraform/examples/eks/external-secrets/k8s/values.yaml

@@ -0,0 +1,6 @@
+region: us-west-2
+externalSecret:
+  clusterSecretStore:
+    secret: secret
+  secretStore:
+    secret: /external-secrets/secret

argocd/iac/terraform/examples/eks/external-secrets/main.tf

@@ -43,16 +43,26 @@ provider "kubernetes" {
 }
 
 locals {
-  name            = "ex-${replace(basename(path.cwd), "_", "-")}"
-  environment     = "dev"
-  region          = "us-west-2"
-  cluster_version = "1.27"
-  gitops_url      = var.gitops_url
-  gitops_revision = var.gitops_revision
-  gitops_path     = var.gitops_path
+  name                   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  environment            = "dev"
+  region                 = "us-west-2"
+  cluster_version        = "1.27"
+  gitops_addons_org      = var.gitops_addons_org
+  gitops_addons_repo     = var.gitops_addons_repo
+  gitops_addons_path     = var.gitops_addons_path
+  gitops_addons_revision = var.gitops_addons_revision
+  gitops_addons_url      = "${local.gitops_addons_org}/${local.gitops_addons_repo}"
+
+  gitops_workload_org      = var.gitops_workload_org
+  gitops_workload_repo     = var.gitops_workload_repo
+  gitops_workload_path     = var.gitops_workload_path
+  gitops_workload_revision = var.gitops_workload_revision
+  gitops_workload_url      = "${local.gitops_workload_org}/${local.gitops_workload_repo}"
+
+  # Secret names in AWS
+  workload_sm_secret = local.name
+  workload_pm_secret = "/${local.name}/secret"
 
-  aws_secret_manager_secret_name = "argocd-ssh-key"
-  git_private_ssh_key = "~/.ssh/id_rsa" # Update with the git ssh key to be used by ArgoCD
 
   aws_addons = {
     enable_cert_manager = true
@@ -62,7 +72,7 @@ locals {
     #enable_aws_privateca_issuer                  = true
     #enable_cluster_autoscaler                    = true
     #enable_external_dns                          = true
-    enable_external_secrets                      = true
+    enable_external_secrets = true
     #enable_aws_load_balancer_controller          = true
     #enable_fargate_fluentbit                     = true
     #enable_aws_for_fluentbit                     = true
@@ -99,18 +109,24 @@ locals {
       aws_vpc_id       = module.vpc.vpc_id
     },
     {
-      gitops_bridge_repo_url      = local.gitops_url
-      gitops_bridge_repo_revision = local.gitops_revision
+      gitops_bridge_repo_url      = local.gitops_addons_url
+      gitops_bridge_repo_path     = local.gitops_addons_path
+      gitops_bridge_repo_revision = local.gitops_addons_revision
+    },
+    {
+      workload_repo_url      = local.gitops_addons_url
+      workload_repo_path     = local.gitops_addons_path
+      workload_repo_revision = local.gitops_addons_revision
+    },
+    {
+      workload_sm_secret = aws_ssm_parameter.secret_parameter.name
+      workload_pm_secret = aws_secretsmanager_secret.secret.name
     }
   )
 
   argocd_bootstrap_app_of_apps = {
-    addons = templatefile("${path.module}/bootstrap/addons.yaml", {
-      repoURL        = local.gitops_url
-      targetRevision = local.gitops_revision
-      path           = local.gitops_path
-    })
-    workloads = file("${path.module}/bootstrap/workloads.yaml")
+    addons = file("${path.module}/bootstrap/addons.yaml")
+    addons = file("${path.module}/bootstrap/workloads.yaml")
   }
 
   vpc_cidr = "10.0.0.0/16"
@@ -122,6 +138,35 @@ locals {
   }
 }
 
+################################################################################
+# Secret Manager & Parameter Store
+################################################################################
+resource "aws_kms_key" "secrets" {
+  enable_key_rotation = true
+}
+resource "aws_secretsmanager_secret" "secret" {
+  name                    = local.workload_sm_secret
+  recovery_window_in_days = 0
+  kms_key_id              = aws_kms_key.secrets.arn
+}
+resource "aws_secretsmanager_secret_version" "secret" {
+  secret_id = aws_secretsmanager_secret.secret.id
+  secret_string = jsonencode({
+    username = "secretuser",
+    password = "secretpassword"
+  })
+}
+resource "aws_ssm_parameter" "secret_parameter" {
+  name = local.workload_pm_secret
+  type = "SecureString"
+  value = jsonencode({
+    username = "secretuser",
+    password = "secretpassword"
+  })
+  key_id = aws_kms_key.secrets.arn
+}
+
+
 ################################################################################
 # GitOps Bridge: Metadata
 ################################################################################
@@ -144,20 +189,6 @@ module "gitops_bridge_bootstrap" {
   argocd_bootstrap_app_of_apps = local.argocd_bootstrap_app_of_apps
 }
 
-################################################################################
-# AWS Secret Manager
-################################################################################
-#tfsec:ignore:aws-ssm-secret-use-customer-key
-resource "aws_secretsmanager_secret" "git_ssh_key" {
-  name                    = local.aws_secret_manager_secret_name
-  recovery_window_in_days = 0 # Set to zero for this example to force delete during Terraform destroy
-}
-resource "aws_secretsmanager_secret_version" "git_ssh_key" {
-  secret_id     = aws_secretsmanager_secret.git_ssh_key.id
-  secret_string = file(pathexpand(local.git_private_ssh_key))
-}
-
-
 ################################################################################
 # EKS Blueprints Addons
 ################################################################################

argocd/iac/terraform/examples/eks/external-secrets/variables.tf

@@ -1,12 +1,33 @@
-variable "gitops_url" {
+variable "gitops_addons_org" {
+  description = "Git repository org/user contains for addons"
+  default     = "https://github.com/gitops-bridge-dev"
+}
+variable "gitops_addons_repo" {
   description = "Git repository contains for addons"
-  default     = "https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"
+  default     = "gitops-bridge-argocd-control-plane-template"
 }
-variable "gitops_revision" {
+variable "gitops_addons_path" {
+  description = "Git repository path for addons"
+  default     = "bootstrap/control-plane/addons"
+}
+variable "gitops_addons_revision" {
   description = "Git repository revision/branch/ref for addons"
   default     = "HEAD"
 }
-variable "gitops_path" {
-  description = "Git repository path for addons"
-  default     = "bootstrap/control-plane/addons"
+
+variable "gitops_workload_org" {
+  description = "Git repository org/user contains for workload"
+  default     = "https://github.com/gitops-bridge-dev"
+}
+variable "gitops_workload_repo" {
+  description = "Git repository contains for workload"
+  default     = "gitops-bridge"
+}
+variable "gitops_workload_path" {
+  description = "Git repository path for workload"
+  default     = "argocd/iac/terraform/examples/eks/external-secrets/k8s"
+}
+variable "gitops_workload_revision" {
+  description = "Git repository revision/branch/ref for workload"
+  default     = "HEAD"
 }