Mahira Technology Private Limited's Blog
Terraform Mastery: Conquer External Secrets Operator Deployment on AWS EKS

Photo by Growtika on Unsplash

Terraform Mastery: Conquer External Secrets Operator Deployment on AWS EKS

Mahira Technology Private Limited's photo
Mahira Technology Private Limited
·

4 min read

Overview :-

In today’s cloud-native landscape, managing secrets securely is crucial for maintaining the integrity and security of your applications. The External #Secrets Operator #(ESO) is a powerful tool that helps you manage and use secrets from external secret management systems in your Kubernetes clusters. This blog post will guide you through deploying the External #Secrets Operator on an Amazon EKS cluster using Terraform.

Pre-requisites :-

Before we dive into the deployment process, make sure you have the following prerequisites in place:

  1. #An AWS account with appropriate permissions

  2. ##Terraform installed on your local machine

  3. #AWS CLI configured with your credentials

  4. #kubectl installed and configured to interact with your EKS cluster

  5. Basic knowledge of Kubernetes and Terraform concepts

  6. An Eks cluster should be deployed on your Aws Account

Tip: If you’re new to Terraform or EKS, it’s recommended to familiarize yourself with these technologies before proceeding with this guide.

Procedure :-

Let’s break down the process of deploying the External Secrets Operator on AWS EKS using Terraform into manageable steps:

Step 1: Set up your #Terraform configuration

Create a new directory for your Terraform project and with in the directory create one more directory with name #helm and secrets_operator.

mkdir external_secrets

Step 2: Define the Terraform provider

Create a file named providers.tf and add the following content:

terraform {
  required_providers {
    helm = {
     source = "hashicorp/helm"
     version = "2.15.0"
    }
    aws = {
     source = "hashicorp/aws"
     version = "5.0.1"
    }
    kubernetes = {
     source = "hashicorp/kubernetes"
     version = "2.14.0"
    }
  }
}

Step 3: Create the resource configuration in main.tf

In your main.tf file, add the following resource to create a namespace for the #External Secrets Operator and helm release for external secret.

data "aws_eks_cluster" "default" {
  name = "mahira-eks-cluster"
}

data "aws_eks_cluster_auth" "default" {
  name = "mahira-eks-cluster"
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.default.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.default.token
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.default.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority.0.data)
    token                  = data.aws_eks_cluster_auth.default.token
  }
}

provider "aws" {
  kubernetes {
    host                   = data.aws_eks_cluster.default.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority.0.data)
    token                  = data.aws_eks_cluster_auth.default.token
  }
}
locals {
  external_values = templatefile("./data/values.yaml.tftpl", {
    fullnameOverride = "external-secrets"
    })  
}

resource "kubernetes_namespace" "external_secrets" {
    metadata {
    name = "external-secrets"
  }
}

resource "helm_release" "external_secret" {
  name       = "external-secrets"
  repository = "https://charts.external-secrets.io"
  chart      = "external-secrets"
  namespace  = kubernetes_namespace.external_secrets.metadata[0].name
  version    = "v0.9.20"
  values = [local.external_values]
}

Step 5: Create an IAM role and Configure AWS Secrets Manager access

To allow the #External Secrets Operator to access AWS Secrets Manager, you’ll need to create an #IAM role and attach the necessary policies. Add the following resources to your main.tf:

data "aws_iam_policy_document" "eso_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"
    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:sub"
      values   = ["system:serviceaccount:${kubernetes_namespace.eso.metadata[0].name}:external-secrets"]
    }
  }
}
resource "aws_iam_role" "eso" {
  name               = "eks-external-secrets-operator"
  assume_role_policy = data.aws_iam_policy_document.eso_assume_role.json
  managed_policy_arns = [
   "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
  ]
}

Step 6: Create a Kubernetes service account

Create a Kubernetes service account for the External Secrets Operator:

resource "kubernetes_service_account" "external_secrets_operator" {
  metadata {
    name      = "external-secrets-operator"
    namespace = "external-secrets"
    annotations = {
      "eks.amazonaws.com/role-arn" = "THE ABOVE CREATED IAM SECRETS ACCESS role_arn"
    }
  }
}

resource "kubernetes_manifest" "secret_store" {
  manifest = {
    "apiVersion" = "external-secrets.io/v1beta1"
    "kind"       = "SecretStore"
    "metadata" = {
      "name"      = "token-secret-store"
      "namespace" = "external-secrets"
    }
    "spec" = {
      "provider" = {
        "aws" = {
          "service" = "SecretsManager"
          "region"  = "us-east-1"
          "auth" = {
            "jwt" = {
              "serviceAccountRef" = {
                "name" = "${kubernetes_service_account.external_secrets_operator.metadata[0].name}"
              }
            }
          }
        }
      }
    }
  }
}

resource "kubernetes_manifest" "external_secret" {
  manifest = {
    "apiVersion" = "external-secrets.io/v1beta1"
    "kind"       = "ExternalSecret"
    "metadata" = {
      "name"      = "token"
      "namespace" = "external-secrets"
    }
    "spec" = {
      "refreshInterval" = "5s"
      "secretStoreRef" = {
        "name" = "${kubernetes_manifest.secret_store.manifest["metadata"]["name"]}"
        "kind" = "SecretStore"
      }
      "target" = {
        "name"           = "token"
        "creationPolicy" = "Owner"
      }
     "data" = [
        {
          "secretKey" = "token"
          "remoteRef" = {
            "key"      = "example-secret"
            "property" = "token"
          }
        },
        {
          "secretKey" = "created_at"
          "remoteRef" = {
            "key"      = "example-secret"
            "property" = "created_at"
          }
        },
      ]
    }
  }
}

Step-7:- Here is the terraform code for the variables.tf file.

variable "env_name" {
  type        = string
  description = "Type of environment ex: dev, stage or prod"
}

variable "eks_cluster_name" {
  type        = string
  description = "name of eks cluster"
}

Step 8: Apply the Terraform configuration

Run the following commands to apply your Terraform configuration and check the external secrets operator is being deployed or not on your cluster.

terraform plan
terraform apply
  • Run the below command to check the external-secrets operator deployment.
kubectl get secret secrets-manager-secret -n external-secrets

Conclusion :-

By following this guide, you’ve successfully deployed the External Secrets Operator on your #AWS EKS cluster using Terraform. This setup allows you to securely manage and use secrets from #AWS Secrets Manager in your Kubernetes applications.

Remember to regularly update your #External Secrets Operator and review your #IAM policies to maintain the security of your cluster. Happy secret managing!

Kubernetesexternal-secretsDevopsAWSbest practicescontainer orchestrationTerraformEKS