Replacing Secrets Manager to SSM to store Grafana API Key (#178)

* Fixing SSM

* Fixing SSM

* Replacing Secrets Manager with SSM

* Replacing Secrets Manager with SSM

docs/eks/index.md

@@ -231,18 +231,13 @@ export GO_AMG_API_KEY=$(aws grafana create-workspace-api-key \
   --output text)
 ```
 
-- Next, lets grab the Grafana API key secret name from AWS Secrets Manager. The keyname should start with `terraform-..`
-
-```bash
-aws secretsmanager list-secrets
-```
-
 - Finally, update the Grafana API key secret in AWS Secrets Manager using the above new Grafana API key:
 
 ```bash
-aws secretsmanager update-secret \
-    --secret-id  <Your Secret Name> \
-    --secret-string "{\"GF_SECURITY_ADMIN_APIKEY\": \"${GO_AMG_API_KEY}\"}" \
+aws aws ssm put-parameter \
+    --name "/terraform-accelerator/grafana-api-key" \
+    --type "SecureString" \
+    --value "{\"GF_SECURITY_ADMIN_APIKEY\": \"${GO_AMG_API_KEY}\"}" \
     --region <Your AWS Region>
 ```
 

modules/eks-monitoring/add-ons/external-secrets/README.md

@@ -32,8 +32,7 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p
 |------|------|
 | [aws_iam_policy.cluster_secretstore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_key.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_ssm_parameter.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [kubectl_manifest.cluster_secretstore](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.secret](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

modules/eks-monitoring/add-ons/external-secrets/main.tf

@@ -36,12 +36,13 @@ resource "aws_iam_policy" "cluster_secretstore" {
     {
       "Effect": "Allow",
       "Action": [
-        "secretsmanager:GetResourcePolicy",
-        "secretsmanager:GetSecretValue",
-        "secretsmanager:DescribeSecret",
-        "secretsmanager:ListSecretVersionIds"
+        "ssm:DescribeParameters",
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath",
+        "ssm:GetParameterHistory"
       ],
-      "Resource": "${aws_secretsmanager_secret.secret.arn}"
+      "Resource": "${aws_ssm_parameter.secret.arn}"
     },
     {
       "Effect": "Allow",
@@ -64,7 +65,7 @@ metadata:
 spec:
   provider:
     aws:
-      service: SecretsManager
+      service: ParameterStore
       region: ${data.aws_region.current.name}
       auth:
         jwt:
@@ -75,16 +76,15 @@ YAML
   depends_on = [module.external_secrets]
 }
 
-resource "aws_secretsmanager_secret" "secret" {
-  recovery_window_in_days = 0
-  kms_key_id              = aws_kms_key.secrets.arn
-}
-
-resource "aws_secretsmanager_secret_version" "secret" {
-  secret_id = aws_secretsmanager_secret.secret.id
-  secret_string = jsonencode({
+resource "aws_ssm_parameter" "secret" {
+  name        = "/terraform-accelerator/grafana-api-key"
+  description = "SSM Secret to store grafana API Key"
+  type        = "SecureString"
+  value = jsonencode({
     GF_SECURITY_ADMIN_APIKEY = var.grafana_api_key
   })
+  key_id    = aws_kms_key.secrets.id
+  overwrite = true
 }
 
 resource "kubectl_manifest" "secret" {
@@ -103,7 +103,7 @@ spec:
     name: ${var.target_secret_name}
   dataFrom:
   - extract:
-      key: ${aws_secretsmanager_secret.secret.name}
+      key: ${aws_ssm_parameter.secret.name}
 YAML
   depends_on = [module.external_secrets]
 }