diff --git a/docs/eks/index.md b/docs/eks/index.md index 7ce4edce..81def632 100644 --- a/docs/eks/index.md +++ b/docs/eks/index.md @@ -231,18 +231,13 @@ export GO_AMG_API_KEY=$(aws grafana create-workspace-api-key \ --output text) ``` -- Next, lets grab the Grafana API key secret name from AWS Secrets Manager. The keyname should start with `terraform-..` - -```bash -aws secretsmanager list-secrets -``` - - Finally, update the Grafana API key secret in AWS Secrets Manager using the above new Grafana API key: ```bash -aws secretsmanager update-secret \ - --secret-id \ - --secret-string "{\"GF_SECURITY_ADMIN_APIKEY\": \"${GO_AMG_API_KEY}\"}" \ +aws aws ssm put-parameter \ + --name "/terraform-accelerator/grafana-api-key" \ + --type "SecureString" \ + --value "{\"GF_SECURITY_ADMIN_APIKEY\": \"${GO_AMG_API_KEY}\"}" \ --region ``` diff --git a/modules/eks-monitoring/add-ons/external-secrets/README.md b/modules/eks-monitoring/add-ons/external-secrets/README.md index 8d13e60b..0506f8d0 100644 --- a/modules/eks-monitoring/add-ons/external-secrets/README.md +++ b/modules/eks-monitoring/add-ons/external-secrets/README.md 
@@ -32,8 +32,7 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p
 |------|------|
 | [aws_iam_policy.cluster_secretstore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_key.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_ssm_parameter.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [kubectl_manifest.cluster_secretstore](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.secret](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/modules/eks-monitoring/add-ons/external-secrets/main.tf b/modules/eks-monitoring/add-ons/external-secrets/main.tf
index 8633d7b3..dd3ed2c4 100644
--- a/modules/eks-monitoring/add-ons/external-secrets/main.tf
+++ b/modules/eks-monitoring/add-ons/external-secrets/main.tf
@@ -36,12 +36,13 @@ resource "aws_iam_policy" "cluster_secretstore" {
 {
 "Effect": "Allow",
 "Action": [
- "secretsmanager:GetResourcePolicy",
- "secretsmanager:GetSecretValue",
- "secretsmanager:DescribeSecret",
- "secretsmanager:ListSecretVersionIds"
+ "ssm:DescribeParameters",
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:GetParametersByPath",
+ "ssm:GetParameterHistory"
 ],
- "Resource": "${aws_secretsmanager_secret.secret.arn}"
+ "Resource": "${aws_ssm_parameter.secret.arn}"
 },
 {
 "Effect": "Allow",
@@ -64,7 +65,7 @@ metadata:
 spec:
 provider:
 aws:
- service: SecretsManager
+ service: ParameterStore
 region: ${data.aws_region.current.name}
 auth:
 jwt:
@@ -75,16 +76,15 @@ YAML
 depends_on = [module.external_secrets]
 }
-resource "aws_secretsmanager_secret" "secret" {
- recovery_window_in_days = 0
- kms_key_id = aws_kms_key.secrets.arn
-}
-
-resource "aws_secretsmanager_secret_version" "secret" {
- secret_id = aws_secretsmanager_secret.secret.id
- secret_string = jsonencode({
+resource "aws_ssm_parameter" "secret" {
+ name = "/terraform-accelerator/grafana-api-key"
+ description = "SSM Secret to store grafana API Key"
+ type = "SecureString"
+ value = jsonencode({
 GF_SECURITY_ADMIN_APIKEY = var.grafana_api_key
 })
+ key_id = aws_kms_key.secrets.id
+ overwrite = true
 }
 resource "kubectl_manifest" "secret" {
@@ -103,7 +103,7 @@ spec:
 name: ${var.target_secret_name}
 dataFrom:
 - extract:
- key: ${aws_secretsmanager_secret.secret.name}
+ key: ${aws_ssm_parameter.secret.name}
 YAML
 depends_on = [module.external_secrets]
 }
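Review bot: The new Action list grants more than the operator's single-parameter read needs, and one entry is likely ineffective as written: `ssm:DescribeParameters` does not support resource-level permissions, so scoping it to `${aws_ssm_parameter.secret.arn}` should be denied rather than allowed, and a `dataFrom.extract` lookup by name does not require it anyway. `ssm:GetParameterHistory` returns every value the parameter has ever held, which after the rotation runbook in the docs hunk means every previous Grafana API key, and `ssm:GetParametersByPath` is a prefix listing this ExternalSecret never performs. I would trim the statement to `"Action": ["ssm:GetParameter", "ssm:GetParameters"]` against the parameter ARN and rely on the following KMS statement (whose body is outside the hunk) for decrypting the SecureString. The enclosing `aws_iam_policy.cluster_secretstore` resource starts and ends outside the hunk.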
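Review bot: `overwrite = true` combined with a Terraform-managed `value` means the out-of-band rotation described in the docs hunk (`aws ssm put-parameter` with a freshly created key) is undone by the next `terraform apply`, which will see the drift and write `var.grafana_api_key` back, reverting the cluster to the old key; if rotation is meant to stay outside Terraform, add `lifecycle { ignore_changes = [value] }` to `aws_ssm_parameter.secret`, otherwise feed the new key through the variable instead of calling the CLI. The fixed `name = "/terraform-accelerator/grafana-api-key"` also replaces the previously generated unique secret name, so two instances of this module in one account and region will silently clobber each other's key through that same `overwrite` flag — deriving the name from a configurable prefix would avoid that. The plaintext API key lands in Terraform state either way, as the removed `secret_string` did, so the state backend needs the same protection as the KMS-encrypted parameter. The `aws_ssm_parameter.secret` resource is fully inside the hunk.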