diff --git a/modules/aws/eks/main.tf b/modules/aws/eks/main.tf index d265a9e..d95be79 100644 --- a/modules/aws/eks/main.tf +++ b/modules/aws/eks/main.tf @@ -184,4 +184,53 @@ resource "aws_iam_role_policy_attachment" "ebs_csi_policy_attach" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } +##Resource for creating an managed policy of SecretsManager&SSM Parameterstore readonly for Node Role +resource "aws_iam_policy" "s3_read_only_policy" { + name_prefix = "SSMSecretsManagerReadOnlyPolicy" + policy = jsonencode({ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "ssm:DescribeParameters", + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParametersByPath" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "kms:DescribeCustomKeyStores", + "kms:ListKeys", + "kms:ListAliases" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt", + "kms:GetKeyRotationStatus", + "kms:GetKeyPolicy", + "kms:DescribeKey" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + }) +} + +##Resource for attaching Externalsecrets Readonly Policy to NodeIAMRole +resource "aws_iam_role_policy_attachment" "secrets_policy_attach" { + role = module.eks.worker_iam_role_name + policy_arn = aws_iam_policy.s3_read_only_policy.arn +} + + + diff --git a/modules/gcp/gke/main.tf b/modules/gcp/gke/main.tf index 720ee6d..d0f647b 100644 --- a/modules/gcp/gke/main.tf +++ b/modules/gcp/gke/main.tf @@ -39,7 +39,7 @@ resource "google_compute_subnetwork" "cluster_subnet" { module "gke" { depends_on = [google_compute_subnetwork.cluster_subnet] - source = "github.com/argonautdev/terraform-google-kubernetes-engine//modules/private-cluster?ref=v21.1.6" + source = "github.com/argonautdev/terraform-google-kubernetes-engine//modules/private-cluster?ref=v21.1.7" project_id = var.project_id name = var.cluster_name description = var.description
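Review bot: The new `aws_iam_policy.s3_read_only_policy` grants `secretsmanager:GetSecretValue`, `ssm:GetParameter*` and `kms:Decrypt` on `"Resource": "*"` and is attached to the worker node role via `module.eks.worker_iam_role_name`, so every pod that can reach the instance metadata endpoint inherits read access to every secret, parameter and KMS-encrypted value in the account, not just the ones External Secrets needs. Scope the first and third statements to the ARNs (or a name prefix) of the secrets/parameters and the KMS keys this cluster actually reads, e.g. `"Resource": ["arn:aws:secretsmanager:<region>:<account>:secret:<prefix>*", "arn:aws:ssm:<region>:<account>:parameter/<prefix>*"]`, and prefer attaching the policy to an IRSA role bound to the External Secrets service account rather than the node role, which the comment "Externalsecrets Readonly Policy" suggests is the real consumer. If the wildcard is deliberate for now, say so in the comment, e.g. `## TODO(security): narrow Resource from "*" to the secret/parameter/key ARNs this cluster reads; node-role attachment exposes this to every pod on the node`. The resource label `s3_read_only_policy` and the `name_prefix` `SSMSecretsManagerReadOnlyPolicy` disagree and neither mentions S3; renaming the label to `secrets_read_only_policy` (and fixing "an managed" in the comment) would avoid a misleading state address, though it will force a replace on apply.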