Add AWS SM vault_password (#80)

* Add AWS SM vault_password * Add alternative k8s cluster admin * Update ansible-roles/eks_cluster_init/tasks/main.yml Co-authored-by: jack-clarke-luthersystems <[email protected]> --------- Co-authored-by: jack-clarke-luthersystems <[email protected]>
luthersystems · Sep 9, 2024 · 8467b26 · 8467b26
1 parent 8936c6b
commit 8467b26
Show file tree

Hide file tree

Showing 6 changed files with 224 additions and 95 deletions.
diff --git a/ansible-roles/eks_cluster_init/defaults/main.yml b/ansible-roles/eks_cluster_init/defaults/main.yml
@@ -5,6 +5,7 @@ eks_cluster_init_default_storageclass: gp3-encrypted
 
 # eks_cluster_init_eks_worker_iam_role_arn: ""
 # eks_cluster_init_k8s_admin_role_arn: ""
+eks_cluster_init_k8s_alt_admin_role_arn: ""
 # eks_cluster_init_storage_kms_key_id: ""
 
 eks_cluster_init_available_encrypted_storage_types:

diff --git a/ansible-roles/eks_cluster_init/tasks/main.yml b/ansible-roles/eks_cluster_init/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 # tasks file for eks_cluster_init
 
-- name: Enable IAM admin role access
+- name: Enable IAM admin role access without alternative admin
   kubernetes.core.k8s:
     kind: ConfigMap
     name: aws-auth
@@ -25,6 +25,37 @@
     - eks_cluster_init_configure_aws_auth
     - eks_cluster_init_eks_worker_iam_role_arn is defined
     - eks_cluster_init_k8s_admin_role_arn is defined
+    - eks_cluster_init_k8s_alt_admin_role_arn is not defined
+
+- name: Enable IAM admin role access with alternate admin
+  kubernetes.core.k8s:
+    kind: ConfigMap
+    name: aws-auth
+    namespace: kube-system
+    definition:
+      data:
+        mapRoles: "{{ map_roles_with_alt | to_nice_yaml(indent=2) }}"
+  vars:
+    map_roles_with_alt:
+      - rolearn: "{{ eks_cluster_init_eks_worker_iam_role_arn }}"
+        username: !unsafe system:node:{{EC2PrivateDNSName}}
+        groups:
+          - system:bootstrappers
+          - system:nodes
+      - rolearn: "{{ eks_cluster_init_k8s_admin_role_arn }}"
+        username: luther:admin
+        groups:
+          - system:masters
+      - rolearn: "{{ eks_cluster_init_k8s_alt_admin_role_arn }}"
+        username: luther:admin
+        groups:
+          - system:masters
+  environment: "{{ kubectl_env }}"
+  when:
+    - eks_cluster_init_configure_aws_auth
+    - eks_cluster_init_eks_worker_iam_role_arn is defined
+    - eks_cluster_init_k8s_admin_role_arn is defined
+    - eks_cluster_init_k8s_alt_admin_role_arn is defined
 
 - name: Get all StorageClasses
   kubernetes.core.k8s_info:

diff --git a/scripts/keyvault.py b/scripts/keyvault.py
@@ -1,8 +1,54 @@
+import boto3
 from azure.keyvault.secrets import SecretClient
 from azure.identity import DefaultAzureCredential
 
-def get_secret(az_vault, az_vault_key):
-    vault_uri = f'https://{az_vault}.vault.azure.net'
+
+def get_azure_secret(az_vault, az_vault_key):
+    vault_uri = f"https://{az_vault}.vault.azure.net"
     credential = DefaultAzureCredential()
     client = SecretClient(vault_url=vault_uri, credential=credential)
-    return client.get_secret(az_vault_key).value
+    return client.get_secret(az_vault_key).value
+
+
+def get_aws_secret(
+    aws_secret_name,
+    aws_region_name,
+    role_arn=None,
+    session_name="AssumeRoleVaultSession1",
+):
+    """
+    Retrieve a secret from AWS Secrets Manager, optionally assuming a role before retrieval.
+
+    :param aws_secret_name: The name of the secret to retrieve
+    :param aws_region_name: The AWS region where the secret is stored
+    :param role_arn: (Optional) The ARN of the role to assume
+    :param session_name: (Optional) A name for the assumed session
+    :return: The secret string from AWS Secrets Manager
+    """
+    if role_arn:
+        # Assume the role
+        sts_client = boto3.client("sts")
+        assumed_role_object = sts_client.assume_role(
+            RoleArn=role_arn, RoleSessionName=session_name
+        )
+        credentials = assumed_role_object["Credentials"]
+
+        # Create a new session with the assumed role's credentials
+        session = boto3.Session(
+            aws_access_key_id=credentials["AccessKeyId"],
+            aws_secret_access_key=credentials["SecretAccessKey"],
+            aws_session_token=credentials["SessionToken"],
+            region_name=aws_region_name,
+        )
+    else:
+        # Use default session if no role assumption is needed
+        session = boto3.session.Session()
+
+    # Create the Secrets Manager client
+    client = session.client(service_name="secretsmanager", region_name=aws_region_name)
+
+    # Retrieve the secret
+    response = client.get_secret_value(
+        SecretId=aws_secret_name, VersionStage="AWSCURRENT"
+    )
+    return response["SecretString"]