Remove SA and improve naming (#2)

utilitywarehouse · Nov 1, 2019 · 1280be0 · 1280be0
1 parent b62b522
commit 1280be0
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,12 @@ Git repository.
 - `POLL_INTERVAL_SECONDS` - (int) (default: `5`) Number of seconds to wait between each check for new commits to the repo
 - `REPO_PATH_FILTERS` - (string) (default: `""`) A comma separated list of sub directories to be applied. Supports [shell file name patterns](https://golang.org/pkg/path/filepath/#Match).
 
+#### Variables used by terraform resources
+
+You can also provide environment variables for use by terraform providers (such as AWS_ACCESS_KEY_ID) or variables for use in your
+code (TF_VAR_your_variable_name). This is useful for providing sensitive values that you don't want to save in version control or
+variables that are only available in your Kube environment
+
 ## Monitoring
 
 ### Metrics

diff --git a/manifests/base/terraform-applier.yaml b/manifests/base/terraform-applier.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: terraform-applier
----
-apiVersion: v1
 kind: Service
 metadata:
   annotations:
@@ -36,7 +31,6 @@ spec:
       labels:
         app: terraform-applier
     spec:
-      serviceAccountName: terraform-applier
       containers:
         - name: git-sync
           image: k8s.gcr.io/git-sync:v3.1.2
@@ -64,7 +58,6 @@ spec:
               memory: 512Mi
         - name: terraform-applier
           image: quay.io/utilitywarehouse/terraform-applier:0.1.0
-          env:
           volumeMounts:
             - name: git-repo
               mountPath: /src
@@ -83,5 +76,5 @@ spec:
           emptyDir: {}
         - name: git-secret
           secret:
-            secretName: ssh
+            secretName: git-sync
             defaultMode: 0440
diff --git a/manifests/example/kustomization.yaml b/manifests/example/kustomization.yaml
@@ -8,14 +8,16 @@ resources:
 patchesStrategicMerge:
   - terraform-applier-patch.yaml
 secretGenerator:
-  # aws secret access key
-  - name: aws
+  # Needed by git-sync to clone repositories
+  - name: git-sync
     type: Opaque
     files:
-      - aws-secret-access-key=secrets/aws-secret-access-key
-  # ssh key to clone the "root" terraform modules repository, used by git-sync
-  - name: ssh
+      - ssh=secrets/git-sync-ssh-key
+      - known_hosts=resources/git-sync-known_hosts
+  # Used by terraform-applier. Will differ based on terraform resources being applied
+  # Example for the AWS provider and for a custom resource secret
+  - name: terraform-applier
     type: Opaque
     files:
-      - ssh=secrets/ssh
-      - known_hosts=resources/known_hosts
+      - terraform-aws-provider-secret=secrets/terraform-applier-terraform-aws-provider-secret
+      - example-app-s3-reader-secret=secrets/terraform-applier-example-app-s3-reader-secret
diff --git a/manifests/example/resources/known_hosts → ...ts/example/resources/git-sync-known_hosts b/manifests/example/resources/known_hosts → ...ts/example/resources/git-sync-known_hosts
diff --git a/manifests/example/secrets/ssh → manifests/example/secrets/git-sync-ssh-key b/manifests/example/secrets/ssh → manifests/example/secrets/git-sync-ssh-key
diff --git a/...sts/example/secrets/aws-secret-access-key → ...form-applier-example-app-s3-reader-secret b/...sts/example/secrets/aws-secret-access-key → ...form-applier-example-app-s3-reader-secret
diff --git a/manifests/example/secrets/terraform-applier-terraform-aws-provider-secret b/manifests/example/secrets/terraform-applier-terraform-aws-provider-secret
@@ -0,0 +1 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
diff --git a/manifests/example/terraform-applier-patch.yaml b/manifests/example/terraform-applier-patch.yaml
@@ -6,24 +6,36 @@ spec:
   template:
     spec:
       containers:
+        - name: git-sync
+          env:
+            - name: GIT_SYNC_REPO
+              value: "[email protected]:org/repo.git"
         - name: terraform-applier
           env:
-            # AWS credentials for use by an S3 backend/AWS provider. Substitute the configuration for your particular
-            # backends and providers.
-            - name: AWS_ACCESS_KEY_ID
-              value: AAAAAAAAAAAAAAAAAAAA
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: aws
-                  key: aws-secret-access-key
+            # terraform-applier vars
             - name: REPO_PATH
               value: "/src/modules/example-env"
             - name: REPO_PATH_FILTERS
               value: "my-module-1,my-module-2,env-*"
             - name: DIFF_URL_FORMAT
               value: "https://github.com/org/repo/commit/%s"
-        - name: git-sync
-          env:
-            - name: GIT_SYNC_REPO
-              value: "[email protected]:org/repo.git"
+            #
+            # Variables from now depend on what terraform providers and resources you use
+            # Substitute above configuration for your particular needs
+            #
+            # terraform-provider-aws vars
+            - name: AWS_ACCESS_KEY_ID
+              value: "AAAAAAAAAAAAAAAAAAAA"
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: terraform-applier
+                  key: terraform-aws-provider-secret
+            # custom terraform resources vars
+            - name: TF_VAR_s3_reader_access_key_id
+              value: "AAAAAAAAAAAAAAAAAAAA"
+            - name: TF_VAR_s3_reader_secret_access_key
+              valueFrom:
+                secretKeyRef:
+                  name: terraform-applier
+                  key: example-app-s3-reader-secret