feat(secrets-management): add cloud-kms references for aws and gcp#66
Open
rawkode wants to merge 5 commits into
…to-end test
- Rewrite aws-kms and gcp-kms READMEs as numbered, copy-pasteable tutorials.
- Each example provisions its own VPC + CKS cluster and uses that cluster's OIDC issuer URL directly (no remote_state dependency).
- aws-kms: annotate SA with eks.amazonaws.com/role-arn for ESO IRSA; drop redundant role field from SecretStore.
- Add cpu-nodepool.yaml as a starter NodePool for clusters that don't get capacity automatically.
- Fix trim() -> trimspace() in OIDC presence check (Terraform trim/2).
- Add env.example KUBECONFIG entries and AWS_REGION clarification.
- Gitignore .envrc, kubeconfig, and tfplan in each example.
Pull request overview
This PR introduces a new secrets-management reference area with end-to-end AWS and GCP “Cloud KMS + managed secrets backend + External Secrets Operator” tutorials, including Terraform to provision a disposable CoreWeave VPC/CKS cluster plus cloud-side KMS and secret manager resources, and Kubernetes manifests to validate syncing into runtime Secrets.
Changes:
- Added top-level and secrets-management documentation to index the new reference architectures.
- Added AWS reference (KMS + Secrets Manager + OIDC federation) with Terraform + ESO manifests + validation steps.
- Added GCP reference (Cloud KMS CMEK + Secret Manager + Workload Identity Federation) with Terraform + ESO manifests + validation steps.
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| README.md | Links the new secrets-management reference area from the repo root. |
| secrets-management/README.md | Introduces secrets-management references and shared validation flow. |
| secrets-management/cloud-kms/README.md | Documents the Cloud KMS-based secrets references and links to provider-specific guides. |
| secrets-management/cloud-kms/aws-kms/README.md | AWS tutorial instructions for provisioning and validating ESO sync from Secrets Manager. |
| secrets-management/cloud-kms/aws-kms/.gitignore | Ignores local tutorial artifacts (envrc/kubeconfig). |
| secrets-management/cloud-kms/aws-kms/env.example | Example environment variable inputs for the AWS tutorial. |
| secrets-management/cloud-kms/aws-kms/manifests/00-namespace.yaml | Namespace manifest for the AWS tutorial. |
| secrets-management/cloud-kms/aws-kms/manifests/10-service-account.yaml | ServiceAccount for ESO auth in the AWS tutorial. |
| secrets-management/cloud-kms/aws-kms/manifests/20-secret-store.yaml | ESO SecretStore definition for AWS Secrets Manager. |
| secrets-management/cloud-kms/aws-kms/manifests/30-external-secret.yaml | ESO ExternalSecret mapping provider secrets to Kubernetes Secret keys. |
| secrets-management/cloud-kms/aws-kms/manifests/40-demo-app.yaml | Demo Deployment reading the synced Kubernetes Secret. |
| secrets-management/cloud-kms/aws-kms/manifests/cpu-nodepool.yaml | Optional NodePool manifest to ensure schedulable capacity. |
| secrets-management/cloud-kms/aws-kms/terraform/.gitignore | Terraform stack gitignore for AWS tutorial files/state. |
| secrets-management/cloud-kms/aws-kms/terraform/main.tf | Provisions CoreWeave VPC/CKS plus AWS KMS, Secrets Manager, OIDC provider, and IAM role/policy. |
| secrets-management/cloud-kms/aws-kms/terraform/outputs.tf | Exposes key outputs (cluster name, issuer URL, role ARN, secret names). |
| secrets-management/cloud-kms/aws-kms/terraform/providers.tf | Configures CoreWeave and AWS providers for the stack. |
| secrets-management/cloud-kms/aws-kms/terraform/terraform.tfvars.example | Example variables for the AWS tutorial stack. |
| secrets-management/cloud-kms/aws-kms/terraform/variables.tf | Defines inputs for CoreWeave + AWS provisioning and demo secret values. |
| secrets-management/cloud-kms/aws-kms/terraform/versions.tf | Pins Terraform/provider constraints for the AWS stack. |
| secrets-management/cloud-kms/gcp-kms/README.md | GCP tutorial instructions for provisioning and validating ESO sync from Secret Manager (CMEK). |
| secrets-management/cloud-kms/gcp-kms/.gitignore | Ignores local tutorial artifacts (envrc/kubeconfig). |
| secrets-management/cloud-kms/gcp-kms/env.example | Example environment variable inputs for the GCP tutorial. |
| secrets-management/cloud-kms/gcp-kms/manifests/00-namespace.yaml | Namespace manifest for the GCP tutorial. |
| secrets-management/cloud-kms/gcp-kms/manifests/10-service-account.yaml | ServiceAccount for ESO auth in the GCP tutorial. |
| secrets-management/cloud-kms/gcp-kms/manifests/20-secret-store.yaml | ESO SecretStore definition for GCP Secret Manager. |
| secrets-management/cloud-kms/gcp-kms/manifests/30-external-secret.yaml | ESO ExternalSecret mapping provider secrets to Kubernetes Secret keys. |
| secrets-management/cloud-kms/gcp-kms/manifests/40-demo-app.yaml | Demo Deployment reading the synced Kubernetes Secret. |
| secrets-management/cloud-kms/gcp-kms/manifests/cpu-nodepool.yaml | Optional NodePool manifest to ensure schedulable capacity. |
| secrets-management/cloud-kms/gcp-kms/terraform/.gitignore | Terraform stack gitignore for GCP tutorial files/state. |
| secrets-management/cloud-kms/gcp-kms/terraform/main.tf | Provisions CoreWeave VPC/CKS plus GCP KMS, Secret Manager CMEK secrets, and WIF resources/bindings. |
| secrets-management/cloud-kms/gcp-kms/terraform/outputs.tf | Exposes key outputs (cluster name, issuer URL, KMS key ID, principal, secret names). |
| secrets-management/cloud-kms/gcp-kms/terraform/providers.tf | Configures CoreWeave and Google providers for the stack. |
| secrets-management/cloud-kms/gcp-kms/terraform/terraform.tfvars.example | Example variables for the GCP tutorial stack. |
| secrets-management/cloud-kms/gcp-kms/terraform/variables.tf | Defines inputs for CoreWeave + GCP provisioning and demo secret values. |
| secrets-management/cloud-kms/gcp-kms/terraform/versions.tf | Pins Terraform/provider constraints for the GCP stack. |
…load_identity_pool_id
- Stop ignoring .terraform.lock.hcl in aws-kms and gcp-kms terraform dirs; commit the existing lock files so providers are pinned across runs (matches repo-level terraform/.gitignore guidance).
- Drop default = null from gcp-kms workload_identity_pool_id; the check in main.tf already asserts it must be set, so the variable is required.

Surfaced by Copilot PR review on #66.
Summary
- `secrets-management/`.
- `module.cks.service_account_oidc_issuer_url` — no `terraform_remote_state` dependency.
- `create_oidc_provider`) and GCP Workload Identity Pool/provider creation (`create_workload_identity_pool`).
- `eks.amazonaws.com/role-arn` annotation for ESO IRSA; SecretStore omits the redundant `role` field.
- `manifests/cpu-nodepool.yaml` starter for clusters without auto-allocated capacity.

Validation
- `terraform fmt` passes for both Terraform dirs.
- `aws secretsmanager put-secret-value` propagates within one refresh interval → IAM scope negative test returns `AccessDenied` on an out-of-scope secret → `terraform destroy` cleans up.
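The AWS leg of the flow this PR describes, written out as an added Terraform example: the cluster's OIDC issuer is registered as an IAM identity provider, a role is trusted only by one Kubernetes ServiceAccount, and the role's permissions are scoped to a single Secrets Manager secret encrypted under a customer-managed KMS key. That scoping is what makes the out-of-scope negative test in the validation notes return `AccessDenied`. This is not the PR's own `main.tf`; the variable `cluster_oidc_issuer_url` (the PR takes this value from the CKS module output), the `aws_region` variable, the namespace `secrets-demo`, the ServiceAccount `eso-sync`, the secret name `demo/app` and all resource names are assumptions chosen for illustration. It needs the `hashicorp/aws` and `hashicorp/tls` providers.

```hcl
# Added example, not the PR's own main.tf. Assumed inputs: the cluster's OIDC
# issuer URL (the PR reads it from the CKS module output) and the AWS region.
variable "cluster_oidc_issuer_url" {
  type        = string
  description = "OIDC issuer URL of the CKS cluster (assumed input)"
}

variable "aws_region" {
  type    = string
  default = "us-east-1" # assumed
}

locals {
  # IAM condition keys for a web identity use the issuer host without the scheme.
  issuer_host   = trimprefix(var.cluster_oidc_issuer_url, "https://")
  eso_namespace = "secrets-demo" # assumed namespace
  eso_sa        = "eso-sync"     # assumed ServiceAccount name
  eso_subject   = "system:serviceaccount:${local.eso_namespace}:${local.eso_sa}"
}

# Fetch the issuer's TLS chain so the identity provider can pin its thumbprint.
data "tls_certificate" "issuer" {
  url = var.cluster_oidc_issuer_url
}

resource "aws_iam_openid_connect_provider" "cks" {
  url             = var.cluster_oidc_issuer_url
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.issuer.certificates[0].sha1_fingerprint]
}

# Trust policy: only a token minted for this exact ServiceAccount, with the
# expected audience, may assume the role. Without the :sub condition any
# ServiceAccount in the cluster could.
data "aws_iam_policy_document" "eso_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.cks.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:sub"
      values   = [local.eso_subject]
    }
  }
}

resource "aws_iam_role" "eso" {
  name               = "eso-secrets-reader" # assumed
  assume_role_policy = data.aws_iam_policy_document.eso_trust.json
}

# Customer-managed key and one secret encrypted under it.
resource "aws_kms_key" "secrets" {
  description         = "CMK for demo secrets"
  enable_key_rotation = true
}

resource "aws_secretsmanager_secret" "app" {
  name       = "demo/app" # assumed secret name
  kms_key_id = aws_kms_key.secrets.arn
}

# Permissions scoped to that single secret ARN. GetSecretValue on any other
# secret from this role is denied, which is the negative test in the PR notes.
data "aws_iam_policy_document" "eso_read" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_secretsmanager_secret.app.arn]
  }

  statement {
    # Allow decryption only through Secrets Manager, not direct use of the key.
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${var.aws_region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "eso_read" {
  name   = "read-demo-app-secret"
  role   = aws_iam_role.eso.id
  policy = data.aws_iam_policy_document.eso_read.json
}

# The value to put in the ServiceAccount's eks.amazonaws.com/role-arn annotation.
output "eso_role_arn" {
  value = aws_iam_role.eso.arn
}
```

On the cluster side, the `eso_role_arn` output goes into the `eks.amazonaws.com/role-arn` annotation on the `eso-sync` ServiceAccount, and the ESO SecretStore references that ServiceAccount under `auth.jwt.serviceAccountRef`; ESO takes the role to assume from the annotation, which is why the SecretStore in this PR omits the `role` field. The trust policy's `:sub` condition is the piece to check when reviewing any such setup: a trust policy that only checks `:aud` lets every ServiceAccount in the cluster assume the role.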