This script automates the management of AWS SSM Parameters and Secrets for configuring Gen3 EKS clusters. It handles the deployment of environment-specific configurations, IAM role configurations, and ArgoCD admin secrets. The script ensures that parameter and secret values are up-to-date and creates them if they don't exist.
To use this script in your own AWS environment, fork this repository to your GitHub account. This will allow you to make modifications and updates as needed.
Clone the forked repository to your local machine:
git clone https://github.com/AustralianBioCommonsE/gen3-cdk-config-manager.git
cd gen3-cdk-config-manager
Ensure you have Node.js installed on your system. Install the necessary packages by running:
npm install
Install TypeScript globally (if not already installed):
npm install -g typescript
The script expects configuration files to be in a directory, with .secrets/
as the default path. If you choose a different path, use the --config-path
argument to specify it (see below for usage).
Create the configuration files in the path as follows:
- config.yaml: Contains the general configuration for each environment.
- iamRolesConfig.yaml: Holds IAM roles configuration for different services across environments.
- clusterConfig.yaml: Contains EKS cluster configuration details.
- blueprint-repo.yaml: Holds information about the GitHub repository for EKS blueprints.
- AWS Credentials: Ensure your AWS CLI is configured with credentials that have permissions to manage SSM Parameters and Secrets Manager in the target AWS account.
- Environment Variables:
AWS_REGION
: (Optional) The AWS region to use. Defaults toap-southeast-2
.
The script loads configuration data from the specified directory:
- config.yaml: General configuration for each environment.
- iamRolesConfig.yaml: IAM roles configuration for different services across environments.
- clusterConfig.yaml: EKS cluster configuration details.
- blueprint-repo.yaml: GitHub repository information for EKS blueprints.
-
SSM Parameters:
- Updates or creates parameters in AWS SSM Parameter Store, depending on the presence of the
--updateenv
flag,--updatenetwork
for the AWS network parameter. - Supports configurations for each specified environment.
- Updates or creates parameters in AWS SSM Parameter Store, depending on the presence of the
-
Secrets Manager:
- Manages the ArgoCD admin password for each environment.
- Restores secrets if they are marked for deletion.
The tool expects a specific directory structure for configuration files. By default, it looks for configuration files in the .secrets
directory, which should be placed in the root of the project.
The expected files are:
config.yaml
: Contains environment-specific configuration.iamRolesConfig.yaml
: Defines IAM roles configuration for services.clusterConfig.yaml
: Contains cluster configuration settings.blueprint-repo.yaml
: Configuration for the blueprint repository.
Quick Start
-
Update the configuration files found in
src/config
with your own AWS account details. -
Deploy the configuration to your tools/management or dev account:
npx ts-node src/index.ts --configDir ./config --environments dev
For subsequent config deployments, you will need provide the following flags --updateenv
or --updatenetwork
, or both , in order to make updates to existing parameter stores.
Example:
npx ts-node src/index.ts --configDir <path-to-config-dir> \
--environments <env1> <env2> ... --updateenv --updatenetwork
--configDir
: (Optional) Path to the configuration directory. Defaults to.secrets
.--environments
: (Required) List of environments to process (e.g.,dev staging prod
).--updateenv
: (Optional) Flag to overwrite existing parameters in SSM. Defaults tofalse
.--updatenetwork
: (Optional) Flag to overwrite existing global parameter (/gen3/config
) in SSM. Defaults tofalse
.
The script performs the following actions:
- Load Configuration: It reads the necessary configuration files from the specified directory.
- Check Existing Parameters: It checks if SSM parameters already exist and decides whether to update them based on the provided flags.
- Handle Secrets: It manages secrets in AWS Secrets Manager, including creating, retrieving, and restoring secrets if necessary.
- Ensure that the AWS CLI is configured properly and that you have the necessary permissions to access SSM and Secrets Manager.
- Check that the specified configuration directory exists and contains the required files.
- If you encounter any errors, verify the structure of your configuration files and ensure they match the expected format.
This project is licensed under the Apache 2.0 License.