1 of 3

Apono Connector for Kubernetes

How to install a Connector on a Kubernetes cluster to integrate Kubernetes with Apono

Overview

To integrate with Kubernetes and start managing JIT access to Kubernetes resources, you must first install a connector in your Kubernetes cluster.

This is can be done by one of the following methods:

Helm
Terraform

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

With Helm

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by running a Helm command with the necessary parameters.

Prerequisites

An existing Kubernetes project on one of the following platforms:
- Google Kubernetes Engine (GKE)
- Elastic Kubernetes Service (EKS)
- Azure Kubernetes Engine (AKS)
- Kubernetes (self-managed)
Helm
kubectl

Step-by-step guide

Find Your Integration Token

Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

From the drop-down list on the next page select Add a New Connector, and then select Help.
Copy the token displayed toward the bottom of the page.

Install the Connector

Run the following Helm command in a terminal:

Without permissions

If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

With permissions

If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=true \
    --namespace apono-connector \
    --create-namespace

Where:

[APONO_TOKEN] is the token copied from the integration page in the previous step.
[CONNECTOR_NAME] is any name you choose to give the connector.

Helm will finish with a message that the apono-connector has been installed.

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Results and next steps

The Kubernetes Connector is now installed.

Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
The Connector is found by the form, marked by a green checkmark

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Troubleshooting

If you are managing more than one Kubernetes cluster, you must be certain that the current context points to the cluster into which the Apono connector is to be added.
- Get the current context with kubectl config current-context
- Set the current context with kubectl config use-context [clustername]

With Terraform

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by adding an Apono module to your Terraform configuration.

Prerequisites

A Kubernetes project on one of the following platforms:
- Google Kubernetes Engine (GKE)
- Elastic Kubernetes Service (EKS)
- Azure Kubernetes Engine (AKS)
- Kubernetes (self-managed)
Terraform with the following providers:
- Helm
- Kubernetes
- AWS

Step-by-step guide

Find Your Integration Token

Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

From the drop-down list on the next page select Add a New Connector, and then select Terraform.
Copy the token displayed toward the bottom of the page.

Edit the Terraform Configuration

Add the following to your Terraform module.

Without permissions

If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

module "connector" {
    source = "github.com/apono-io/terraform-modules/k8s/connector-without-permissions/stacks/apono-connector"
    aponoToken = [APONO_TOKEN]
    connectorId = [CONNECTOR_NAME] // choose connector name
}

With permissions

If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

module "connector" {  
    source = "github.com/apono-io/terraform-modules/k8s/connector-with-permissions/stacks/apono-connector"  
    aponoToken = [APONO_TOKEN]  
    connectorId = [CONNECTOR_NAME] // choose connector name  
}

Where:

[APONO_TOKEN] is the token copied from the integration page in the previous step.
[CONNECTOR_NAME] is any name you choose to give the connector.

Run terraform init. It will finish with the message: "Terraform has been successfully initialized!"
Run terraform apply. It will finish with the message: "Apply complete! Resources: (N) added.."

Results and next steps

The Kubernetes Connector is now installed.

Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
The Connector is found by the form, marked by a green checkmark

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Next Steps

Return to the Catalog, and select one of the following Kubernetes integrations:

Installing a connector on Kubernetes with AWS permissions

You have chosen the advanced installation method

You can also easily connect AWS in Apono following this UI guide

How to install the Connector on Kubernetes

Prerequisite

It's required that you have your Cloud Account connected to your Kubernetes Cluster In this example we use Kube2Iam solution for kubernetes on EC2

Deploying the Connector

The Connector is deployed using helm and requires and IAM Role to be able to access tagged ASM secrets in the future. You can choose to install the Connector using either your CLI or Terraform:

CLI

Create a IAM role to allow Connector read access for apono tagged secrets
Get AWS Account
Replace #EKS_CLUSTER_NAME

Create Connector Role

Assign Role Policies

Deploy Apono Connector

Terraform

Required providers: helm (v2.5.1), aws, kubernetes

Validate the Connector is Connected

Updating a Kubernetes connector

Learn how to update a connector through the Helm CLI

Periodically, you may need to update your Kubernetes connector to help maintain functionality, performance, and security.

This article explains how to update a connector through the Helm CLI.

Prerequisites

Item

Description

Update a connector

Use the following steps to update an Apono connector for Kubernetes:

In the shell environment, run the following helm upgrade command to pull the most recent connector version.

Shell

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=true \
    --namespace apono-connector \
    --create-namespace

Parameter

Description

On the Connectors page, verify that the connector has been updated.

Apono Connector for Kubernetes

How to install a Connector on a Kubernetes cluster to integrate Kubernetes with Apono

Overview

To integrate with Kubernetes and start managing JIT access to Kubernetes resources, you must first install a connector in your Kubernetes cluster.

This is can be done by one of the following methods:

Helm
Terraform

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

With Helm

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by running a Helm command with the necessary parameters.

Prerequisites

An existing Kubernetes project on one of the following platforms:
- Google Kubernetes Engine (GKE)
- Elastic Kubernetes Service (EKS)
- Azure Kubernetes Engine (AKS)
- Kubernetes (self-managed)
Helm
kubectl

Step-by-step guide

Find Your Integration Token

Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

From the drop-down list on the next page select Add a New Connector, and then select Help.
Copy the token displayed toward the bottom of the page.

Install the Connector

Run the following Helm command in a terminal:

Without permissions

If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

With permissions

If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=true \
    --namespace apono-connector \
    --create-namespace

Where:

[APONO_TOKEN] is the token copied from the integration page in the previous step.
[CONNECTOR_NAME] is any name you choose to give the connector.

Helm will finish with a message that the apono-connector has been installed.

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Results and next steps

The Kubernetes Connector is now installed.

Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
The Connector is found by the form, marked by a green checkmark

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Troubleshooting

If you are managing more than one Kubernetes cluster, you must be certain that the current context points to the cluster into which the Apono connector is to be added.
- Get the current context with kubectl config current-context
- Set the current context with kubectl config use-context [clustername]

With Terraform

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by adding an Apono module to your Terraform configuration.

Prerequisites

A Kubernetes project on one of the following platforms:
- Google Kubernetes Engine (GKE)
- Elastic Kubernetes Service (EKS)
- Azure Kubernetes Engine (AKS)
- Kubernetes (self-managed)
Terraform with the following providers:
- Helm
- Kubernetes
- AWS

Step-by-step guide

Find Your Integration Token

Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

From the drop-down list on the next page select Add a New Connector, and then select Terraform.
Copy the token displayed toward the bottom of the page.

Edit the Terraform Configuration

Add the following to your Terraform module.

Without permissions

If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

module "connector" {
    source = "github.com/apono-io/terraform-modules/k8s/connector-without-permissions/stacks/apono-connector"
    aponoToken = [APONO_TOKEN]
    connectorId = [CONNECTOR_NAME] // choose connector name
}

With permissions

If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

module "connector" {  
    source = "github.com/apono-io/terraform-modules/k8s/connector-with-permissions/stacks/apono-connector"  
    aponoToken = [APONO_TOKEN]  
    connectorId = [CONNECTOR_NAME] // choose connector name  
}

Where:

[APONO_TOKEN] is the token copied from the integration page in the previous step.
[CONNECTOR_NAME] is any name you choose to give the connector.

Run terraform init. It will finish with the message: "Terraform has been successfully initialized!"
Run terraform apply. It will finish with the message: "Apply complete! Resources: (N) added.."

Results and next steps

The Kubernetes Connector is now installed.

Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
The Connector is found by the form, marked by a green checkmark

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Next Steps

Return to the Catalog, and select one of the following Kubernetes integrations:

Installing a connector on Kubernetes with AWS permissions

You have chosen the advanced installation method

You can also easily connect AWS in Apono following this UI guide

How to install the Connector on Kubernetes

Prerequisite

It's required that you have your Cloud Account connected to your Kubernetes Cluster In this example we use Kube2Iam solution for kubernetes on EC2

Deploying the Connector

The Connector is deployed using helm and requires and IAM Role to be able to access tagged ASM secrets in the future. You can choose to install the Connector using either your CLI or Terraform:

CLI

Create a IAM role to allow Connector read access for apono tagged secrets
Get AWS Account
Replace #EKS_CLUSTER_NAME

Create Connector Role

Assign Role Policies

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{  
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
    "Effect":"Allow",
    "Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-objects-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["rds:DescribeDBInstances","rds:ListTagsForResource"],
    "Effect":"Allow",
    "Resource":"arn:aws:rds:*:*:db:*"},
    {"Action":["ssm:GetParameters*"],
    "Effect":"Allow",
    "Resource":"arn:aws:ssm:*:*:parameter/*"},
    {"Action":["ssm:DescribeParameters"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["s3:GetBucketTagging","s3:ListAllMyBuckets","s3:ListBucket","s3:GetBucketLocation"],
    "Effect":"Allow",
    "Resource":"arn:aws:s3:::*"}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-resource-tags" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }]
}'

Deploy Apono Connector

helm install apono-connector {{CONNECTOR_CHART_REPO}}/{{CONNECTOR_CHART_NAME}}/{{CONNECTOR_CHART_NAME}}-<<helmVersion>>.tgz \
    --namespace "{{K8S_NAMESPACE}}" \
    --set image.repository="{{CONNECTOR_IMAGE_REPO}}" \
    --set image.tag="<<connectorVersion>>" \
    --set gitSyncImage="{{GIT_SYNC_IMAGE}}" \
    --set githubAccessToken="{{GITHUB_ACCESS_TOKEN}}" \
    --set serviceAccount.name="{{K8S_SERVICE_ACCOUNT}}" \
    --set podAnnotations."iam\.amazonaws\.com/role"="{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" \
    --set apono.token="{{TOKEN}}" \
    --set apono.url="{{APONO_WEBSOCKET_URL}}" \
    --set apono.websocketSsl="{{APONO_WEBSOCKET_SSL}}" \
    --set apono.connectorId="{{CONNECTOR_ID}}" \
    --create-namespace

Terraform

Required providers: helm (v2.5.1), aws, kubernetes

locals {
  apono_token = "{{TOKEN}}"
  apono_websocket_url = "{{APONO_WEBSOCKET_URL}}"
  apono_websocket_ssl = "{{APONO_WEBSOCKET_SSL}}"
  connector_id = "{{CONNECTOR_ID}}"
  connector_helm_repo = "{{CONNECTOR_CHART_REPO}}"
  connector_helm_chart = "{{CONNECTOR_CHART_NAME}}"
  connector_helm_chart_version = "<<helmVersion>>"
  connector_image_repo = "{{CONNECTOR_IMAGE_REPO}}"
  connector_image_tag = "<<connectorVersion>>"
  git_sync_image = "{{GIT_SYNC_IMAGE}}"
  github_access_token = "{{GITHUB_ACCESS_TOKEN}}"
  service_account_name = "{{K8S_SERVICE_ACCOUNT}}"
  namespace = "{{K8S_NAMESPACE}}"
}

data "aws_caller_identity" "aws_account" {
  
}

locals {
  aws_account_id = data.aws_caller_identity.aws_account.account_id
}


// agent deployment
resource "kubernetes_namespace_v1" "apono-namespace" {
  metadata {
    name = local.namespace
  }
}

resource "helm_release" "apono-connector" {
  name             = "apono-connector"
  repository       = local.connector_helm_repo
  chart            = local.connector_helm_chart
  version          = local.connector_helm_chart_version
  namespace        = kubernetes_namespace_v1.apono-namespace.metadata[0].name

  set {
    name = "image.repository"
    value = local.connector_image_repo
  }

  set {
    name = "image.tag"
    value = local.connector_image_tag
  }

  set {
    name  = "gitSyncImage"
    value = local.git_sync_image
  }

  set {
    name  = "githubAccessToken"
    value = local.github_access_token
  }

  set {
    name = "serviceAccount.name"
    value = local.service_account_name
  }
  
  set {
    name = "serviceAccount.awsRoleAccountId"
    value = local.aws_account_id
  }
  
  set {
    name = "podAnnotations."iam\.amazonaws\.com/role""
    value = "${local.service_account_name}-${local.connector_id}"
  }

  set {
    name  = "apono.token"
    value = local.apono_token
  }

  set {
    name  = "apono.url"
    value = local.apono_websocket_url
  }

  set {
    name  = "apono.websocketSsl"
    value = local.apono_websocket_ssl
  }

  set {
    name  = "apono.connectorId"
    value = local.connector_id
  }
}

// IAM role and access policy for apono tagged secrets
resource "aws_iam_role" "apono-connector" {
  name = "${local.service_account_name}-${local.connector_id}"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal": { "Service": "ec2.amazonaws.com"},
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  
  inline_policy {
    name = "apono-tagged-keys-access-policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [ "kms:Sign" ]
          Resource = "*"
          Condition = { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
        },
      ]
    })
  }
  
  inline_policy {
    name = "apono-tagged-secrets-access-policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
          Resource = "arn:aws:secretsmanager:*:${local.aws_account_id}:secret:*"
          Condition = { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
        },
      ]
    })
  }
  
  // for s3-iam-role resources
  inline_policy {
    name = "s3-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["s3:GetBucketTagging", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"]
          Resource = "arn:aws:s3:::*"
        },
      ]
    })
  }
  
  // for mysql-rds resources
  inline_policy {
    name = "rds-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["rds:DescribeDBInstances", "rds:ListTagsForResource"]
          Resource = "arn:aws:rds:*:*:db:*"
        },
      ]
    })
  }

  // for ssm-iam-role resources
  inline_policy {
    name = "ssm-params-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["ssm:GetParameters*"]
          Resource = "arn:aws:ssm:*:*:parameter/*"
        },
        {
          Effect = "Allow"
          Action = ["ssm:DescribeParameters"]
          Resource = "*"
        },
      ]
    })
  }

  // for iam manipulation
  inline_policy {
    name = "iam-access-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
            Effect = "Allow"
            Action = [
                "iam:ListPolicies",
                "iam:CreateInstanceProfile",
                "iam:ListGroups",
                "iam:ListInstanceProfiles"
            ],
            Resource = "*"
        },
        {
            Effect = "Allow"
            Action = [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:GetInstanceProfile",
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:UpdateLoginProfile",
                "iam:ListAccessKeys",
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy",
                "iam:CreateLoginProfile"
            ]
            Resource = [
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:group/*",
                "arn:aws:iam::*:user/*"
            ]
        }
      ]
    })
  }
  
  inline_policy {
    name = "apono-read-resource-tags"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        "Effect": "Allow",
        "Action": [ "tag:GetResources" ],
        "Resource": "*"
      }]
    })
  }
    
  inline_policy {
    name = "ec2-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        "Effect": "Allow",
        "Action": [ "ec2:DescribeInstances","ec2:DescribeTags","ec2:AssociateIamInstanceProfile" ],
        "Resource": "*"
      }]
    })
  }
}

Validate the Connector is Connected

You can validate the Connector is installed in the .

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{  
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
    "Effect":"Allow",
    "Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-objects-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["rds:DescribeDBInstances","rds:ListTagsForResource"],
    "Effect":"Allow",
    "Resource":"arn:aws:rds:*:*:db:*"},
    {"Action":["ssm:GetParameters*"],
    "Effect":"Allow",
    "Resource":"arn:aws:ssm:*:*:parameter/*"},
    {"Action":["ssm:DescribeParameters"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["s3:GetBucketTagging","s3:ListAllMyBuckets","s3:ListBucket","s3:GetBucketLocation"],
    "Effect":"Allow",
    "Resource":"arn:aws:s3:::*"}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-resource-tags" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }]
}'

locals {
  apono_token = "{{TOKEN}}"
  apono_websocket_url = "{{APONO_WEBSOCKET_URL}}"
  apono_websocket_ssl = "{{APONO_WEBSOCKET_SSL}}"
  connector_id = "{{CONNECTOR_ID}}"
  connector_helm_repo = "{{CONNECTOR_CHART_REPO}}"
  connector_helm_chart = "{{CONNECTOR_CHART_NAME}}"
  connector_helm_chart_version = "<<helmVersion>>"
  connector_image_repo = "{{CONNECTOR_IMAGE_REPO}}"
  connector_image_tag = "<<connectorVersion>>"
  git_sync_image = "{{GIT_SYNC_IMAGE}}"
  github_access_token = "{{GITHUB_ACCESS_TOKEN}}"
  service_account_name = "{{K8S_SERVICE_ACCOUNT}}"
  namespace = "{{K8S_NAMESPACE}}"
}

data "aws_caller_identity" "aws_account" {
  
}

locals {
  aws_account_id = data.aws_caller_identity.aws_account.account_id
}


// agent deployment
resource "kubernetes_namespace_v1" "apono-namespace" {
  metadata {
    name = local.namespace
  }
}

resource "helm_release" "apono-connector" {
  name             = "apono-connector"
  repository       = local.connector_helm_repo
  chart            = local.connector_helm_chart
  version          = local.connector_helm_chart_version
  namespace        = kubernetes_namespace_v1.apono-namespace.metadata[0].name

  set {
    name = "image.repository"
    value = local.connector_image_repo
  }

  set {
    name = "image.tag"
    value = local.connector_image_tag
  }

  set {
    name  = "gitSyncImage"
    value = local.git_sync_image
  }

  set {
    name  = "githubAccessToken"
    value = local.github_access_token
  }

  set {
    name = "serviceAccount.name"
    value = local.service_account_name
  }
  
  set {
    name = "serviceAccount.awsRoleAccountId"
    value = local.aws_account_id
  }
  
  set {
    name = "podAnnotations."iam\.amazonaws\.com/role""
    value = "${local.service_account_name}-${local.connector_id}"
  }

  set {
    name  = "apono.token"
    value = local.apono_token
  }

  set {
    name  = "apono.url"
    value = local.apono_websocket_url
  }

  set {
    name  = "apono.websocketSsl"
    value = local.apono_websocket_ssl
  }

  set {
    name  = "apono.connectorId"
    value = local.connector_id
  }
}

// IAM role and access policy for apono tagged secrets
resource "aws_iam_role" "apono-connector" {
  name = "${local.service_account_name}-${local.connector_id}"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal": { "Service": "ec2.amazonaws.com"},
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  
  inline_policy {
    name = "apono-tagged-keys-access-policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [ "kms:Sign" ]
          Resource = "*"
          Condition = { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
        },
      ]
    })
  }
  
  inline_policy {
    name = "apono-tagged-secrets-access-policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
          Resource = "arn:aws:secretsmanager:*:${local.aws_account_id}:secret:*"
          Condition = { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
        },
      ]
    })
  }
  
  // for s3-iam-role resources
  inline_policy {
    name = "s3-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["s3:GetBucketTagging", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"]
          Resource = "arn:aws:s3:::*"
        },
      ]
    })
  }
  
  // for mysql-rds resources
  inline_policy {
    name = "rds-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["rds:DescribeDBInstances", "rds:ListTagsForResource"]
          Resource = "arn:aws:rds:*:*:db:*"
        },
      ]
    })
  }

  // for ssm-iam-role resources
  inline_policy {
    name = "ssm-params-list-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["ssm:GetParameters*"]
          Resource = "arn:aws:ssm:*:*:parameter/*"
        },
        {
          Effect = "Allow"
          Action = ["ssm:DescribeParameters"]
          Resource = "*"
        },
      ]
    })
  }

  // for iam manipulation
  inline_policy {
    name = "iam-access-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
            Effect = "Allow"
            Action = [
                "iam:ListPolicies",
                "iam:CreateInstanceProfile",
                "iam:ListGroups",
                "iam:ListInstanceProfiles"
            ],
            Resource = "*"
        },
        {
            Effect = "Allow"
            Action = [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:GetInstanceProfile",
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:UpdateLoginProfile",
                "iam:ListAccessKeys",
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy",
                "iam:CreateLoginProfile"
            ]
            Resource = [
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:group/*",
                "arn:aws:iam::*:user/*"
            ]
        }
      ]
    })
  }
  
  inline_policy {
    name = "apono-read-resource-tags"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        "Effect": "Allow",
        "Action": [ "tag:GetResources" ],
        "Resource": "*"
      }]
    })
  }
    
  inline_policy {
    name = "ec2-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        "Effect": "Allow",
        "Action": [ "ec2:DescribeInstances","ec2:DescribeTags","ec2:AssociateIamInstanceProfile" ],
        "Resource": "*"
      }]
    })
  }
}