Update Kubernetes Secret in Terraform

Question

I'm using an ECR private repo to pull my docker image for my Kube.netes cluster to run. To achieve this, ECR authorisation token is required.

I've used a Terraform module to get this authorisation token as the below;

data "aws_ecr_authorization_token" "token" {}

I have then injected this token into my kube.netes secrete in order to authenticate and login to ECR and pull the image:

resource "kubernetes_secret" "docker" {
  metadata {
    name      = "docker-cfg"
    namespace = kubernetes_namespace.data-layer.metadata.0.name
  }

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${data.aws_ecr_authorization_token.token.proxy_endpoint}" = {
          auth = "${data.aws_ecr_authorization_token.token.authorization_token}"
        }
      }
    })
  }

  type = "kubernetes.io/dockerconfigjson"
}

This secret is later on used in the pod , as the imagePullSecret like the below;

spec {

    image_pull_secrets {
      name = "docker-cfg"
    }

    container {
      image             = "ECR REPO FQDN"
      name              = "Repo name"
      image_pull_policy = "Always"


      port {
        container_port = 4000
      }
    }
}

This is cool and everything works fine , however the ECR token expires after 12 hours, how can I update this token in my cluster through Terraform? I'm aware of local_exec provisioner and the Kube.netes Cron jobs , but what's the cleanest way to achieve this in Terraform?

Answer 1

I guess there's no way to revoke individual ECR authorization tokens in AWS (As of today). May be we can take help of Amazon Secure Token Services (STS), if that helps your usecase. Please find below reference links for more details

Reference links:

AWS STS: Aws secure token service

Github issue link: aws ecr token expiry issue

terraform + aws sts: AWS sts in terraform