Change secrets store approach (#814)

Signed-off-by: Stavros Foteinopoulos <[email protected]>

aws/awat/README.md

@@ -35,6 +35,8 @@
 | [aws_iam_policy_document.awat_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.master_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_secretsmanager_secret.awat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret_version.awat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
 | [terraform_remote_state.cnc_cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
@@ -58,7 +60,6 @@
 | <a name="input_awat_db_cluster_instance_type"></a> [awat\_db\_cluster\_instance\_type](#input\_awat\_db\_cluster\_instance\_type) | n/a | `string` | `"db.serverless"` | no |
 | <a name="input_awat_db_deletion_protection"></a> [awat\_db\_deletion\_protection](#input\_awat\_db\_deletion\_protection) | n/a | `bool` | `true` | no |
 | <a name="input_awat_db_maintenance_window"></a> [awat\_db\_maintenance\_window](#input\_awat\_db\_maintenance\_window) | n/a | `string` | n/a | yes |
-| <a name="input_awat_db_password"></a> [awat\_db\_password](#input\_awat\_db\_password) | n/a | `string` | n/a | yes |
 | <a name="input_awat_db_username"></a> [awat\_db\_username](#input\_awat\_db\_username) | n/a | `string` | n/a | yes |
 | <a name="input_awat_enable_rds_alerting"></a> [awat\_enable\_rds\_alerting](#input\_awat\_enable\_rds\_alerting) | n/a | `bool` | `false` | no |
 | <a name="input_awat_enabled_cloudwatch_logs_exports"></a> [awat\_enabled\_cloudwatch\_logs\_exports](#input\_awat\_enabled\_cloudwatch\_logs\_exports) | n/a | `list(string)` | <pre>[<br/>  "postgresql"<br/>]</pre> | no |

aws/awat/awat_db.tf

@@ -56,6 +56,14 @@ resource "aws_db_subnet_group" "subnets_db" {
 
 }
 
+data "aws_secretsmanager_secret" "awat" {
+  name = format("%s-%s", var.awat_service_name, var.environment)
+}
+
+data "aws_secretsmanager_secret_version" "awat" {
+  secret_id = data.aws_secretsmanager_secret.awat.id
+}
+
 
 module "aurora-cluster" {
   source                                = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93"
@@ -71,7 +79,7 @@ module "aurora-cluster" {
   engine_version                        = var.awat_db_cluster_engine_version
   instance_type                         = var.awat_db_cluster_instance_type
   username                              = var.awat_db_username
-  password                              = var.awat_db_password
+  password                              = data.aws_secretsmanager_secret_version.awat.secret_string
   iam_database_authentication_enabled   = var.iam_database_authentication_enabled
   final_snapshot_identifier_prefix      = "awat-final-${var.awat_db_cluster_identifier}-${local.timestamp_now}"
   skip_final_snapshot                   = false

aws/awat/variables.tf

@@ -14,10 +14,6 @@ variable "awat_db_username" {
   type = string
 }
 
-variable "awat_db_password" {
-  type = string
-}
-
 variable "awat_db_backup_retention_period" {
   type = number
 }

aws/customer-web-server/README.md

@@ -25,6 +25,8 @@
 | [aws_db_subnet_group.cws_subnets_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_security_group.cws_postgres_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_secretsmanager_secret.cws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret_version.cws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
 | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
@@ -49,7 +51,6 @@
 | <a name="input_cws_db_cluster_instance_type"></a> [cws\_db\_cluster\_instance\_type](#input\_cws\_db\_cluster\_instance\_type) | n/a | `string` | `"db.serverless"` | no |
 | <a name="input_cws_db_deletion_protection"></a> [cws\_db\_deletion\_protection](#input\_cws\_db\_deletion\_protection) | n/a | `bool` | `true` | no |
 | <a name="input_cws_db_maintenance_window"></a> [cws\_db\_maintenance\_window](#input\_cws\_db\_maintenance\_window) | n/a | `string` | n/a | yes |
-| <a name="input_cws_db_password"></a> [cws\_db\_password](#input\_cws\_db\_password) | n/a | `string` | n/a | yes |
 | <a name="input_cws_db_username"></a> [cws\_db\_username](#input\_cws\_db\_username) | n/a | `string` | n/a | yes |
 | <a name="input_cws_enable_bastion"></a> [cws\_enable\_bastion](#input\_cws\_enable\_bastion) | n/a | `bool` | `true` | no |
 | <a name="input_cws_enable_rds_alerting"></a> [cws\_enable\_rds\_alerting](#input\_cws\_enable\_rds\_alerting) | n/a | `bool` | `false` | no |

aws/customer-web-server/variables.tf

@@ -14,10 +14,6 @@ variable "cws_db_username" {
   type = string
 }
 
-variable "cws_db_password" {
-  type = string
-}
-
 variable "cws_db_backup_retention_period" {
   type = number
 }

aws/customer-web-server/web-server.tf

@@ -67,6 +67,14 @@ resource "aws_db_subnet_group" "cws_subnets_db" {
 
 }
 
+data "aws_secretsmanager_secret" "cws" {
+  name = format("%s-%s", var.cws_service_name, var.environment)
+}
+
+data "aws_secretsmanager_secret_version" "cws" {
+  secret_id = data.aws_secretsmanager_secret.cws.id
+}
+
 module "aurora-cluster" {
   source                                = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93"
   cluster_identifier                    = var.cws_db_cluster_identifier
@@ -81,7 +89,7 @@ module "aurora-cluster" {
   engine_version                        = var.cws_db_cluster_engine_version
   instance_type                         = var.cws_db_cluster_instance_type
   username                              = var.cws_db_username
-  password                              = var.cws_db_password
+  password                              = data.aws_secretsmanager_secret_version.cws.secret_string
   iam_database_authentication_enabled   = var.iam_database_authentication_enabled
   final_snapshot_identifier_prefix      = "cws-final-${var.cws_db_cluster_identifier}-${local.timestamp_now}"
   skip_final_snapshot                   = false

aws/grafana/README.md

@@ -25,6 +25,8 @@
 | [aws_db_subnet_group.grafana_subnets_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_security_group.grafana_cec_to_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_secretsmanager_secret.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret_version.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
 | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
@@ -36,7 +38,6 @@
 | <a name="input_db_backup_window"></a> [db\_backup\_window](#input\_db\_backup\_window) | n/a | `string` | n/a | yes |
 | <a name="input_db_deletion_protection"></a> [db\_deletion\_protection](#input\_db\_deletion\_protection) | n/a | `bool` | `true` | no |
 | <a name="input_db_maintenance_window"></a> [db\_maintenance\_window](#input\_db\_maintenance\_window) | n/a | `string` | n/a | yes |
-| <a name="input_db_password"></a> [db\_password](#input\_db\_password) | n/a | `string` | n/a | yes |
 | <a name="input_db_username"></a> [db\_username](#input\_db\_username) | n/a | `string` | n/a | yes |
 | <a name="input_enable_grafana_read_replica"></a> [enable\_grafana\_read\_replica](#input\_enable\_grafana\_read\_replica) | n/a | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |

aws/grafana/rds.tf

@@ -48,6 +48,15 @@ resource "aws_db_subnet_group" "grafana_subnets_db" {
 
 }
 
+data "aws_secretsmanager_secret" "grafana" {
+  name = format("%s-%s", var.grafana_service_name, var.environment)
+}
+
+data "aws_secretsmanager_secret_version" "grafana" {
+  secret_id = data.aws_secretsmanager_secret.grafana.id
+}
+
+
 module "aurora-cluster" {
   source                                = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.5"
   cluster_identifier                    = var.grafana_db_cluster_identifier
@@ -62,7 +71,7 @@ module "aurora-cluster" {
   engine_version                        = var.grafana_db_cluster_engine_version
   instance_type                         = var.grafana_db_cluster_instance_type
   username                              = var.db_username
-  password                              = var.db_password
+  password                              = data.aws_secretsmanager_secret_version.grafana.secret_string
   final_snapshot_identifier_prefix      = "grafana-final-${var.grafana_db_cluster_identifier}-${local.timestamp_now}"
   skip_final_snapshot                   = false
   deletion_protection                   = var.db_deletion_protection

aws/grafana/variables.tf

@@ -14,10 +14,6 @@ variable "db_username" {
   type = string
 }
 
-variable "db_password" {
-  type = string
-}
-
 variable "db_backup_retention_period" {
   type = number
 }

aws/provisioner/README.md

@@ -26,6 +26,8 @@
 | [aws_iam_access_key.provisioner_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_security_group.cec_to_postgress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_secretsmanager_secret.provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret_version.provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
 | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
@@ -38,7 +40,6 @@
 | <a name="input_db_backup_window"></a> [db\_backup\_window](#input\_db\_backup\_window) | n/a | `string` | n/a | yes |
 | <a name="input_db_deletion_protection"></a> [db\_deletion\_protection](#input\_db\_deletion\_protection) | n/a | `bool` | `true` | no |
 | <a name="input_db_maintenance_window"></a> [db\_maintenance\_window](#input\_db\_maintenance\_window) | n/a | `string` | n/a | yes |
-| <a name="input_db_password"></a> [db\_password](#input\_db\_password) | n/a | `string` | n/a | yes |
 | <a name="input_db_username"></a> [db\_username](#input\_db\_username) | n/a | `string` | n/a | yes |
 | <a name="input_enable_provisioner_read_replica"></a> [enable\_provisioner\_read\_replica](#input\_enable\_provisioner\_read\_replica) | n/a | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |

aws/provisioner/provisioner-db.tf

@@ -80,6 +80,14 @@ resource "aws_db_subnet_group" "subnets_db" {
 
 }
 
+data "aws_secretsmanager_secret" "provisioner" {
+  name = format("%s-%s", var.provisioner_service_name, var.environment)
+}
+
+data "aws_secretsmanager_secret_version" "provisioner" {
+  secret_id = data.aws_secretsmanager_secret.provisioner.id
+}
+
 module "aurora-cluster" {
   source                                = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93"
   cluster_identifier                    = var.provisioner_db_cluster_identifier
@@ -94,7 +102,7 @@ module "aurora-cluster" {
   engine_version                        = var.provisioner_db_cluster_engine_version
   instance_type                         = var.provisioner_db_cluster_instance_type
   username                              = var.db_username
-  password                              = var.db_password
+  password                              = data.aws_secretsmanager_secret_version.provisioner.secret_string
   iam_database_authentication_enabled   = var.iam_database_authentication_enabled
   final_snapshot_identifier_prefix      = "provisioner-final-${var.provisioner_db_cluster_identifier}-${local.timestamp_now}"
   skip_final_snapshot                   = false

aws/provisioner/variables.tf

@@ -14,10 +14,6 @@ variable "db_username" {
   type = string
 }
 
-variable "db_password" {
-  type = string
-}
-
 variable "db_backup_retention_period" {
   type = string
 }