From df47356c1e731e79a3823a13c1514589f416a7e7 Mon Sep 17 00:00:00 2001 From: Stavros Foteinopoulos Date: Thu, 6 Feb 2025 14:13:42 +0200 Subject: [PATCH] Change secrets store approach (#814) Signed-off-by: Stavros Foteinopoulos --- aws/awat/README.md | 3 ++- aws/awat/awat_db.tf | 10 +++++++++- aws/awat/variables.tf | 4 ---- aws/customer-web-server/README.md | 3 ++- aws/customer-web-server/variables.tf | 4 ---- aws/customer-web-server/web-server.tf | 10 +++++++++- aws/grafana/README.md | 3 ++- aws/grafana/rds.tf | 11 ++++++++++- aws/grafana/variables.tf | 4 ---- aws/provisioner/README.md | 3 ++- aws/provisioner/provisioner-db.tf | 10 +++++++++- aws/provisioner/variables.tf | 4 ---- 12 files changed, 45 insertions(+), 24 deletions(-) diff --git a/aws/awat/README.md b/aws/awat/README.md index 77def59d..dc36a9a1 100644 --- a/aws/awat/README.md +++ b/aws/awat/README.md @@ -35,6 +35,8 @@ | [aws_iam_policy_document.awat_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.master_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.awat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.awat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | | [terraform_remote_state.cnc_cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs 
@@ -58,7 +60,6 @@ | [awat\_db\_cluster\_instance\_type](#input\_awat\_db\_cluster\_instance\_type) | n/a | `string` | `"db.serverless"` | no | | [awat\_db\_deletion\_protection](#input\_awat\_db\_deletion\_protection) | n/a | `bool` | `true` | no | | [awat\_db\_maintenance\_window](#input\_awat\_db\_maintenance\_window) | n/a | `string` | n/a | yes | -| [awat\_db\_password](#input\_awat\_db\_password) | n/a | `string` | n/a | yes | | [awat\_db\_username](#input\_awat\_db\_username) | n/a | `string` | n/a | yes | | [awat\_enable\_rds\_alerting](#input\_awat\_enable\_rds\_alerting) | n/a | `bool` | `false` | no | | [awat\_enabled\_cloudwatch\_logs\_exports](#input\_awat\_enabled\_cloudwatch\_logs\_exports) | n/a | `list(string)` |
[
"postgresql"
]
| no | diff --git a/aws/awat/awat_db.tf b/aws/awat/awat_db.tf index b5b9f3bb..c783ad08 100644 --- a/aws/awat/awat_db.tf +++ b/aws/awat/awat_db.tf @@ -56,6 +56,14 @@ resource "aws_db_subnet_group" "subnets_db" { } +data "aws_secretsmanager_secret" "awat" { + name = format("%s-%s", var.awat_service_name, var.environment) +} + +data "aws_secretsmanager_secret_version" "awat" { + secret_id = data.aws_secretsmanager_secret.awat.id +} + module "aurora-cluster" { source = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93" @@ -71,7 +79,7 @@ module "aurora-cluster" { engine_version = var.awat_db_cluster_engine_version instance_type = var.awat_db_cluster_instance_type username = var.awat_db_username - password = var.awat_db_password + password = data.aws_secretsmanager_secret_version.awat.secret_string iam_database_authentication_enabled = var.iam_database_authentication_enabled final_snapshot_identifier_prefix = "awat-final-${var.awat_db_cluster_identifier}-${local.timestamp_now}" skip_final_snapshot = false diff --git a/aws/awat/variables.tf b/aws/awat/variables.tf index 47569bfd..12c7d705 100644 --- a/aws/awat/variables.tf +++ b/aws/awat/variables.tf @@ -14,10 +14,6 @@ variable "awat_db_username" { type = string } -variable "awat_db_password" { - type = string -} - variable "awat_db_backup_retention_period" { type = number } diff --git a/aws/customer-web-server/README.md b/aws/customer-web-server/README.md index 3d65a2b7..13430658 100644 --- a/aws/customer-web-server/README.md +++ b/aws/customer-web-server/README.md 
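Review bot: `password = data.aws_secretsmanager_secret_version.awat.secret_string` passes the entire secret value to the cluster, so it only yields the right password if the secret is stored as a plaintext string; a key/value (JSON) secret, which is what the Secrets Manager console typically produces, would set the whole JSON document as the master password, and the same applies to the matching hunks in aws/customer-web-server/web-server.tf, aws/grafana/rds.tf and aws/provisioner/provisioner-db.tf. If the secrets are JSON the reference should be `jsondecode(data.aws_secretsmanager_secret_version.awat.secret_string)["password"]`; either way the expected format belongs in a comment above the data block, e.g. `# Master DB password is read from the externally managed Secrets Manager secret "<service>-<environment>"; it must exist before plan and hold the plaintext password, not a JSON key/value pair.` The value is still persisted in Terraform state through both the data source attribute and the cluster resource, so state encryption and access controls are not relaxed by this change. With no `version_stage` pinned the data source reads the AWSCURRENT version, so a rotation in Secrets Manager surfaces as a master password change on the next apply; presumably that is intended, but how the aurora-cluster module handles password updates is outside this hunk, as is the rest of the `module "aurora-cluster"` block.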
@@ -25,6 +25,8 @@ | [aws_db_subnet_group.cws_subnets_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_security_group.cws_postgres_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.cws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.cws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -49,7 +51,6 @@ | [cws\_db\_cluster\_instance\_type](#input\_cws\_db\_cluster\_instance\_type) | n/a | `string` | `"db.serverless"` | no | | [cws\_db\_deletion\_protection](#input\_cws\_db\_deletion\_protection) | n/a | `bool` | `true` | no | | [cws\_db\_maintenance\_window](#input\_cws\_db\_maintenance\_window) | n/a | `string` | n/a | yes | -| [cws\_db\_password](#input\_cws\_db\_password) | n/a | `string` | n/a | yes | | [cws\_db\_username](#input\_cws\_db\_username) | n/a | `string` | n/a | yes | | [cws\_enable\_bastion](#input\_cws\_enable\_bastion) | n/a | `bool` | `true` | no | | [cws\_enable\_rds\_alerting](#input\_cws\_enable\_rds\_alerting) | n/a | `bool` | `false` | no | diff --git a/aws/customer-web-server/variables.tf b/aws/customer-web-server/variables.tf index 51a0c613..8783ebd6 100644 --- a/aws/customer-web-server/variables.tf +++ b/aws/customer-web-server/variables.tf @@ -14,10 +14,6 @@ variable "cws_db_username" { type = string } -variable "cws_db_password" { - type = string -} - variable "cws_db_backup_retention_period" { type = number } 
diff --git a/aws/customer-web-server/web-server.tf b/aws/customer-web-server/web-server.tf index 2a7f35af..418a72b8 100644 --- a/aws/customer-web-server/web-server.tf +++ b/aws/customer-web-server/web-server.tf @@ -67,6 +67,14 @@ resource "aws_db_subnet_group" "cws_subnets_db" { } +data "aws_secretsmanager_secret" "cws" { + name = format("%s-%s", var.cws_service_name, var.environment) +} + +data "aws_secretsmanager_secret_version" "cws" { + secret_id = data.aws_secretsmanager_secret.cws.id +} + module "aurora-cluster" { source = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93" cluster_identifier = var.cws_db_cluster_identifier @@ -81,7 +89,7 @@ module "aurora-cluster" { engine_version = var.cws_db_cluster_engine_version instance_type = var.cws_db_cluster_instance_type username = var.cws_db_username - password = var.cws_db_password + password = data.aws_secretsmanager_secret_version.cws.secret_string iam_database_authentication_enabled = var.iam_database_authentication_enabled final_snapshot_identifier_prefix = "cws-final-${var.cws_db_cluster_identifier}-${local.timestamp_now}" skip_final_snapshot = false diff --git a/aws/grafana/README.md b/aws/grafana/README.md index e6740fb8..b96f0a54 100644 --- a/aws/grafana/README.md +++ b/aws/grafana/README.md 
@@ -25,6 +25,8 @@ | [aws_db_subnet_group.grafana_subnets_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_security_group.grafana_cec_to_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -36,7 +38,6 @@ | [db\_backup\_window](#input\_db\_backup\_window) | n/a | `string` | n/a | yes | | [db\_deletion\_protection](#input\_db\_deletion\_protection) | n/a | `bool` | `true` | no | | [db\_maintenance\_window](#input\_db\_maintenance\_window) | n/a | `string` | n/a | yes | -| [db\_password](#input\_db\_password) | n/a | `string` | n/a | yes | | [db\_username](#input\_db\_username) | n/a | `string` | n/a | yes | | [enable\_grafana\_read\_replica](#input\_enable\_grafana\_read\_replica) | n/a | `bool` | `true` | no | | [environment](#input\_environment) | n/a | `string` | n/a | yes | diff --git a/aws/grafana/rds.tf b/aws/grafana/rds.tf index b0833110..2d76dee9 100644 --- a/aws/grafana/rds.tf +++ b/aws/grafana/rds.tf 
@@ -48,6 +48,15 @@ resource "aws_db_subnet_group" "grafana_subnets_db" { } +data "aws_secretsmanager_secret" "grafana" { + name = format("%s-%s", var.grafana_service_name, var.environment) +} + +data "aws_secretsmanager_secret_version" "grafana" { + secret_id = data.aws_secretsmanager_secret.grafana.id +} + + module "aurora-cluster" { source = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.5" cluster_identifier = var.grafana_db_cluster_identifier @@ -62,7 +71,7 @@ module "aurora-cluster" { engine_version = var.grafana_db_cluster_engine_version instance_type = var.grafana_db_cluster_instance_type username = var.db_username - password = var.db_password + password = data.aws_secretsmanager_secret_version.grafana.secret_string final_snapshot_identifier_prefix = "grafana-final-${var.grafana_db_cluster_identifier}-${local.timestamp_now}" skip_final_snapshot = false deletion_protection = var.db_deletion_protection diff --git a/aws/grafana/variables.tf b/aws/grafana/variables.tf index 7ce0569e..484fcef3 100644 --- a/aws/grafana/variables.tf +++ b/aws/grafana/variables.tf @@ -14,10 +14,6 @@ variable "db_username" { type = string } -variable "db_password" { - type = string -} - variable "db_backup_retention_period" { type = number } diff --git a/aws/provisioner/README.md b/aws/provisioner/README.md index 16dcfa5b..cfdbf8d8 100644 --- a/aws/provisioner/README.md +++ b/aws/provisioner/README.md 
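Review bot: The first hunk in aws/grafana/rds.tf adds two consecutive blank `+` lines between the `aws_secretsmanager_secret_version` data block and `module "aurora-cluster"`, which the header's `+48,15` (against `+14` in the three sibling files) reflects, breaking the single-blank-line spacing used elsewhere in the file and in the other modules. Drop one of the two added blank lines so the four files stay identical in layout.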
@@ -26,6 +26,8 @@ | [aws_iam_access_key.provisioner_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | | [aws_security_group.cec_to_postgress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -38,7 +40,6 @@ | [db\_backup\_window](#input\_db\_backup\_window) | n/a | `string` | n/a | yes | | [db\_deletion\_protection](#input\_db\_deletion\_protection) | n/a | `bool` | `true` | no | | [db\_maintenance\_window](#input\_db\_maintenance\_window) | n/a | `string` | n/a | yes | -| [db\_password](#input\_db\_password) | n/a | `string` | n/a | yes | | [db\_username](#input\_db\_username) | n/a | `string` | n/a | yes | | [enable\_provisioner\_read\_replica](#input\_enable\_provisioner\_read\_replica) | n/a | `bool` | `true` | no | | [environment](#input\_environment) | n/a | `string` | n/a | yes | diff --git a/aws/provisioner/provisioner-db.tf b/aws/provisioner/provisioner-db.tf index cf9a1f36..08844658 100644 --- a/aws/provisioner/provisioner-db.tf +++ b/aws/provisioner/provisioner-db.tf 
@@ -80,6 +80,14 @@ resource "aws_db_subnet_group" "subnets_db" { } +data "aws_secretsmanager_secret" "provisioner" { + name = format("%s-%s", var.provisioner_service_name, var.environment) +} + +data "aws_secretsmanager_secret_version" "provisioner" { + secret_id = data.aws_secretsmanager_secret.provisioner.id +} + module "aurora-cluster" { source = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93" cluster_identifier = var.provisioner_db_cluster_identifier @@ -94,7 +102,7 @@ module "aurora-cluster" { engine_version = var.provisioner_db_cluster_engine_version instance_type = var.provisioner_db_cluster_instance_type username = var.db_username - password = var.db_password + password = data.aws_secretsmanager_secret_version.provisioner.secret_string iam_database_authentication_enabled = var.iam_database_authentication_enabled final_snapshot_identifier_prefix = "provisioner-final-${var.provisioner_db_cluster_identifier}-${local.timestamp_now}" skip_final_snapshot = false diff --git a/aws/provisioner/variables.tf b/aws/provisioner/variables.tf index f3ce480a..34c8a6b7 100644 --- a/aws/provisioner/variables.tf +++ b/aws/provisioner/variables.tf @@ -14,10 +14,6 @@ variable "db_username" { type = string } -variable "db_password" { - type = string -} - variable "db_backup_retention_period" { type = string }