From 84e9323853e64da4f95e27d1444c059f2bc8833a Mon Sep 17 00:00:00 2001 From: Stavros Foteinopoulos Date: Wed, 5 Feb 2025 11:34:13 +0200 Subject: [PATCH] Password elrond from AWS secrets Signed-off-by: Stavros Foteinopoulos --- aws/eks-customer/README.md | 3 --- aws/elrond/README.md | 3 ++- aws/elrond/elrond-db.tf | 10 +++++++++- aws/elrond/variables.tf | 5 ----- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/aws/eks-customer/README.md b/aws/eks-customer/README.md index 16bbc4eb..be71bbcc 100644 --- a/aws/eks-customer/README.md +++ b/aws/eks-customer/README.md @@ -4,7 +4,6 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.9 | | [aws](#requirement\_aws) | >= 5.41.0 | -| [github](#requirement\_github) | ~> 6.0 | | [local](#requirement\_local) | >= 2.5.1 | | [null](#requirement\_null) | >= 3.2.2 | | [random](#requirement\_random) | >= 3.6.2 | @@ -15,7 +14,6 @@ | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.41.0 | -| [github](#provider\_github) | ~> 6.0 | | [local](#provider\_local) | >= 2.5.1 | | [null](#provider\_null) | >= 3.2.2 | | [random](#provider\_random) | >= 3.6.2 | @@ -71,7 +69,6 @@ | [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.private-a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [github_app_token.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/app_token) | data source | ## Inputs diff --git a/aws/elrond/README.md b/aws/elrond/README.md index 47189960..3156f85c 100644 --- a/aws/elrond/README.md +++ b/aws/elrond/README.md 
@@ -25,6 +25,8 @@ | [aws_db_subnet_group.subnets_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_security_group.cnc_to_elrond_postgress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.elrond](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.elrond](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | | [terraform_remote_state.cluster](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -37,7 +39,6 @@ | [db\_backup\_window](#input\_db\_backup\_window) | The Elrond DB backup window | `string` | n/a | yes | | [db\_deletion\_protection](#input\_db\_deletion\_protection) | Whether to enable DB deletion protection or not | `bool` | `true` | no | | [db\_maintenance\_window](#input\_db\_maintenance\_window) | The Elrond DB maintenance window | `string` | n/a | yes | -| [db\_password](#input\_db\_password) | The Elrond DB password | `string` | n/a | yes | | [db\_username](#input\_db\_username) | The Elrond DB username | `string` | n/a | yes | | [elrond\_apply\_immediately](#input\_elrond\_apply\_immediately) | n/a | `bool` | `false` | no | | [elrond\_aurora\_family](#input\_elrond\_aurora\_family) | n/a | `string` | `"aurora-postgresql14"` | no | diff --git a/aws/elrond/elrond-db.tf b/aws/elrond/elrond-db.tf index 756d98ca..6e12495e 100644 --- a/aws/elrond/elrond-db.tf +++ b/aws/elrond/elrond-db.tf 
@@ -56,6 +56,14 @@ resource "aws_db_subnet_group" "subnets_db" { } +data "aws_secretsmanager_secret" "elrond" { + name = format("%s-%s", var.elrond_service_name, var.environment) +} + +data "aws_secretsmanager_secret_version" "elrond" { + secret_id = data.aws_secretsmanager_secret.elrond.id +} + module "aurora-cluster" { source = "github.com/mattermost/mattermost-cloud-monitoring.git//aws/aurora-cluster?ref=v1.7.93" cluster_identifier = var.elrond_db_cluster_identifier @@ -70,7 +78,7 @@ module "aurora-cluster" { engine_version = var.elrond_db_cluster_engine_version instance_type = var.elrond_db_cluster_instance_type username = var.db_username - password = var.db_password + password = data.aws_secretsmanager_secret_version.elrond.secret_string iam_database_authentication_enabled = var.iam_database_authentication_enabled final_snapshot_identifier_prefix = "elrond-final-${var.elrond_db_cluster_identifier}-${local.timestamp_now}" skip_final_snapshot = false diff --git a/aws/elrond/variables.tf b/aws/elrond/variables.tf index e3fdc2c2..636d17cf 100644 --- a/aws/elrond/variables.tf +++ b/aws/elrond/variables.tf @@ -18,11 +18,6 @@ variable "db_username" { description = "The Elrond DB username" } -variable "db_password" { - type = string - description = "The Elrond DB password" -} - variable "db_backup_retention_period" { type = string description = "The Elrond DB backup retention period"
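Review bot: The two data sources added ahead of `module "aurora-cluster"` make every plan depend on a secret named `<elrond_service_name>-<environment>` that must already exist, and the hunk does not say where that secret is created. A comment above the first block would cover it, for example `# Elrond DB master password; the secret "<service>-<environment>" is created outside this stack and must exist before plan`. Reading the value through `aws_secretsmanager_secret_version` also writes it into the Terraform state, so the state backend for this stack needs encryption at rest and read access scoped as tightly as the secret itself. With neither `version_stage` nor `version_id` set, the lookup follows AWSCURRENT, so a rotation in Secrets Manager would probably surface as a master-password change on the next apply; confirm that is intended.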
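Review bot: On the changed line in `module "aurora-cluster"`, `secret_string` is handed to `password` unmodified, so a key/value secret (which Secrets Manager stores as JSON) would make the whole JSON document the master password. If the secret is JSON, select the field instead: `password = jsondecode(data.aws_secretsmanager_secret_version.elrond.secret_string)["password"]`, where `"password"` is a placeholder key to be checked against the stored secret. If it is a bare string, a one-line comment such as `# secret_string is the bare password, not JSON` would record that assumption. The module block starts before and ends after this hunk, so whether the module ignores later password changes is not visible here.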