Added special = true to graphdb_admin_password

Removed validation and defaults for password and token variables in the config module. Updated the user data scripts. Added graphdb_admin_password and graphdb_cluster_token to root main.tf and variables.tf fixed formatting
Ontotext-AD · Mar 26, 2024 · 33f0513 · 33f0513
1 parent 681cf57
commit 33f0513
Show file tree

Hide file tree

Showing 9 changed files with 28 additions and 17 deletions.
diff --git a/main.tf b/main.tf
@@ -43,9 +43,11 @@ module "backup" {
 module "config" {
   source = "./modules/config"
 
-  resource_name_prefix = var.resource_name_prefix
-  graphdb_license_path = var.graphdb_license_path
-  graphdb_lb_dns_name  = module.load_balancer.lb_dns_name
+  resource_name_prefix   = var.resource_name_prefix
+  graphdb_license_path   = var.graphdb_license_path
+  graphdb_lb_dns_name    = module.load_balancer.lb_dns_name
+  graphdb_admin_password = var.graphdb_admin_password
+  graphdb_cluster_token  = var.graphdb_cluster_token
 }
 
 module "load_balancer" {

diff --git a/modules/config/config.tf b/modules/config/config.tf
@@ -1,6 +1,7 @@
 resource "random_password" "graphdb_admin_password" {
-  count  = var.graphdb_admin_password != null ? 0 : 1
-  length = 8
+  count   = var.graphdb_admin_password != null ? 0 : 1
+  length  = 8
+  special = true
 }
 
 resource "random_password" "graphdb_cluster_token" {
@@ -12,4 +13,4 @@ resource "random_password" "graphdb_cluster_token" {
 locals {
   graphdb_cluster_token  = var.graphdb_cluster_token != null ? var.graphdb_cluster_token : random_password.graphdb_cluster_token[0].result
   graphdb_admin_password = var.graphdb_admin_password != null ? var.graphdb_admin_password : random_password.graphdb_admin_password[0].result
-}
+}
diff --git a/modules/config/main.tf b/modules/config/main.tf
@@ -1,3 +1,4 @@
+# TODO move to config.tf after module restructuring
 resource "aws_ssm_parameter" "graphdb_admin_password" {
   name        = "/${var.resource_name_prefix}/graphdb/admin_password"
   description = "Password for the 'admin' user in GraphDB."

diff --git a/modules/config/variables.tf b/modules/config/variables.tf
@@ -15,18 +15,11 @@ variable "resource_name_prefix" {
 variable "graphdb_admin_password" {
   description = "Password for the 'admin' user in GraphDB."
   type        = string
-  default     = null
   sensitive   = true
-
-  # validation {
-  #   condition     = length(var.graphdb_admin_password) >= 5 && can(regex("[0-9]", var.graphdb_admin_password))
-  #   error_message = "Password must be at least 5 characters long and contain at least one number."
-  # }
 }
 
 variable "graphdb_cluster_token" {
   description = "Cluster token used for authenticating the communication between the nodes."
-  default     = null
   sensitive   = true
 }
 

diff --git a/modules/user_data/templates/03_gdb_conf_overrides.sh.tpl b/modules/user_data/templates/03_gdb_conf_overrides.sh.tpl
@@ -23,7 +23,7 @@ aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${na
   base64 -d > /etc/graphdb/graphdb.license
 
 # Get the cluster token
-GRAPHDB_CLUSTER_TOKEN="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/cluster_token" --with-decryption | jq -r .Parameter.Value)"
+GRAPHDB_CLUSTER_TOKEN="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/cluster_token" --with-decryption | jq -r .Parameter.Value | base64 -d)"
 # Get the NODE_DNS value from the previous script
 NODE_DNS=$(cat /tmp/node_dns)
 

diff --git a/modules/user_data/templates/04_gdb_backup_conf.sh.tpl b/modules/user_data/templates/04_gdb_backup_conf.sh.tpl
@@ -18,7 +18,7 @@ cat <<-EOF > /usr/bin/graphdb_backup
 
 set -euxo pipefail
 
-GRAPHDB_ADMIN_PASSWORD="\$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value)"
+GRAPHDB_ADMIN_PASSWORD="\$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value | base64 -d)"
 NODE_STATE="\$(curl --silent --fail --user "admin:\$GRAPHDB_ADMIN_PASSWORD" localhost:7201/rest/cluster/node/status | jq -r .nodeState)"
 
 if [ "\$NODE_STATE" != "LEADER" ]; then

diff --git a/modules/user_data/templates/06_cloudwatch_setup.sh.tpl b/modules/user_data/templates/06_cloudwatch_setup.sh.tpl
@@ -16,7 +16,7 @@ echo "#################################"
 CWAGENT_CONFIG=$(aws ssm get-parameter --name "/CWAgent/Config" --query "Parameter.Value" --output text)
 echo "$CWAGENT_CONFIG" > /etc/graphdb/cloudwatch-agent-config.json
 
-GRAPHDB_ADMIN_PASSWORD=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption --query "Parameter.Value" --output text)
+GRAPHDB_ADMIN_PASSWORD=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption --query "Parameter.Value" --output text | base64 -d)
 
 tmp=$(mktemp)
 jq '.logs.metrics_collected.prometheus.log_group_name = "${name}-graphdb"' /etc/graphdb/cloudwatch-agent-config.json > "$tmp" && mv "$tmp" /etc/graphdb/cloudwatch-agent-config.json

diff --git a/modules/user_data/templates/07_cluster_setup.sh.tpl b/modules/user_data/templates/07_cluster_setup.sh.tpl
@@ -14,7 +14,7 @@ set -o pipefail
 NODE_DNS=$(cat /tmp/node_dns)
 IMDS_TOKEN=$(curl -Ss -H "X-aws-ec2-metadata-token-ttl-seconds: 6000" -XPUT 169.254.169.254/latest/api/token)
 INSTANCE_ID=$(curl -Ss -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" 169.254.169.254/latest/meta-data/instance-id)
-GRAPHDB_ADMIN_PASSWORD=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption --query "Parameter.Value" --output text)
+GRAPHDB_ADMIN_PASSWORD=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption --query "Parameter.Value" --output text | base64 -d)
 VPC_ID=$(aws ec2 describe-instances --instance-id "$${INSTANCE_ID}" --query 'Reservations[0].Instances[0].VpcId' --output text)
 
 RETRY_DELAY=5

diff --git a/variables.tf b/variables.tf
@@ -245,6 +245,20 @@ variable "graphdb_license_path" {
   default     = null
 }
 
+variable "graphdb_admin_password" {
+  description = "Password for the 'admin' user in GraphDB."
+  type        = string
+  sensitive   = true
+  default     = null
+}
+
+variable "graphdb_cluster_token" {
+  description = "Cluster token used for authenticating the communication between the nodes."
+  type        = string
+  sensitive   = true
+  default     = null
+}
+
 variable "zone_dns_name" {
   description = "DNS name for the private hosted zone in Route 53"
   type        = string