From 32e3fdce6ccce949550718cf0fc8f9628eaa016b Mon Sep 17 00:00:00 2001
From: Annie Hawes
Date: Fri, 29 Nov 2024 14:29:38 +0000
Subject: [PATCH 1/3] [TDRD 512] Toggleable master password management via secrets manager integration

---
 lambda/create_db_users.tf | 27 ++++++++++++++++++++-------
 lambda/variables.tf | 4 ++++
 rds_instance/main.tf | 1 +
 rds_instance/outputs.tf | 2 +-
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/lambda/create_db_users.tf b/lambda/create_db_users.tf
index 043da94..b820884 100644
--- a/lambda/create_db_users.tf
+++ b/lambda/create_db_users.tf
@@ -10,12 +10,18 @@ resource "aws_lambda_function" "create_db_users_lambda_function" {
 reserved_concurrent_executions = var.reserved_concurrency
 tags = var.common_tags
 environment {
- variables = {
- DB_ADMIN_USER = aws_kms_ciphertext.environment_vars_create_db_users["db_admin_user"].ciphertext_blob
- DB_ADMIN_PASSWORD = aws_kms_ciphertext.environment_vars_create_db_users["db_admin_password"].ciphertext_blob
- DB_URL = aws_kms_ciphertext.environment_vars_create_db_users["db_url"].ciphertext_blob
- DATABASE_NAME = aws_kms_ciphertext.environment_vars_create_db_users["database_name"].ciphertext_blob
- }
+ variables = merge(
+ {
+ DB_ADMIN_USER = aws_kms_ciphertext.environment_vars_create_db_users["db_admin_user"].ciphertext_blob
+ DB_URL = aws_kms_ciphertext.environment_vars_create_db_users["db_url"].ciphertext_blob
+ DATABASE_NAME = aws_kms_ciphertext.environment_vars_create_db_users["database_name"].ciphertext_blob
+ },
+ var.db_admin_password != null ? {
+ DB_ADMIN_PASSWORD = aws_kms_ciphertext.environment_vars_create_db_users["db_admin_password"].ciphertext_blob
+ } : {
+ DB_MASTER_USER_SECRET_ARN = aws_kms_ciphertext.environment_vars_create_db_users["db_master_user_secret_arn"].ciphertext_blob
+ }
+ )
 }
 
 vpc_config {
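Review bot: The function now receives `DB_MASTER_USER_SECRET_ARN` instead of the password, but nothing in this patch (the diffstat lists only four files, none of them the role policy) grants the Lambda execution role `secretsmanager:GetSecretValue` on that ARN or `kms:Decrypt` on the key the RDS-managed secret is encrypted with, so unless the role already has those permissions the failure surfaces at runtime rather than at plan. The branch is also selected by `var.db_admin_password != null` rather than by an explicit toggle, so when neither the password nor `var.db_master_user_secret_arn` is provided the Secrets Manager branch is chosen with a null ARN. Keying the branch on the same `manage_master_credentials_with_secrets_manager` flag the rds_instance module already uses, plus a `validation` block or `precondition` asserting that exactly one of the two inputs is set, would make the toggle explicit and fail early. The aws_lambda_function resource continues past the end of the hunk.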
@@ -29,7 +35,14 @@ resource "aws_lambda_function" "create_db_users_lambda_function" {
 }
 
 resource "aws_kms_ciphertext" "environment_vars_create_db_users" {
- for_each = local.count_create_db_users == 0 ? {} : { db_admin_user = var.db_admin_user, db_admin_password = var.db_admin_password, db_url = "jdbc:postgresql://${var.db_url}:5432/consignmentapi", database_name = var.database_name }
+ for_each = local.count_create_db_users == 0 ? {} : merge(
+ {
+ db_admin_user = var.db_admin_user
+ db_url = "jdbc:postgresql://${var.db_url}:5432/consignmentapi"
+ database_name = var.database_name
+ },
+ var.db_admin_password != null ? { db_admin_password = var.db_admin_password } : { db_master_user_secret_arn = var.db_master_user_secret_arn }
+ )
 key_id = var.kms_key_arn
 plaintext = each.value
 context = { "LambdaFunctionName" = local.create_db_users_function_name }
diff --git a/lambda/variables.tf b/lambda/variables.tf
index b24cf60..c866850 100644
--- a/lambda/variables.tf
+++ b/lambda/variables.tf
@@ -380,3 +380,7 @@ variable "notifications_vpc_config" {
 security_group_ids = []
 }
 }
+
+variable "db_master_user_secret_arn" {
+ default = null
+}
\ No newline at end of file
diff --git a/rds_instance/main.tf b/rds_instance/main.tf
index c81b6a4..d236fd0 100644
--- a/rds_instance/main.tf
+++ b/rds_instance/main.tf
@@ -57,6 +57,7 @@ resource "aws_ssm_parameter" "database_username" {
 }
 
 resource "aws_ssm_parameter" "database_password" {
+ count = var.manage_master_credentials_with_secrets_manager ? 0 : 1
 name = "/${var.environment}/${var.database_name}/instance/password"
 type = "SecureString"
 value = aws_db_instance.db_instance.password
diff --git a/rds_instance/outputs.tf b/rds_instance/outputs.tf
index 2f8e46e..9fb3b1a 100644
--- a/rds_instance/outputs.tf
+++ b/rds_instance/outputs.tf
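Review bot: The `for_each` map is now derived from `var.db_admin_password != null`; if that variable is declared `sensitive = true` (its declaration is not in this patch) the comparison, the conditional and the merged map all inherit the sensitive mark and Terraform rejects the resource with "Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments". Deriving the keys from a plain boolean avoids this, e.g. a non-sensitive `local.use_master_user_secret` (or the rds_instance module's `manage_master_credentials_with_secrets_manager` flag) in place of `var.db_admin_password != null`, or at minimum `nonsensitive(var.db_admin_password != null)`. When neither input is set, `db_master_user_secret_arn = null` flows into `plaintext = each.value` and fails with a generic missing-attribute error instead of a clear message. Note also that in the Secrets Manager branch `db_admin_user` is still read from `var.db_admin_user` while the RDS-managed secret carries its own username, so the two can drift.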
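Review bot: `db_master_user_secret_arn` is declared with only a default; give it `type = string` and a `description` so callers know when it is consumed, e.g. `description = "ARN of the RDS-managed master user secret; used by the create_db_users Lambda only when db_admin_password is null."`. Because the value is an ARN rather than the secret itself it does not need `sensitive = true`.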
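Review bot: Adding `count` to `aws_ssm_parameter.database_password` changes its address to `aws_ssm_parameter.database_password[0]`, so the next apply with the flag still off will destroy and recreate the existing SecureString parameter unless a `moved { from = aws_ssm_parameter.database_password to = aws_ssm_parameter.database_password[0] }` block accompanies the change. Any other reference to `aws_ssm_parameter.database_password` inside the module (an output, for instance) must likewise become `[0]` or `one(...)`; none is touched in this patch, so either there is none or it is now broken. When the flag is on the password parameter disappears from SSM while the `database_username` parameter just above is still created unconditionally, so consumers that read the pair together need to be pointed at the secret; that is worth stating in the flag's description.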
@@ -15,5 +15,5 @@ output "resource_id" {
 }
 
 output "database_master_user_secret_arn" {
- value = var.manage_master_credentials_with_secrets_manager ? aws_db_instance.db_instance.master_user_secret[0].secret_arn : null
+ value = var.manage_master_credentials_with_secrets_manager ? join("", aws_db_instance.db_instance.master_user_secret.*.secret_arn) : null
 }

From c60318343fdc2d16ffc36455c719bab26438f216 Mon Sep 17 00:00:00 2001
From: Annie Hawes
Date: Fri, 29 Nov 2024 14:32:17 +0000
Subject: [PATCH 2/3] Terraform fmt

---
 lambda/create_db_users.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lambda/create_db_users.tf b/lambda/create_db_users.tf
index b820884..135494a 100644
--- a/lambda/create_db_users.tf
+++ b/lambda/create_db_users.tf
@@ -16,9 +16,9 @@ resource "aws_lambda_function" "create_db_users_lambda_function" {
 DB_URL = aws_kms_ciphertext.environment_vars_create_db_users["db_url"].ciphertext_blob
 DATABASE_NAME = aws_kms_ciphertext.environment_vars_create_db_users["database_name"].ciphertext_blob
 },
- var.db_admin_password != null ? {
+ var.db_admin_password != null ? {
 DB_ADMIN_PASSWORD = aws_kms_ciphertext.environment_vars_create_db_users["db_admin_password"].ciphertext_blob
- } : {
+ } : {
 DB_MASTER_USER_SECRET_ARN = aws_kms_ciphertext.environment_vars_create_db_users["db_master_user_secret_arn"].ciphertext_blob
 }
 )
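Review bot: `join("", aws_db_instance.db_instance.master_user_secret.*.secret_arn)` returns an empty string, not `null`, whenever the list is empty, so a consumer that tests the output with `!= null` will treat `""` as a real ARN. `one()` expresses the intent directly: it returns the single ARN, `null` for an empty list, and errors only if more than one element is present, which also makes the outer conditional redundant: `value = one(aws_db_instance.db_instance.master_user_secret[*].secret_arn)`. The legacy `.*` splat should in any case be written `[*]`.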
@@ -38,10 +38,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_db_users" {
 for_each = local.count_create_db_users == 0 ? {} : merge(
 {
 db_admin_user = var.db_admin_user
- db_url = "jdbc:postgresql://${var.db_url}:5432/consignmentapi"
+ db_url = "jdbc:postgresql://${var.db_url}:5432/consignmentapi"
 database_name = var.database_name
 },
- var.db_admin_password != null ? { db_admin_password = var.db_admin_password } : { db_master_user_secret_arn = var.db_master_user_secret_arn }
+ var.db_admin_password != null ? { db_admin_password = var.db_admin_password } : { db_master_user_secret_arn = var.db_master_user_secret_arn }
 )
 key_id = var.kms_key_arn
 plaintext = each.value

From 3340cd821704c07742bc04fdc4353d351779341d Mon Sep 17 00:00:00 2001
From: Annie Hawes
Date: Fri, 29 Nov 2024 15:04:51 +0000
Subject: [PATCH 3/3] Missing newline

---
 lambda/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lambda/variables.tf b/lambda/variables.tf
index c866850..bbe217e 100644
--- a/lambda/variables.tf
+++ b/lambda/variables.tf
@@ -383,4 +383,4 @@ variable "notifications_vpc_config" {
 
 variable "db_master_user_secret_arn" {
 default = null
-}
\ No newline at end of file
+}