From e0bf5e90482c0428d47bad359949e0a0c873193d Mon Sep 17 00:00:00 2001
From: Alis Akers <94012653+alismx@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:25:33 -0500
Subject: [PATCH] fix for database secrets manager data (#12)

---
 README.md | 8 ++++++--
 _check.tf | 9 +++------
 _data.tf | 22 +++++++++++++++++++++-
 _local.tf | 22 +++++++++++-----------
 _variable.tf | 40 ++++++++++++++++++++--------------------
 5 files changed, 61 insertions(+), 40 deletions(-)

diff --git a/README.md b/README.md
index 59a9bfe..da91c05 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,10 @@ No modules.
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecr_viewer_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_secretsmanager_secret_version.postgres_database_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
+| [aws_secretsmanager_secret_version.sqlserver_host](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
+| [aws_secretsmanager_secret_version.sqlserver_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
+| [aws_secretsmanager_secret_version.sqlserver_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |

 ## Inputs
@@ -183,7 +187,7 @@ No modules. | [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no | | [owner](#input\_owner) | Owner of the resources | `string` | `"CDC"` | no | | [phdi\_version](#input\_phdi\_version) | Version of the PHDI application | `string` | `"v1.6.9"` | no | -| [postgres\_database\_data](#input\_postgres\_database\_data) | n/a |
object({
non_integrated_viewer = string
metadata_database_type = string
metadata_database_schema = string
secrets_manager_postgres_database_url_arn = string
})
|
{
"metadata_database_schema": "",
"metadata_database_type": "",
"non_integrated_viewer": "false",
"secrets_manager_postgres_database_url_arn": ""
}
| no | +| [postgres\_database\_data](#input\_postgres\_database\_data) | n/a |
object({
non_integrated_viewer = string
metadata_database_type = string
metadata_database_schema = string
secrets_manager_postgres_database_url_name = string
})
|
{
"metadata_database_schema": "",
"metadata_database_type": "",
"non_integrated_viewer": "false",
"secrets_manager_postgres_database_url_name": ""
}
| no | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes | | [project](#input\_project) | The project name | `string` | `"dibbs"` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | @@ -191,7 +195,7 @@ No modules. | [s3\_viewer\_bucket\_name](#input\_s3\_viewer\_bucket\_name) | Name of the S3 bucket for the viewer | `string` | `""` | no | | [s3\_viewer\_bucket\_role\_name](#input\_s3\_viewer\_bucket\_role\_name) | Name of the IAM role for the ecr-viewer bucket | `string` | `""` | no | | [service\_data](#input\_service\_data) | Data for the DIBBS services |
map(object({
short_name = string
fargate_cpu = number
fargate_memory = number
min_capacity = number
max_capacity = number
app_image = string
app_version = string
container_port = number
host_port = number
public = bool
registry_url = string
env_vars = list(object({
name = string
value = string
}))
}))
| `{}` | no | -| [sqlserver\_database\_data](#input\_sqlserver\_database\_data) | n/a |
object({
non_integrated_viewer = string
metadata_database_type = string
metadata_database_schema = string
secrets_manager_sqlserver_user_arn = string
secrets_manager_sqlserver_password_arn = string
secrets_manager_sqlserver_host_arn = string
})
|
{
"metadata_database_schema": "",
"metadata_database_type": "",
"non_integrated_viewer": "false",
"secrets_manager_sqlserver_host_arn": "",
"secrets_manager_sqlserver_password_arn": "",
"secrets_manager_sqlserver_user_arn": ""
}
| no | +| [sqlserver\_database\_data](#input\_sqlserver\_database\_data) | n/a |
object({
non_integrated_viewer = string
metadata_database_type = string
metadata_database_schema = string
secrets_manager_sqlserver_user_name = string
secrets_manager_sqlserver_password_name = string
secrets_manager_sqlserver_host_name = string
})
|
{
"metadata_database_schema": "",
"metadata_database_type": "",
"non_integrated_viewer": "false",
"secrets_manager_sqlserver_host_name": "",
"secrets_manager_sqlserver_password_name": "",
"secrets_manager_sqlserver_user_name": ""
}
| no |
 | [tags](#input\_tags) | Tags to apply to resources | `map(string)` | `{}` | no |
 | [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes |
diff --git a/_check.tf b/_check.tf
index 14186dd..327c3d6 100644
--- a/_check.tf
+++ b/_check.tf
@@ -1,11 +1,8 @@
 check "database_data_non_integrated_viewer" {
 assert {
- condition = (
- (local.database_data.non_integrated_viewer == "false" &&
- length(local.database_data.metadata_database_type) == 0) ||
- (local.database_data.non_integrated_viewer == "true" &&
- length(local.database_data.metadata_database_type) > 0 &&
- length(local.database_data.metadata_database_schema) > 0)
+ condition = (
+ (local.database_data.non_integrated_viewer == "false" && length(local.database_data.metadata_database_type) == 0) ||
+ (local.database_data.non_integrated_viewer == "true" && length(local.database_data.metadata_database_type) > 0 && length(local.database_data.metadata_database_schema) > 0)
 )
 error_message = "When non_integrated_viewer is false, no other database data should be provided. When non_integrated_viewer is true, metadata_database_type, metadata_database_schema, and secrets_manager_* variables should be provided."
 }
diff --git a/_data.tf b/_data.tf
index 4a51084..c358fef 100644
--- a/_data.tf
+++ b/_data.tf
@@ -37,4 +37,24 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" {
 data "aws_route_table" "this" {
 for_each = local.private_subnet_kvs
 subnet_id = each.value
-}
\ No newline at end of file
+}
+
+data "aws_secretsmanager_secret_version" "postgres_database_url" {
+ count = local.database_data.metadata_database_type == "postgres" ? 1 : 0
+ secret_id = local.database_data.metadata_database_type == "postgres" ? local.database_data.secrets_manager_postgres_database_url_name : ""
+}
+
+data "aws_secretsmanager_secret_version" "sqlserver_user" {
+ count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0
+ secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_user_name : ""
+}
+
+data "aws_secretsmanager_secret_version" "sqlserver_password" {
+ count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0
+ secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_password_name : ""
+}
+
+data "aws_secretsmanager_secret_version" "sqlserver_host" {
+ count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0
+ secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_host_name : ""
+}
diff --git a/_local.tf b/_local.tf
index e02d7c4..fad1ef2 100644
--- a/_local.tf
+++ b/_local.tf
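Review bot: In each of the four new data sources the `secret_id` ternary repeats the `metadata_database_type` test that `count` already performs, so the `: ""` branch is unreachable; `secret_id = local.database_data.secrets_manager_postgres_database_url_name` (and the matching `*_name` field for the three sqlserver sources) says the same thing without the duplicated condition. What is missing is any check that the selected `*_name` field is non-empty: `_check.tf`'s error message promises that "secrets_manager_* variables should be provided", but its condition only looks at `metadata_database_type` and `metadata_database_schema`, so a caller who picks a backend and leaves the default `""` reaches these data sources with an empty `secret_id` and gets a provider error rather than that message — extending the check (or adding a `validation` block on the variables) would close that gap. Since `secret_id` now receives a friendly name rather than an ARN, a comment such as `# secret is resolved by name, so it must live in the provider's own account and region` would document the narrowing; a secret in another account can only be addressed by ARN, and the data source result, including the secret value, is persisted in Terraform state.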
@@ -8,7 +8,7 @@ locals {
 registry_url = var.disable_ecr == false ? "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" : "ghcr.io/cdcgov/phdi"
 registry_username = data.aws_ecr_authorization_token.this.user_name
 registry_password = data.aws_ecr_authorization_token.this.password
- database_data = var.postgres_database_data.non_integrated_viewer == "true" ? var.postgres_database_data : var.sqlserver_database_data
+ database_data = var.postgres_database_data.non_integrated_viewer == "true" ? var.postgres_database_data : var.sqlserver_database_data
 service_data = length(var.service_data) > 0 ? var.service_data : {
 ecr-viewer = {
@@ -57,28 +57,28 @@ locals {
 value = var.ecr_viewer_basepath
 },
 {
- name = "METADATA_DATABASE_TYPE",
+ name = "METADATA_DATABASE_TYPE",
 value = local.database_data.non_integrated_viewer == "true" ? local.database_data.metadata_database_type : ""
 },
 {
- name = "METADATA_DATABASE_SCHEMA",
+ name = "METADATA_DATABASE_SCHEMA",
 value = local.database_data.non_integrated_viewer == "true" ? local.database_data.metadata_database_schema : ""
 },
 {
- name = "DATABASE_URL",
- value = local.database_data.metadata_database_type == "postgres" ? local.database_data.secrets_manager_postgres_database_url_arn : ""
+ name = "DATABASE_URL",
+ value = local.database_data.metadata_database_type == "postgres" ? data.aws_secretsmanager_secret_version.postgres_database_url[0].secret_string : ""
 },
 {
- name = "SQL_SERVER_USER",
- value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_user_arn : ""
+ name = "SQL_SERVER_USER",
+ value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_user[0].secret_string : ""
 },
 {
- name = "SQL_SERVER_PASSWORD",
- value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_password_arn : ""
+ name = "SQL_SERVER_PASSWORD",
+ value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_password[0].secret_string : ""
 },
 {
- name = "SQL_SERVER_HOST",
- value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_host_arn : ""
+ name = "SQL_SERVER_HOST",
+ value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_host[0].secret_string : ""
 }
 ]
 },
diff --git a/_variable.tf b/_variable.tf
index 5e3f5a9..dc5b9d8 100644
--- a/_variable.tf
+++ b/_variable.tf
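Review bot: The four `value` entries for `DATABASE_URL`, `SQL_SERVER_USER`, `SQL_SERVER_PASSWORD` and `SQL_SERVER_HOST` now hold the resolved `secret_string` instead of a reference, so the database URL and the SQL Server credentials become plaintext members of `local.service_data`, are written to Terraform state by the data sources, and — if this `env_vars` list is rendered into the task definition's `environment` block, which happens outside this hunk — are readable to anything allowed to describe the task definition. Terraform marks `secret_string` as sensitive, which only redacts plan output; it does not keep the value out of state or out of the ECS API. The previous `*_arn` values were references, and the usual way to keep that property is to pass the ARN through the task definition's `secrets`/`valueFrom` list so ECS fetches the value at task start; the data source exports `arn`, so `value = data.aws_secretsmanager_secret_version.postgres_database_url[0].arn` (and likewise for the three sqlserver entries) would preserve the `name`/`value` shape while restoring a reference, provided the consumer is adjusted to treat these four as secrets. If injecting the plaintext is intended, a comment on these lines stating that the credentials land in state and in the task definition would at least make the trade-off explicit. The enclosing `locals` block starts and ends outside the hunk.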
@@ -115,35 +115,35 @@ variable "service_data" {
 variable "postgres_database_data" {
 type = object({
- non_integrated_viewer = string
- metadata_database_type = string
- metadata_database_schema = string
- secrets_manager_postgres_database_url_arn = string
+ non_integrated_viewer = string
+ metadata_database_type = string
+ metadata_database_schema = string
+ secrets_manager_postgres_database_url_name = string
 })
 default = {
- non_integrated_viewer = "false"
- metadata_database_type = ""
- metadata_database_schema = ""
- secrets_manager_postgres_database_url_arn = ""
+ non_integrated_viewer = "false"
+ metadata_database_type = ""
+ metadata_database_schema = ""
+ secrets_manager_postgres_database_url_name = ""
 }
 }
 variable "sqlserver_database_data" {
 type = object({
- non_integrated_viewer = string
- metadata_database_type = string
- metadata_database_schema = string
- secrets_manager_sqlserver_user_arn = string
- secrets_manager_sqlserver_password_arn = string
- secrets_manager_sqlserver_host_arn = string
+ non_integrated_viewer = string
+ metadata_database_type = string
+ metadata_database_schema = string
+ secrets_manager_sqlserver_user_name = string
+ secrets_manager_sqlserver_password_name = string
+ secrets_manager_sqlserver_host_name = string
 })
 default = {
- non_integrated_viewer = "false"
- metadata_database_type = ""
- metadata_database_schema = ""
- secrets_manager_sqlserver_user_arn = ""
- secrets_manager_sqlserver_password_arn = ""
- secrets_manager_sqlserver_host_arn = ""
+ non_integrated_viewer = "false"
+ metadata_database_type = ""
+ metadata_database_schema = ""
+ secrets_manager_sqlserver_user_name = ""
+ secrets_manager_sqlserver_password_name = ""
+ secrets_manager_sqlserver_host_name = ""
 }
 }