feat: Added support for secretsmanager secret in endpoints (#27)

Author: Kostavro

README.md

@@ -303,14 +303,14 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.17 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >=0.7.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.6 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.17 |
 | <a name="provider_time"></a> [time](#provider\_time) | >=0.7.2 |
 
 ## Modules

examples/complete/README.md

@@ -28,14 +28,14 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.17 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.6 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.17 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
@@ -58,11 +58,15 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Type |
 |------|------|
 | [aws_iam_role.s3_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.secretsmanager_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kms_key.aurora_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.msk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_rds_cluster_parameter_group.postgresql](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
 | [aws_s3_object.hr_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
+| [aws_secretsmanager_secret.aurora_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret.msk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_policy.msk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_version.aurora_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.msk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_sns_topic.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |

examples/complete/main.tf

@@ -119,17 +119,15 @@ module "dms_aurora_postgresql_aurora_mysql" {
     }
 
     postgresql-source = {
-      database_name               = local.db_name
-      endpoint_id                 = "${local.name}-postgresql-source"
-      endpoint_type               = "source"
-      engine_name                 = "aurora-postgresql"
-      extra_connection_attributes = "heartbeatFrequency=1;"
-      username                    = local.db_username
-      password                    = module.rds_aurora["postgresql-source"].cluster_master_password
-      port                        = 5432
-      server_name                 = module.rds_aurora["postgresql-source"].cluster_endpoint
-      ssl_mode                    = "none"
-      tags                        = { EndpointType = "postgresql-source" }
+      database_name                   = local.db_name
+      endpoint_id                     = "${local.name}-postgresql-source"
+      endpoint_type                   = "source"
+      engine_name                     = "aurora-postgresql"
+      secrets_manager_arn             = aws_secretsmanager_secret_version.aurora_credentials.arn
+      secrets_manager_access_role_arn = aws_iam_role.secretsmanager_role.arn
+      extra_connection_attributes     = "heartbeatFrequency=1;secretsManagerEndpointOverride=${module.vpc_endpoints.endpoints["secretsmanager"]["dns_entry"][0]["dns_name"]}"
+      ssl_mode                        = "none"
+      tags                            = { EndpointType = "postgresql-source" }
     }
 
     mysql-destination = {
@@ -303,6 +301,10 @@ module "vpc_endpoints" {
       route_table_ids = flatten([module.vpc.private_route_table_ids, module.vpc.database_route_table_ids])
       tags            = { Name = "s3-vpc-endpoint" }
     }
+    secretsmanager = {
+      service_name = "com.amazonaws.${local.region}.secretsmanager"
+      subnet_ids   = module.vpc.database_subnets
+    }
   }
 
   tags = local.tags
@@ -573,3 +575,77 @@ resource "aws_secretsmanager_secret_policy" "msk" {
   }
   POLICY
 }
+
+resource "aws_kms_key" "aurora_credentials" {
+  description         = "KMS CMK for ${local.name}"
+  enable_key_rotation = true
+
+  tags = local.tags
+}
+
+resource "aws_secretsmanager_secret" "aurora_credentials" {
+  name        = "rds_aurora_${local.name}_${random_pet.this.id}"
+  description = "Secret for ${local.name}"
+  kms_key_id  = aws_kms_key.aurora_credentials.key_id
+
+  tags = local.tags
+}
+
+resource "aws_secretsmanager_secret_version" "aurora_credentials" {
+  secret_id = aws_secretsmanager_secret.aurora_credentials.id
+  secret_string = jsonencode(
+    {
+      username = module.rds_aurora["postgresql-source"].cluster_master_username
+      password = module.rds_aurora["postgresql-source"].cluster_master_password
+      port     = 5432
+      host     = module.rds_aurora["postgresql-source"].cluster_endpoint
+    }
+  )
+  depends_on = [module.rds_aurora]
+}
+
+resource "aws_iam_role" "secretsmanager_role" {
+  name        = "${local.name}-secretsmanager"
+  description = "Role used to read secretsmanager secret"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "DMSAssume"
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "dms.${local.region}.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  inline_policy {
+    name = "${local.name}-secretsmanager"
+
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid      = "DMSRead"
+          Action   = "secretsmanager:GetSecretValue"
+          Effect   = "Allow"
+          Resource = aws_secretsmanager_secret_version.aurora_credentials.arn
+        },
+        {
+          Sid = "KMSRead"
+          Action = [
+            "kms:Decrypt",
+            "kms:DescribeKey"
+          ]
+          Effect   = "Allow"
+          Resource = aws_kms_key.aurora_credentials.arn
+        }
+      ]
+    })
+  }
+
+  tags = local.tags
+}

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.6"
+      version = ">= 4.17"
     }
     random = {
       source  = "hashicorp/random"

main.tf

@@ -151,19 +151,21 @@ resource "aws_dms_replication_instance" "this" {
 resource "aws_dms_endpoint" "this" {
   for_each = { for k, v in var.endpoints : k => v if var.create }
 
-  certificate_arn             = try(aws_dms_certificate.this[each.value.certificate_key].certificate_arn, null)
-  database_name               = lookup(each.value, "database_name", null)
-  endpoint_id                 = each.value.endpoint_id
-  endpoint_type               = each.value.endpoint_type
-  engine_name                 = each.value.engine_name
-  extra_connection_attributes = lookup(each.value, "extra_connection_attributes", null)
-  kms_key_arn                 = lookup(each.value, "kms_key_arn", null)
-  password                    = lookup(each.value, "password", null)
-  port                        = lookup(each.value, "port", null)
-  server_name                 = lookup(each.value, "server_name", null)
-  service_access_role         = lookup(each.value, "service_access_role", null)
-  ssl_mode                    = lookup(each.value, "ssl_mode", null)
-  username                    = lookup(each.value, "username", null)
+  certificate_arn                 = try(aws_dms_certificate.this[each.value.certificate_key].certificate_arn, null)
+  database_name                   = lookup(each.value, "database_name", null)
+  endpoint_id                     = each.value.endpoint_id
+  endpoint_type                   = each.value.endpoint_type
+  engine_name                     = each.value.engine_name
+  extra_connection_attributes     = lookup(each.value, "extra_connection_attributes", null)
+  kms_key_arn                     = lookup(each.value, "kms_key_arn", null)
+  password                        = lookup(each.value, "password", null)
+  port                            = lookup(each.value, "port", null)
+  server_name                     = lookup(each.value, "server_name", null)
+  service_access_role             = lookup(each.value, "service_access_role", null)
+  ssl_mode                        = lookup(each.value, "ssl_mode", null)
+  username                        = lookup(each.value, "username", null)
+  secrets_manager_access_role_arn = lookup(each.value, "secrets_manager_access_role_arn", null)
+  secrets_manager_arn             = lookup(each.value, "secrets_manager_arn", null)
 
   # https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Elasticsearch.html
   dynamic "elasticsearch_settings" {

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.6"
+      version = ">= 4.17"
     }
     time = {
       source  = "hashicorp/time"