template infra changes

infra/api/service/main.tf

@@ -67,11 +67,6 @@ data "aws_rds_cluster" "db_cluster" {
   cluster_identifier = local.database_config.cluster_name
 }
 
-data "aws_iam_policy" "db_access_policy" {
-  count = module.app_config.has_database ? 1 : 0
-  name  = local.database_config.access_policy_name
-}
-
 data "aws_iam_policy" "app_db_access_policy" {
   count = module.app_config.has_database ? 1 : 0
   name  = local.database_config.app_access_policy_name
@@ -99,7 +94,6 @@ module "service" {
 
   db_vars = module.app_config.has_database ? {
     security_group_ids         = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids
-    access_policy_arn          = data.aws_iam_policy.db_access_policy[0].arn
     app_access_policy_arn      = data.aws_iam_policy.app_db_access_policy[0].arn
     migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn
     connection_info = {

infra/api/service/outputs.tf

@@ -18,3 +18,7 @@ output "application_log_group" {
 output "application_log_stream_prefix" {
   value = module.service.application_log_stream_prefix
 }
+
+output "migrator_role_arn" {
+  value = module.service.migrator_role_arn
+}

infra/frontend/service/main.tf

@@ -68,11 +68,6 @@ data "aws_rds_cluster" "db_cluster" {
   cluster_identifier = local.database_config.cluster_name
 }
 
-data "aws_iam_policy" "db_access_policy" {
-  count = module.app_config.has_database ? 1 : 0
-  name  = local.database_config.access_policy_name
-}
-
 data "aws_iam_policy" "app_db_access_policy" {
   count = module.app_config.has_database ? 1 : 0
   name  = local.database_config.app_access_policy_name
@@ -110,7 +105,6 @@ module "service" {
 
   db_vars = module.app_config.has_database ? {
     security_group_ids         = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids
-    access_policy_arn          = data.aws_iam_policy.db_access_policy[0].arn
     app_access_policy_arn      = data.aws_iam_policy.app_db_access_policy[0].arn
     migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn
     connection_info = {

infra/frontend/service/outputs.tf

@@ -18,3 +18,7 @@ output "application_log_group" {
 output "application_log_stream_prefix" {
   value = module.service.application_log_stream_prefix
 }
+
+output "migrator_role_arn" {
+  value = module.service.migrator_role_arn
+}

infra/modules/database/authentication.tf

@@ -1,30 +1,6 @@
 # Authentication
 # --------------
 
-
-# TODO: Delete when no longer in use. Part 3 of multipart update https://github.com/navapbc/template-infra/issues/354#issuecomment-1693973424
-resource "aws_iam_policy" "db_access" {
-  name   = var.access_policy_name
-  policy = data.aws_iam_policy_document.db_access.json
-}
-
-# TODO: Delete when no longer in use. Part 3 of multipart update https://github.com/navapbc/template-infra/issues/354#issuecomment-1693973424
-data "aws_iam_policy_document" "db_access" {
-  # Policy to allow connection to RDS via IAM database authentication
-  # which is more secure than traditional username/password authentication
-  # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
-  statement {
-    actions = [
-      "rds-db:connect"
-    ]
-
-    resources = [
-      "${local.db_user_arn_prefix}/${var.app_username}",
-      "${local.db_user_arn_prefix}/${var.migrator_username}",
-    ]
-  }
-}
-
 resource "aws_iam_policy" "app_db_access" {
   name   = var.app_access_policy_name
   policy = data.aws_iam_policy_document.app_db_access.json

infra/modules/database/main.tf

@@ -23,14 +23,14 @@ resource "aws_rds_cluster" "db" {
   # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html
   cluster_identifier = var.name
 
-  engine            = "aurora-postgresql"
-  engine_mode       = "provisioned"
-  database_name     = var.database_name
-  port              = var.port
-  master_username   = local.master_username
-  master_password   = aws_ssm_parameter.random_db_password.value
-  storage_encrypted = true
-  kms_key_id        = aws_kms_key.db.arn
+  engine                      = "aurora-postgresql"
+  engine_mode                 = "provisioned"
+  database_name               = var.database_name
+  port                        = var.port
+  master_username             = local.master_username
+  manage_master_user_password = true
+  storage_encrypted           = true
+  kms_key_id                  = aws_kms_key.db.arn
 
   # checkov:skip=CKV_AWS_128:Auth decision needs to be ironed out
   # checkov:skip=CKV_AWS_162:Auth decision needs to be ironed out
@@ -61,18 +61,6 @@ resource "aws_rds_cluster_instance" "primary" {
   monitoring_interval        = 30
 }
 
-resource "random_password" "random_db_password" {
-  length = 48
-  # Remove '@' sign from allowed characters since only printable ASCII characters besides '/', '@', '"', ' ' may be used.
-  override_special = "!#$%&*()-_=+[]{}<>:?"
-}
-
-resource "aws_ssm_parameter" "random_db_password" {
-  name  = "/db/${var.name}/master-password"
-  type  = "SecureString"
-  value = random_password.random_db_password.result
-}
-
 resource "aws_kms_key" "db" {
   description         = "Key for RDS cluster ${var.name}"
   enable_key_rotation = true
@@ -83,7 +71,7 @@ resource "aws_kms_key" "db" {
 
 resource "aws_rds_cluster_parameter_group" "rds_query_logging" {
   name        = var.name
-  family      = "aurora-postgresql13"
+  family      = "aurora-postgresql14"
   description = "Default cluster parameter group"
 
   parameter {

infra/modules/database/role-manager.tf

@@ -29,7 +29,7 @@ resource "aws_lambda_function" "role_manager" {
       DB_PORT                = aws_rds_cluster.db.port
       DB_USER                = local.master_username
       DB_NAME                = aws_rds_cluster.db.database_name
-      DB_PASSWORD_PARAM_NAME = aws_ssm_parameter.random_db_password.name
+      DB_PASSWORD_PARAM_NAME = "/aws/reference/secretsmanager/${data.aws_secretsmanager_secret.db_pass.name}"
       DB_SCHEMA              = var.schema_name
       APP_USER               = var.app_username
       MIGRATOR_USER          = var.migrator_username
@@ -49,10 +49,14 @@ resource "aws_lambda_function" "role_manager" {
 }
 
 # Installs python packages needed by the role manager lambda function before
-# creating the zip archive. Reinstalls whenever requirements.txt changes
+# creating the zip archive.
+# Runs pip install on every apply so that the role manager archive file that
+# is generated locally is guaranteed to have the required dependencies even
+# when terraform is run by a developer that did not originally create the
+# environment.
+# Timestamp is used to always trigger replacement.
 resource "terraform_data" "role_manager_python_vendor_packages" {
-  triggers_replace = file("${path.module}/role_manager/requirements.txt")
-
+  triggers_replace = timestamp()
   provisioner "local-exec" {
     command = "pip3 install -r ${path.module}/role_manager/requirements.txt -t ${path.module}/role_manager/vendor"
   }
@@ -90,6 +94,10 @@ resource "aws_iam_role" "role_manager" {
   ]
 }
 
+data "aws_secretsmanager_secret" "db_pass" {
+  arn = aws_rds_cluster.db.master_user_secret[0].secret_arn
+}
+
 resource "aws_iam_role_policy" "ssm_access" {
   name = "${var.name}-role-manager-ssm-access"
   role = aws_iam_role.role_manager.id
@@ -99,8 +107,8 @@ resource "aws_iam_role_policy" "ssm_access" {
     Statement = [
       {
         Effect   = "Allow"
-        Action   = ["ssm:GetParameter*"]
-        Resource = "${aws_ssm_parameter.random_db_password.arn}"
+        Action   = ["secretsmanager:GetSecretValue"]
+        Resource = [data.aws_secretsmanager_secret.db_pass.arn]
       },
       {
         Effect   = "Allow"

infra/modules/database/role_manager/role_manager.py

@@ -11,6 +11,9 @@
 def lambda_handler(event, context):
     if event == "check":
         return check()
+    elif event == "password_ts":
+        connect_as_master_user()
+        return "Succeeded"
     else:
         return manage()
 
@@ -115,11 +118,11 @@ def get_password() -> str:
     ssm = boto3.client("ssm")
     param_name = os.environ["DB_PASSWORD_PARAM_NAME"]
     logger.info("Fetching password from parameter store")
-    result = ssm.get_parameter(
+    result = json.loads(ssm.get_parameter(
         Name=param_name,
         WithDecryption=True,
-    )
-    return result["Parameter"]["Value"]
+    )["Parameter"]["Value"])
+    return result["password"]
 
 
 def get_roles(conn: Connection) -> list[str]:

infra/modules/service/database-access.tf

@@ -27,11 +27,3 @@ resource "aws_iam_role_policy_attachment" "migrator_db_access" {
   role       = aws_iam_role.migrator_task[0].name
   policy_arn = var.db_vars.migrator_access_policy_arn
 }
-
-# TODO: Delete as part 3 of multipart update https://github.com/navapbc/template-infra/issues/354#issuecomment-1693973424
-resource "aws_iam_role_policy_attachment" "temp_app_migrator_db_access" {
-  count = var.db_vars != null ? 1 : 0
-
-  role       = aws_iam_role.app_service.name
-  policy_arn = var.db_vars.migrator_access_policy_arn
-}

infra/modules/service/main.tf

@@ -63,9 +63,6 @@ resource "aws_ecs_task_definition" "app" {
   execution_role_arn = aws_iam_role.task_executor.arn
   task_role_arn      = aws_iam_role.app_service.arn
 
-  # when is this needed?
-  # task_role_arn      = aws_iam_role.app_service.arn
-
   container_definitions = jsonencode([
     {
       name                   = var.service_name,

infra/modules/service/variables.tf

@@ -55,7 +55,6 @@ variable "db_vars" {
   description = "Variables for integrating the app service with a database"
   type = object({
     security_group_ids         = list(string)
-    access_policy_arn          = string
     app_access_policy_arn      = string
     migrator_access_policy_arn = string
     connection_info = object({