[Issue #2391] More Metabases (#2479)

## Summary

Relates to, but does not fully complete,
#2391

### Time to review: __2 mins__

## Changes proposed

- Configures metabase with the latest secrets management stuff.
- Adds configure for deploying metabase staging and prod. Deploys are
manual, and I haven't done them just yet.

## Context for reviewers

The secrets stuff is like 90% of this diff, sorry about that 🙏🏼

infra/analytics/app-config/env-config/environment-variables.tf

@@ -3,28 +3,48 @@ locals {
   # This is a map rather than a list so that variables can be easily
   # overridden per environment using terraform's `merge` function
   default_extra_environment_variables = {
-    # Example environment variables
-    # WORKER_THREADS_COUNT    = 4
-    # LOG_LEVEL               = "info"
-    # DB_CONNECTION_POOL_SIZE = 5
+    MB_DB_TYPE   = "postgres"
+    MB_DB_USER   = "metabaseuser"
+    MB_DB_DBNAME = "metabase"
   }
 
   # Configuration for secrets
   # List of configurations for defining environment variables that pull from SSM parameter
   # store. Configurations are of the format
-  # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" }
+  # {
+  #   ENV_VAR_NAME = {
+  #     manage_method     = "generated" # or "manual" for a secret that was created and stored in SSM manually
+  #     secret_store_name = "/ssm/param/name"
+  #   }
+  # }
   secrets = {
+    # Create this in Github
     GH_TOKEN = {
       manage_method     = "manual"
       secret_store_name = "/${var.app_name}/github-token"
-    },
+    }
+    # Create this in Slack
     ANALYTICS_SLACK_BOT_TOKEN = {
       manage_method     = "manual"
       secret_store_name = "/${var.app_name}/slack-bot-token"
-    },
+    }
+    # Retrieve this from Slack
     ANALYTICS_REPORTING_CHANNEL_ID = {
       manage_method     = "manual"
       secret_store_name = "/${var.app_name}/${var.environment}/reporting-channel-id"
     }
+    # Create this manually in the AWS console via the RDS Query Editor
+    #
+    # CREATE ROLE metabaserole;
+    # GRANT metabase TO "< ROOT USER >";
+    # CREATE DATABASE metabase OWNER = "< ROOT USER >";
+    # CREATE USER metabaseuser WITH PASSWORD "< RANDOM PASSWORD >"; <== add this to Parameter Store
+    # GRANT ALL PRIVILEGES ON DATABASE metabase TO metabaseuser;
+    # GRANT CONNECT ON DATABASE metabase TO metabaseuser;
+    # GRANT metabaserole TO metabaseuser;
+    MB_DB_PASS = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/metabase-db-pass"
+    }
   }
 }

infra/analytics/metabase/main.tf

@@ -39,6 +39,8 @@ locals {
 
   service_name = "metabase-${var.environment_name}"
 
+  is_temporary = startswith(terraform.workspace, "t-")
+
   environment_config = module.app_config.environment_configs[var.environment_name]
   service_config     = local.environment_config.service_config
   database_config    = local.environment_config.database_config
@@ -79,8 +81,9 @@ data "aws_rds_cluster" "db_cluster" {
 }
 
 module "service" {
-  source                   = "../../modules/service"
-  service_name             = local.service_name
+  source       = "../../modules/service"
+  service_name = local.service_name
+  # https://hub.docker.com/r/metabase/metabase
   image_repository_url     = "docker.io/metabase/metabase"
   image_tag                = local.image_tag
   vpc_id                   = data.aws_vpc.network.id
@@ -94,21 +97,16 @@ module "service" {
   healthcheck_command      = null
   healthcheck_path         = "/"
   extra_environment_variables = {
-    MB_DB_TYPE   = "postgres"
-    MB_DB_DBNAME = "metabase"
-    MB_DB_PORT   = data.aws_rds_cluster.db_cluster.port
-    MB_DB_HOST   = data.aws_rds_cluster.db_cluster.endpoint
+    MB_DB_PORT = data.aws_rds_cluster.db_cluster.port
+    MB_DB_HOST = data.aws_rds_cluster.db_cluster.endpoint
   }
-  secrets = [
-    {
-      name           = "MB_DB_USER"
-      ssm_param_name = "/metabase/${var.environment_name}/db_user"
-    },
-    {
-      name           = "MB_DB_PASS"
-      ssm_param_name = "/metabase/${var.environment_name}/db_pass"
-    },
-  ]
+
+  secrets = concat(
+    [for secret_name in keys(local.service_config.secrets) : {
+      name      = secret_name
+      valueFrom = module.secrets[secret_name].secret_arn
+    }],
+  )
 
   app_access_policy_arn      = null
   migrator_access_policy_arn = null

infra/analytics/metabase/prod.s3.tfbackend

@@ -0,0 +1,4 @@
+bucket         = "simpler-grants-gov-315341936575-us-east-1-tf"
+key            = "infra/analytics/metabase/prod.tfstate"
+dynamodb_table = "simpler-grants-gov-315341936575-us-east-1-tf-state-locks"
+region         = "us-east-1"

infra/analytics/metabase/secrets.tf

@@ -0,0 +1,16 @@
+module "secrets" {
+  for_each = local.service_config.secrets
+
+  source = "../../modules/secret"
+
+  # When generating secrets and storing them in parameter store, append the
+  # terraform workspace to the secret store path if the environment is temporary
+  # to avoid conflicts with existing environments.
+  # Don't do this for secrets that are managed manually since the temporary
+  # environments will need to share those secrets.
+  secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ?
+    "${each.value.secret_store_name}/${terraform.workspace}" :
+    each.value.secret_store_name
+  )
+  manage_method = each.value.manage_method
+}

infra/analytics/metabase/staging.s3.tfbackend

@@ -0,0 +1,4 @@
+bucket         = "simpler-grants-gov-315341936575-us-east-1-tf"
+key            = "infra/analytics/metabase/staging.tfstate"
+dynamodb_table = "simpler-grants-gov-315341936575-us-east-1-tf-state-locks"
+region         = "us-east-1"