From a04b50c67e157e2c6b114c133379b27b95a5cadf Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Tue, 7 May 2024 12:34:04 -0700 Subject: [PATCH] Fix variable access --- infra/analytics/metabase/main.tf | 8 +++++--- infra/api/service/main.tf | 7 ++++--- infra/frontend/service/main.tf | 7 ++++--- infra/modules/service/database-access.tf | 8 ++++---- infra/modules/service/variables.tf | 16 +++++++++++++--- 5 files changed, 30 insertions(+), 16 deletions(-) diff --git a/infra/analytics/metabase/main.tf b/infra/analytics/metabase/main.tf index baee7f757..4e3e6ba9f 100644 --- a/infra/analytics/metabase/main.tf +++ b/infra/analytics/metabase/main.tf @@ -109,10 +109,12 @@ module "service" { ssm_param_name = "/metabase/${var.environment_name}/db_pass" }, ] + + app_access_policy_arn = null + migrator_access_policy_arn = null + db_vars = { - security_group_ids = data.aws_rds_cluster.db_cluster.vpc_security_group_ids - app_access_policy_arn = null - migrator_access_policy_arn = null + security_group_ids = data.aws_rds_cluster.db_cluster.vpc_security_group_ids connection_info = { host = data.aws_rds_cluster.db_cluster.endpoint port = data.aws_rds_cluster.db_cluster.port diff --git a/infra/api/service/main.tf b/infra/api/service/main.tf index 6ada674c3..818ace5f6 100644 --- a/infra/api/service/main.tf +++ b/infra/api/service/main.tf 
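Review bot: The two explicit `app_access_policy_arn = null` / `migrator_access_policy_arn = null` lines duplicate the module defaults that the `variables.tf` hunk of this same patch introduces (`default = null` on both), so they carry no information for a reader. Either drop them or keep them with a one-line comment saying why Metabase gets no IAM database policy, e.g. `# Metabase appears to authenticate with the SSM-stored db_pass above; no IAM DB access policy is attached.` The `module "service"` block begins before this hunk and continues after it.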
@@ -124,10 +124,11 @@ module "service" { cert_arn = local.domain != null ? data.aws_acm_certificate.cert[0].arn : null + app_access_policy_arn = data.aws_iam_policy.app_db_access_policy[0].arn + migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn + db_vars = module.app_config.has_database ? { - security_group_ids = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids - app_access_policy_arn = data.aws_iam_policy.app_db_access_policy[0].arn - migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn + security_group_ids = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids connection_info = { host = data.aws_rds_cluster.db_cluster[0].endpoint port = data.aws_rds_cluster.db_cluster[0].port diff --git a/infra/frontend/service/main.tf b/infra/frontend/service/main.tf index b74bf336c..f80b283d4 100644 --- a/infra/frontend/service/main.tf +++ b/infra/frontend/service/main.tf @@ -126,10 +126,11 @@ module "service" { cert_arn = terraform.workspace == "default" ? data.aws_acm_certificate.cert[0].arn : null hostname = module.app_config.hostname + app_access_policy_arn = null + migrator_access_policy_arn = null + db_vars = module.app_config.has_database ? { - security_group_ids = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids - app_access_policy_arn = data.aws_iam_policy.app_db_access_policy[0].arn - migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn + security_group_ids = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids connection_info = { host = data.aws_rds_cluster.db_cluster[0].endpoint port = data.aws_rds_cluster.db_cluster[0].port diff --git a/infra/modules/service/database-access.tf b/infra/modules/service/database-access.tf index 25fdc442f..f4a4a2c2f 100644 --- a/infra/modules/service/database-access.tf +++ b/infra/modules/service/database-access.tf 
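Review bot: `app_access_policy_arn = data.aws_iam_policy.app_db_access_policy[0].arn` and the `migrator_access_policy_arn` line are now evaluated unconditionally, while `db_vars` directly below is still gated on `module.app_config.has_database`. If those data sources are count-gated the same way `db_cluster[0]` appears to be (their definitions are not in this hunk), an app with `has_database = false` fails at plan time with an invalid `[0]` index instead of simply attaching nothing. Gate them like the rest of the database inputs: `app_access_policy_arn = module.app_config.has_database ? data.aws_iam_policy.app_db_access_policy[0].arn : null` and the same for `migrator_access_policy_arn`. The `module "service"` block starts before the hunk and ends after it.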
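Review bot: The frontend now passes `null` for both policy ARNs but still hands `db_vars` (with `security_group_ids`) to the module when `has_database` is true, so in that case the database security group would be opened for the service while its task role is granted no database policy. If the frontend is never expected to own a database, this is inert but the conditional `db_vars` block is then misleading; if it can, the ARNs should be passed conditionally as the api service does, e.g. `app_access_policy_arn = module.app_config.has_database ? data.aws_iam_policy.app_db_access_policy[0].arn : null`. A one-line comment above the two `null`s stating which of these cases applies would make the intent explicit. The `module "service"` block starts before and ends after this hunk.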
@@ -15,15 +15,15 @@ resource "aws_vpc_security_group_ingress_rule" "db_ingress_from_service" { } resource "aws_iam_role_policy_attachment" "app_service_db_access" { - count = var.db_vars != null && var.db_vars.app_access_policy_arn != null ? 1 : 0 + count = var.app_access_policy_arn != null ? 1 : 0 role = aws_iam_role.app_service.name - policy_arn = var.db_vars.app_access_policy_arn + policy_arn = var.app_access_policy_arn } resource "aws_iam_role_policy_attachment" "migrator_db_access" { - count = var.db_vars != null && var.db_vars.migrator_access_policy_arn != null ? 1 : 0 + count = var.migrator_access_policy_arn != null ? 1 : 0 role = aws_iam_role.migrator_task[0].name - policy_arn = var.db_vars.migrator_access_policy_arn + policy_arn = var.migrator_access_policy_arn } diff --git a/infra/modules/service/variables.tf b/infra/modules/service/variables.tf index d924f5784..ebd5b2c64 100644 --- a/infra/modules/service/variables.tf +++ b/infra/modules/service/variables.tf @@ -87,9 +87,7 @@ variable "secrets" { variable "db_vars" { description = "Variables for integrating the app service with a database" type = object({ - security_group_ids = list(string) - app_access_policy_arn = string - migrator_access_policy_arn = string + security_group_ids = list(string) connection_info = object({ host = string port = string @@ -101,6 +99,18 @@ variable "db_vars" { default = null } +variable "app_access_policy_arn" { + description = "The ARN of the IAM policy to attach to the app service role for database access" + type = string + default = null +} + +variable "migrator_access_policy_arn" { + description = "The ARN of the IAM policy to attach to the migrator task role for database access" + type = string + default = null +} + variable "extra_policies" { description = "Map of extra IAM policies to attach to the service's task role. The map's keys define the resource name in terraform." type = map(string)
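Review bot: Dropping `var.db_vars != null` from the `count` of `migrator_db_access` decouples the attachment from the rest of the module's database gating while `role = aws_iam_role.migrator_task[0].name` still indexes `[0]`; if `migrator_task` is only created when `db_vars` is set (its definition is outside this hunk), a caller that passes `migrator_access_policy_arn` without `db_vars` now fails on the index rather than skipping the attachment. Either keep the guard, `count = var.db_vars != null && var.migrator_access_policy_arn != null ? 1 : 0`, or state the dependency with a comment such as `# Requires var.db_vars: the migrator task role only exists when the service has a database`. The same loosening applies to `app_service_db_access`, which will now attach a database policy to the service role even when no database connection is configured; that is not an error but is worth a comment if intended. The `db_ingress_from_service` resource is cut at the top of the hunk.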
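Review bot: The two new variable descriptions say what the policy is attached to but not what `null` means, even though the module's `count` expressions treat null as "attach nothing". Extend them, e.g. `description = "ARN of the IAM policy granting the app service role database access. Leave null (the default) to attach no policy."`, and for `migrator_access_policy_arn` also note that the attachment targets the migrator task role, so that role must exist for a non-null value to apply. Both `variable` blocks are complete within the hunk.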