Merge pull request #672 from UKHSA-Internal/task/rollout-aurora-db-pa…

…rt-two/CDD-1750 Task/rollout aurora db part two/cdd 1750
UKHSA-Internal · May 3, 2024 · 7f475c9 · 7f475c9
2 parents d365597 + 2db6e07
commit 7f475c9
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 4 deletions.
diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf
@@ -2,7 +2,7 @@ locals {
   ip_allow_list = {
     engineers = [
       "185.241.164.214/32", # Afaan
-      "82.132.235.146/32",  # Afaan's phone
+      "82.132.233.64/32",   # Afaan's phone
       "154.51.68.102/32",   # Burendo
       "82.2.4.244/32",      # Kev
       "78.147.110.81/32",   # Kev 2

diff --git a/terraform/20-app/locals.tf b/terraform/20-app/locals.tf
@@ -67,5 +67,5 @@ locals {
   thirty_days_in_seconds  = 2592000
   five_minutes_in_seconds = 300
 
-  main_db_password_secret_arn = join("", aws_db_instance.app_rds_primary.master_user_secret.*.secret_arn)
+  main_db_password_secret_arn = aws_secretsmanager_secret.temporary_main_db_credentials.arn
 }
diff --git a/terraform/20-app/passwords.tf b/terraform/20-app/passwords.tf
@@ -6,6 +6,14 @@ resource "random_password" "feature_flags_db_password" {
   special     = false
 }
 
+resource "random_password" "temporary_main_db_credentials" {
+  length      = 20
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+  special     = false
+}
+
 resource "random_password" "cms_admin_user_password" {
   length      = 10
   min_numeric = 1

diff --git a/terraform/20-app/rds.tf b/terraform/20-app/rds.tf
@@ -19,8 +19,8 @@ resource "aws_db_instance" "app_rds_primary" {
   identifier                  = "${local.prefix}-db"
   instance_class              = local.use_prod_sizing ? "db.t3.medium" : "db.t3.small"
   kms_key_id                  = module.kms_app_rds.key_arn
-  multi_az                    = local.use_prod_sizing ? true : false
-  manage_master_user_password = true
+  multi_az                    = false
+  password                    = jsondecode(aws_secretsmanager_secret_version.temporary_main_db_credentials.secret_string)["password"]
   username                    = "api_user"
   publicly_accessible         = local.enable_public_db
   skip_final_snapshot         = true

diff --git a/terraform/20-app/secret-manager.tf b/terraform/20-app/secret-manager.tf
@@ -1,3 +1,19 @@
+################################################################################
+# Temporary main database credentials
+################################################################################
+
+resource "aws_secretsmanager_secret" "temporary_main_db_credentials" {
+  name = "${local.prefix}-temporary-main-db-credentials"
+}
+
+resource "aws_secretsmanager_secret_version" "temporary_main_db_credentials" {
+  secret_id     = aws_secretsmanager_secret.temporary_main_db_credentials.id
+  secret_string = jsonencode({
+    username = "api_user"
+    password = random_password.temporary_main_db_credentials.result
+  })
+}
+
 ################################################################################
 # Feature flags database credentials
 ################################################################################