Merge pull request #3940 from ministryofjustice/asg-secretsmanager

secretsmanager-compatibility
ministryofjustice · Nov 13, 2023 · 2b4d344 · 2b4d344
2 parents dfb8bef + 60d86be
commit 2b4d344
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 52 deletions.
diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf
@@ -212,8 +212,7 @@ locals {
   bip_a = {
     config = merge(module.baseline_presets.ec2_instance.config.default, {
       ami_name                  = "oasys_bip_release_2023-06-08T15-17-45.964Z"
-      ssm_parameters_prefix     = "ec2-web/"
-      iam_resource_names_prefix = "ec2-web"
+      iam_resource_names_prefix = "ec2"
       availability_zone         = "${local.region}a"
     })
     instance = merge(module.baseline_presets.ec2_instance.instance.default, {
@@ -232,6 +231,14 @@ locals {
       max_size         = 2
     })
     lb_target_groups = {}
+    secretsmanager_secrets = {
+      "weblogic/admin_password"     = {}
+      "weblogic/admin_username"     = {}
+      "weblogic/biplatformpassword" = {}
+      "weblogic/db_username"        = {}
+      "weblogic/mdspassword"        = {}
+      "weblogic/syspassword"        = {}
+    }
     tags = {
       backup            = "false" # opt out of mod platform default backup plan
       component         = "bip"

diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf
@@ -49,4 +49,18 @@ locals {
     }
   }
 
+  secretsmanager_secrets_oasys_db = {
+    secrets = {
+      passwords = {}
+      apex-passwords = {}
+    }
+  }
+
+  secretsmanager_secrets_bip_db = {
+    secrets = {
+      passwords = {}
+      bip-passwords = {}
+    }
+  }
+
 }
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
@@ -28,58 +28,67 @@ locals {
       "/oracle/database/T2ONRBDS" = local.database_ssm_parameters
     }
     baseline_secretsmanager_secrets = {
-      "/oracle/database/T1OASYS"  = local.secretsmanager_secrets_db
-      "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db
-      "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db
-      "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db
-      "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db
-      "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db
-      "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db
+      # NEW
+      "/oracle/database/T1OASYS"                = local.secretsmanager_secrets_oasys_db
+      "/oracle/database/T1OASREP"               = local.secretsmanager_secrets_db
+      "/oracle/database/T1AZBIPI"               = local.secretsmanager_secrets_bip_db
+      "/oracle/database/T1BIPINF"               = local.secretsmanager_secrets_bip_db
+      "/oracle/database/T1MISTRN"               = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRSYS"               = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRAUD"               = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRBDS"               = local.secretsmanager_secrets_db
 
-      "/oracle/database/T2OASYS"  = local.secretsmanager_secrets_db
-      "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db
-      "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db
-      "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db
-      "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db
-      "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db
-      "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db
+      "/oracle/database/T2OASYS"                = local.secretsmanager_secrets_oasys_db
+      "/oracle/database/T2OASREP"               = local.secretsmanager_secrets_db
+      "/oracle/database/T2AZBIPI"               = local.secretsmanager_secrets_bip_db
+      "/oracle/database/T2BIPINF"               = local.secretsmanager_secrets_bip_db
+      "/oracle/database/T2MISTRN"               = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRSYS"               = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRAUD"               = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRBDS"               = local.secretsmanager_secrets_db
+
+      "/oracle/bip/t1/passwords"               = local.secretsmanager_secrets_db
+      "/oracle/bip/t2/passwords"               = local.secretsmanager_secrets_db
+
+      "" = {
+        postfix = ""
+        secrets = {
+          account_ids                       = {}
+          ec2-user_pem                      = {}
+          environment_management_arn        = {}
+          modernisation_platform_account_id = {}
+        }
+      }
+
+      # OLD AND WILL BE REPLACED
 
       "/database/t1/T1OASYS" = {
         secrets = {
-          apex_listenerpassword    = {}
-          apex_public_userpassword = {}
-          apex_rest_publicpassword = {}
+          apex_listenerpassword    = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
+          apex_public_userpassword = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
+          apex_rest_publicpassword = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
         }
       }
       "/database/t2/T2OASYS" = {
         secrets = {
-          apex_listenerpassword    = {}
-          apex_public_userpassword = {}
-          apex_rest_publicpassword = {}
+          apex_listenerpassword    = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
+          apex_public_userpassword = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
+          apex_rest_publicpassword = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___}
         }
       }
       "/database/t2-oasys-db-a/T2BIPINF" = {
         secrets = {
-          systempassword = {}
+          systempassword = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ }
         }
       }
       "/weblogic/test-oasys-bip-b" = {
         secrets = {
-          admin_password     = {}
-          admin_username     = {}
-          biplatformpassword = {}
-          db_username        = {}
-          mdspassword        = {}
-          syspassword        = {}
-        }
-      }
-      "" = {
-        postfix = ""
-        secrets = {
-          account_ids                       = {}
-          ec2-user_pem                      = {}
-          environment_management_arn        = {}
-          modernisation_platform_account_id = {}
+          admin_password     = {} # -> /oracle/bip/t2/passwords { weblogic: admin_pass }
+          admin_username     = {} # just have in ansible defaults , username is always weblogic
+          biplatformpassword = {} # ->  /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ }
+          db_username        = {} # put in ansible defaults, but can't find
+          mdspassword        = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ }
+          syspassword        = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ }
         }
       }
     }
@@ -95,17 +104,17 @@ locals {
           instance-scheduling                     = "skip-scheduling"
         })
       })
-      "t2-${local.application_name}-db-b" = merge(local.database_b, {
-        user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
-          args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
-            branch = "main"
-          })
-        })
-        tags = merge(local.database_b.tags, {
-          description                             = "t2 ${local.application_name} database"
-          "${local.application_name}-environment" = "t2"
-        })
-      })
+      # "t2-${local.application_name}-db-b" = merge(local.database_b, {
+      #   user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
+      #     args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
+      #       branch = "main"
+      #     })
+      #   })
+      #   tags = merge(local.database_b.tags, {
+      #     description                             = "t2 ${local.application_name} database"
+      #     "${local.application_name}-environment" = "t2"
+      #   })
+      # })
 
       ##
       ## T1
@@ -420,7 +429,6 @@ locals {
       }
     }
 
-
     # The following zones can be found on azure:
     # az.justice.gov.uk
     # oasys.service.justice.gov.uk

diff --git a/terraform/modules/baseline/ec2_autoscaling_group.tf b/terraform/modules/baseline/ec2_autoscaling_group.tf
@@ -15,7 +15,7 @@ module "ec2_autoscaling_group" {
 
   for_each = var.ec2_autoscaling_groups
 
-  source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.2.0"
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.3.0"
 
   providers = {
     aws.core-vpc = aws.core-vpc
@@ -47,6 +47,7 @@ module "ec2_autoscaling_group" {
   user_data_raw                 = each.value.config.user_data_raw
   user_data_cloud_init          = each.value.user_data_cloud_init
   ssm_parameters_prefix         = each.value.config.ssm_parameters_prefix
+  secretsmanager_secrets_prefix = each.value.config.secretsmanager_secrets_prefix
   iam_resource_names_prefix     = each.value.config.iam_resource_names_prefix
 
   # add KMS Key Ids if they are referenced by name
@@ -59,6 +60,12 @@ module "ec2_autoscaling_group" {
     )
   }
 
+  secretsmanager_secrets = each.value.secretsmanager_secrets == null ? {} : {
+    for key, value in each.value.secretsmanager_secrets : key => merge(value,
+      value.kms_key_id == null ? { kms_key_id = null } : { kms_key_id = try(var.environment.kms_keys[value.kms_key_id].arn, value.kms_key_id) }
+    )
+  }
+
   # either reference policies created by this module by using the name, e.g.
   # "BusinessUnitKmsCmkPolicy", or pass in policy ARNs from outside module
   # directly.

diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf
@@ -849,7 +849,7 @@ variable "secretsmanager_secrets" {
   #   my_db1_1 = local.my_database_secrets
   #   my_db2_2 = local.my_database_secrets
   # }
-  # Will create SSM params as follows
+  # Will create secretsmanager secrets as follows
   # /database/my_db1_1/asm_password
   # /database/my_db1_1/sys_password
   # /database/my_db2_2/asm_password