add secretmanager secrets

ministryofjustice · Oct 13, 2023 · 555bec8 · 555bec8
1 parent 8b00859
commit 555bec8
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 7 deletions.
diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf
@@ -99,12 +99,6 @@ locals {
     }
   }
 
-  database_ssm_parameters = {
-    parameters = {
-      passwords = { description = "database passwords" }
-    }
-  }
-
   database_a = {
     config = merge(module.baseline_presets.ec2_instance.config.db, {
       ami_name          = "oasys_oracle_db_release_2023-06-26T10-16-03.670Z"
@@ -250,4 +244,4 @@ locals {
   })
 
   public_key_data = jsondecode(file("./files/bastion_linux.json"))
-}
+}
diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf
@@ -0,0 +1,52 @@
+locals {
+
+  database_ssm_parameters = {
+    parameters = {
+      passwords = { description = "database passwords" }
+    }
+  }
+
+  share_secret_principal_ids_db = [
+    "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+  ]
+
+
+  secret_policy_write_db = {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:PutSecretValue",
+    ]
+    principals = {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+      ]
+    }
+    resources = ["*"]
+  }
+  secret_policy_read_db = {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    principals = {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+      ]
+    }
+    resources = ["*"]
+  }
+
+
+  secretsmanager_secrets_db = {
+    policy = [
+      local.secret_policy_read_db,
+      local.secret_policy_write_db,
+    ]
+    secrets = {
+      passwords = {}
+    }
+  }
+
+}
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
@@ -27,6 +27,23 @@ locals {
       "/oracle/database/T2ONRAUD" = local.database_ssm_parameters
       "/oracle/database/T2ONRBDS" = local.database_ssm_parameters
     }
+    baseline_secretsmanager_secrets = {
+      "/oracle/database/T1OASYS"  = local.secretsmanager_secrets_db
+      "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db
+      "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db
+      "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db
+      "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db
+
+      "/oracle/database/T2OASYS"  = local.secretsmanager_secrets_db
+      "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db
+      "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db
+      "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db
+      "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db
+    }
 
     baseline_ec2_instances = {
       ##

diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf
@@ -83,4 +83,5 @@ module "baseline" {
   s3_buckets             = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {}))
   security_groups        = local.baseline_security_groups
   ssm_parameters         = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {}))
+  secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets,  lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {}))
 }