From 555bec855d0de6dc3a2aa957533b15f2567d2fcc Mon Sep 17 00:00:00 2001
From: wullub
Date: Fri, 13 Oct 2023 14:00:27 +0100
Subject: [PATCH] add secretmanager secrets

add secretmanager secrets
---
 terraform/environments/oasys/locals.tf | 8 +--
 .../environments/oasys/locals_secrets.tf | 52 +++++++++++++++++++
 terraform/environments/oasys/locals_test.tf | 17 ++++++
 terraform/environments/oasys/main.tf | 1 +
 4 files changed, 71 insertions(+), 7 deletions(-)
 create mode 100644 terraform/environments/oasys/locals_secrets.tf

diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf
index 7d9cc7e7e22..5a46bdd627b 100644
--- a/terraform/environments/oasys/locals.tf
+++ b/terraform/environments/oasys/locals.tf
@@ -99,12 +99,6 @@ locals {
 }
 }
 
- database_ssm_parameters = {
- parameters = {
- passwords = { description = "database passwords" }
- }
- }
-
 database_a = {
 config = merge(module.baseline_presets.ec2_instance.config.db, {
 ami_name = "oasys_oracle_db_release_2023-06-26T10-16-03.670Z"
@@ -250,4 +244,4 @@ locals {
 })
 public_key_data = jsondecode(file("./files/bastion_linux.json"))
-}
+}
\ No newline at end of file
diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf
new file mode 100644
index 00000000000..8e1f25ecf0a
--- /dev/null
+++ b/terraform/environments/oasys/locals_secrets.tf
@@ -0,0 +1,52 @@
+locals {
+
+ database_ssm_parameters = {
+ parameters = {
+ passwords = { description = "database passwords" }
+ }
+ }
+
+ share_secret_principal_ids_db = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+
+
+ secret_policy_write_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:PutSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+ secret_policy_read_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+
+
+ secretsmanager_secrets_db = {
+ policy = [
+ local.secret_policy_read_db,
+ local.secret_policy_write_db,
+ ]
+ secrets = {
+ passwords = {}
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 7a6e6735355..1a3c7e3655c 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
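Review bot: The `identifiers` entries in `secret_policy_write_db` and `secret_policy_read_db` put a partial wildcard inside a principal ARN (`role/ec2-database-*`); AWS does not accept wildcards within an ARN in the `Principal` element of a resource-based policy, so unless the baseline module rewrites these into a condition, the generated secret policies are likely to be rejected as malformed rather than silently over-granting. The accepted shape is a principal of `identifiers = ["*"]` restricted by a `StringLike` condition on `aws:PrincipalArn` with the `arn:aws:iam::${local.account_id}:role/ec2-database-*` pattern; check whether the module's `policy` object accepts a condition before relying on this. `share_secret_principal_ids_db` holds the same ARN but is not referenced anywhere in this patch, so either it is a leftover or the two policies should read `identifiers = local.share_secret_principal_ids_db` to keep the three copies in sync. Since `PutSecretValue` and `GetSecretValue` are granted to the same role pattern, every `ec2-database-*` instance can overwrite every database password; a one-line comment on `secretsmanager_secrets_db` stating that write access from the instances is intentional would save the next reviewer the question.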
@@ -27,6 +27,23 @@ locals {
 "/oracle/database/T2ONRAUD" = local.database_ssm_parameters
 "/oracle/database/T2ONRBDS" = local.database_ssm_parameters
 }
+ baseline_secretsmanager_secrets = {
+ "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db
+ "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db
+ "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db
+ "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db
+ "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db
+ "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db
+ "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db
+
+ "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db
+ "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db
+ "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db
+ "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db
+ "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db
+ "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db
+ "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db
+ }
 baseline_ec2_instances = {
 ##
diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf
index c4c1519acb9..399144b9833 100644
--- a/terraform/environments/oasys/main.tf
+++ b/terraform/environments/oasys/main.tf
@@ -83,4 +83,5 @@ module "baseline" {
 s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {}))
 security_groups = local.baseline_security_groups
 ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {}))
+ secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {}))
 }
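Review bot: The fourteen entries of `baseline_secretsmanager_secrets` repeat, key for key, the database paths of the `baseline_ssm_parameters` map directly above them, so the two maps will drift the first time a database is added to one and not the other. A `for` expression over a single list of database names, e.g. `baseline_secretsmanager_secrets = { for db in local.database_names : "/oracle/database/${db}" => local.secretsmanager_secrets_db }` with `database_names` as a new list local holding the T1/T2 names, would let both maps share one source; the same expression form would serve the ssm map. The enclosing `locals` block starts and ends outside this hunk, so where that list local lives is not visible here.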
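Review bot: The new `secretsmanager_secrets` argument looks up `local.baseline_environment_config`, while the sibling `s3_buckets` and `ssm_parameters` lines read `local.environment_config`; unless `baseline_environment_config` is defined elsewhere in the environment, this will not validate, and even if it is, the two names selecting per-environment config side by side is confusing. The change in locals_test.tf places `baseline_secretsmanager_secrets` next to `baseline_ssm_parameters` inside what the sibling lines treat as the environment config map, so the direct `local.baseline_secretsmanager_secrets` reference also depends on a top-level local that this patch does not add; confirm it exists. If the intent is to mirror the ssm line, `secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.environment_config, "baseline_secretsmanager_secrets", {}))` is the consistent form. The `module "baseline"` block starts outside this hunk.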