From b2d09e5cebf20ff9546bef43769330db2eb58ab7 Mon Sep 17 00:00:00 2001
From: Prem Basumatary
Date: Tue, 28 May 2024 11:11:16 +0100
Subject: [PATCH] NIT-1267 rebuild test db
---
 .../delius-core/locals_development.tf | 1 +
 .../environments/delius-core/locals_test.tf | 3 +-
 .../components/oracle_db_shared/iam.tf | 9 ++-
 .../components/oracle_db_shared/secrets.tf | 36 -----------
 .../modules/delius_environment/database.tf | 64 ++++++++++++++++++-
 .../modules/delius_environment/locals.tf | 6 ++
 .../modules/delius_environment/variables.tf | 6 ++
 7 files changed, 82 insertions(+), 43 deletions(-)
diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf
index 182910e1577..1a880cad447 100644
--- a/terraform/environments/delius-core/locals_development.tf
+++ b/terraform/environments/delius-core/locals_development.tf
@@ -13,6 +13,7 @@ locals {
 legacy_engineering_vpc_cidr = "10.161.98.0/25"
 ec2_user_ssh_key = file("${path.module}/files/.ssh/${terraform.workspace}/ec2-user.pub")
 homepage_path = "/"
+ has_mis_environment = true
 }
 
 ldap_config_dev = {
diff --git a/terraform/environments/delius-core/locals_test.tf b/terraform/environments/delius-core/locals_test.tf
index 9e8a9bdf373..6aaf2406af4 100644
--- a/terraform/environments/delius-core/locals_test.tf
+++ b/terraform/environments/delius-core/locals_test.tf
@@ -13,6 +13,7 @@ locals {
 legacy_engineering_vpc_cidr = "10.161.98.0/25"
 ec2_user_ssh_key = file("${path.module}/files/.ssh/${terraform.workspace}/ec2-user.pub")
 homepage_path = "/"
+ has_mis_environment = false
 }
 
 ldap_config_test = {
@@ -34,7 +35,7 @@ locals {
 instance_policies = {
 "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access
 }
- standby_count = 0
+ standby_count = 0
 ebs_volumes = {
 "/dev/sdb" = { label = "app", size = 200 } # /u01
 "/dev/sdc" = { label = "app", size = 100 } # /u02
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
index 684900a0ee2..295079c18ac 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
@@ -151,17 +151,16 @@ data "aws_iam_policy_document" "db_access_to_secrets_manager" {
 ]
 effect = "Allow"
 resources = [
- aws_secretsmanager_secret.delius_core_dba_passwords.arn,
- aws_secretsmanager_secret.delius_core_application_passwords.arn
+ aws_secretsmanager_secret.delius_core_dba_passwords.arn
 ]
 }
 }
 
 data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
 statement {
- sid = "DbAccessToDeliusSecretsManager"
+ sid = "DbAccessToDeliusSecretsManager"
 actions = ["secretsmanager:GetSecretValue"]
- effect = "Allow"
+ effect = "Allow"
 resources = [
 "arn:aws:secretsmanager:*:${local.delius_account_id}:secret:delius-core-${var.env_name}-oracle-db-application-passwords-*"
 ]
@@ -171,7 +170,7 @@ data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
 data "aws_iam_policy_document" "combined_policy_documents" {
 source_policy_documents = flatten([
 data.aws_iam_policy_document.db_access_to_secrets_manager.json,
- var.db_suffix == "mis-db" ? [data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json] : []])
+ var.db_suffix == "mis-db" ? [data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json] : []])
 }
 
 resource "aws_iam_policy" "db_access_to_secrets_manager" {
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
index 5f80e7d7a81..52913046737 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
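Review bot: Removing `aws_secretsmanager_secret.delius_core_application_passwords.arn` from the `resources` list of `db_access_to_secrets_manager` leaves `allow_access_to_delius_application_passwords` as the only grant on the application-passwords secret in this module, and that statement is only merged into `combined_policy_documents` when `var.db_suffix == "mis-db"`. Database hosts built with any other suffix therefore lose access to that secret from this module; if the delius-core database hosts still need it, the replacement `db_access_to_secrets_manager` policy document that this commit declares in `delius_environment/database.tf` has to be attached to their instance role, and I cannot see that attachment in this patch. A comment above the `resources` list such as `# application-passwords access for non-MIS hosts is now granted in delius_environment/database.tf` would record where the grant moved. The remaining lines in both hunks are alignment-only changes, which are easier to review in a separate `terraform fmt` commit. The `db_access_to_secrets_manager` statement itself begins outside the hunk.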
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
@@ -32,39 +32,3 @@ resource "aws_secretsmanager_secret_version" "delius_core_dba_passwords" {
 ]
 }
 }
-
-resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
- name = local.application_secret_name
- description = "Application Users Credentials"
- kms_key_id = var.account_config.kms_keys.general_shared
- tags = var.tags
-}
-
-data "aws_iam_policy_document" "delius_core_application_passwords" {
- statement {
- sid = "MisAWSAccountToReadTheSecret"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
- }
- actions = ["secretsmanager:GetSecretValue"]
- resources = [aws_secretsmanager_secret.delius_core_application_passwords.arn]
- }
-}
-
-resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords" {
- count = var.account_info.application_name == "delius-core" ? 1 : 0
- secret_arn = aws_secretsmanager_secret.delius_core_application_passwords.arn
- policy = data.aws_iam_policy_document.delius_core_application_passwords.json
-}
-
-resource "aws_secretsmanager_secret_version" "delius_core_application_passwords" {
- secret_id = aws_secretsmanager_secret.delius_core_application_passwords.id
- secret_string = "REPLACE"
- lifecycle {
- ignore_changes = [
- secret_string
- ]
- }
-}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/delius_environment/database.tf b/terraform/environments/delius-core/modules/delius_environment/database.tf
index a1060c06dff..8b01613124a 100644
--- a/terraform/environments/delius-core/modules/delius_environment/database.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/database.tf
@@ -104,7 +104,7 @@ module "oracle_db_standby" {
 environment_config = var.environment_config
 subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary)) % 3]
 availability_zone = "eu-west-2${lookup(local.availability_zone_map, (count.index + length(module.oracle_db_primary)) % 3, "a")}"
- tags = merge(local.tags, { "Patch Group" = "oracle_db_patchgroup" })
+ tags = merge(local.tags, { "Patch Group" = "oracle_db_patchgroup" })
 user_data = templatefile(
 "${path.module}/templates/userdata.sh.tftpl",
 var.db_config.ansible_user_data_config
@@ -120,3 +120,65 @@ module "oracle_db_standby" {
 aws.core-vpc = aws.core-vpc
 }
 }
+
+resource "aws_secretsmanager_secret" "delius_core_application_passwords_secret" {
+ count = local.has_mis_environment ? 1 : 0
+
+ name = local.application_secret_name
+ description = "Application Users Credentials"
+ kms_key_id = var.account_config.kms_keys.general_shared
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "delius_core_application_passwords_policy_doc" {
+
+ count = local.has_mis_environment ? 1 : 0
+ statement {
+ sid = "MisAWSAccountToReadTheSecret"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
+ }
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = [aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn]
+ }
+}
+
+resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords_pol" {
+ count = local.has_mis_environment ? 1 : 0
+
+ secret_arn = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
+ policy = data.aws_iam_policy_document.delius_core_application_passwords_policy_doc[count.index].json
+}
+
+resource "aws_secretsmanager_secret_version" "delius_core_application_passwords" {
+ count = local.has_mis_environment ? 1 : 0
+
+ secret_id = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].id
+ secret_string = "REPLACE"
+ lifecycle {
+ ignore_changes = [
+ secret_string
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "db_access_to_secrets_manager" {
+ count = local.has_mis_environment ? 1 : 0
+ statement {
+ sid = "DbAccessToSecretsManager"
+ actions = [
+ "secretsmanager:Describe*",
+ "secretsmanager:Get*",
+ "secretsmanager:ListSecret*",
+ "secretsmanager:Put*",
+ "secretsmanager:RestoreSecret",
+ "secretsmanager:Update*"
+ ]
+ effect = "Allow"
+ resources = [
+ aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
+ ]
+ }
+}
diff --git a/terraform/environments/delius-core/modules/delius_environment/locals.tf b/terraform/environments/delius-core/modules/delius_environment/locals.tf
index c02f03d49e5..333ae85c623 100644
--- a/terraform/environments/delius-core/modules/delius_environment/locals.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/locals.tf
@@ -37,4 +37,10 @@ locals {
 "217.138.45.110/32", # Unilink AOVPN
 ]
 all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
+
+ secret_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}"
+ application_secret_name = "${local.secret_prefix}-application-passwords"
+ mis_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-mis", var.account_info.mp_environment])]
+
+ has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
 }
diff --git a/terraform/environments/delius-core/modules/delius_environment/variables.tf b/terraform/environments/delius-core/modules/delius_environment/variables.tf
index cd284548bd6..8f628c79f29 100644
--- a/terraform/environments/delius-core/modules/delius_environment/variables.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/variables.tf
@@ -106,3 +106,9 @@ variable "enable_platform_backups" {
 type = bool
 default = null
 }
+
+variable "db_suffix" {
+ description = "identifier to append to name e.g. dsd, boe"
+ type = string
+ default = "db"
+}
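Review bot: `data "aws_iam_policy_document" "db_access_to_secrets_manager"` at the end of the hunk is declared but nothing in this patch reads its `.json`, so unless an `aws_iam_policy` elsewhere in the module consumes it the grant is never created and the block is dead configuration. Its statement also allows `secretsmanager:Put*`, `secretsmanager:Update*` and `secretsmanager:RestoreSecret` on the application-passwords secret; if the database host only needs to read those credentials, `Describe*`, `Get*` and `ListSecret*` are enough and the write actions should be dropped, otherwise a comment stating why the host must rotate the secret would justify them. The `aws_secretsmanager_secret_policy` block no longer carries the `var.account_info.application_name == "delius-core"` guard that the deleted `secrets.tf` version had, so the cross-account resource policy is now attached in any account where `has_mis_environment` is true; confirm that is intended. The secret is tagged with `tags = var.tags` while the `oracle_db_standby` module block just above uses `local.tags`, so `tags = local.tags` is the consistent choice if `var.tags` is not a declared variable of this module.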
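Review bot: `mis_account_id` indexes `account_ids` with `[...]` rather than `lookup`, so in an environment whose `account_ids` map has no `delius-mis-<mp_environment>` entry the plan fails with an invalid-index error even when `has_mis_environment` is false, since locals are evaluated whether or not the `count = 0` resources that reference them exist. `mis_account_id = lookup(var.platform_vars.environment_management.account_ids, join("-", ["delius-mis", var.account_info.mp_environment]), null)` keeps the missing-account case at a plan-time null, matching the defaulted `lookup` already used for `has_mis_environment` two lines below. A comment on `has_mis_environment` such as `# per-environment switch; set alongside the other environment settings in locals_development.tf / locals_test.tf` would make the flag discoverable, as those two files are where this commit sets it and the map they set it in is presumably what arrives here as `var.environment_config`.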