From 555bec855d0de6dc3a2aa957533b15f2567d2fcc Mon Sep 17 00:00:00 2001 From: wullub Date: Fri, 13 Oct 2023 14:00:27 +0100 Subject: [PATCH 01/24] add secretmanager secrets add secretmanager secrets --- terraform/environments/oasys/locals.tf | 8 +-- .../environments/oasys/locals_secrets.tf | 52 +++++++++++++++++++ terraform/environments/oasys/locals_test.tf | 17 ++++++ terraform/environments/oasys/main.tf | 1 + 4 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 terraform/environments/oasys/locals_secrets.tf diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 7d9cc7e7e22..5a46bdd627b 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -99,12 +99,6 @@ locals { } } - database_ssm_parameters = { - parameters = { - passwords = { description = "database passwords" } - } - } - database_a = { config = merge(module.baseline_presets.ec2_instance.config.db, { ami_name = "oasys_oracle_db_release_2023-06-26T10-16-03.670Z" @@ -250,4 +244,4 @@ locals { }) public_key_data = jsondecode(file("./files/bastion_linux.json")) -} +} \ No newline at end of file diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf new file mode 100644 index 00000000000..8e1f25ecf0a --- /dev/null +++ b/terraform/environments/oasys/locals_secrets.tf 
@@ -0,0 +1,52 @@
+locals {
+
+ database_ssm_parameters = {
+ parameters = {
+ passwords = { description = "database passwords" }
+ }
+ }
+
+ share_secret_principal_ids_db = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+
+
+ secret_policy_write_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:PutSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+ secret_policy_read_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+
+
+ secretsmanager_secrets_db = {
+ policy = [
+ local.secret_policy_read_db,
+ local.secret_policy_write_db,
+ ]
+ secrets = {
+ passwords = {}
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 7a6e6735355..1a3c7e3655c 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
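Review bot: The `identifiers` in both `secret_policy_write_db` and `secret_policy_read_db` use a wildcard role ARN, `arn:aws:iam::…:role/ec2-database-*`, and a resource policy's `Principal` element does not accept wildcards inside an ARN (only a bare `"*"`), so this policy will be rejected at apply time — which may be why later patches in this series comment the policy out. The working shape is `type = "AWS"`, `identifiers = ["*"]` together with an `ArnLike` condition on `aws:PrincipalArn` carrying the role pattern, assuming the baseline module's policy object accepts a condition key (its schema is not visible here). Separately, every `ec2-database-*` role is granted both `GetSecretValue` and `PutSecretValue` on every database's secret, so a compromised DB host can read or overwrite another database's passwords; scope the principal per instance or at least drop the write grant for hosts that do not set their own passwords. `share_secret_principal_ids_db` is defined but not referenced by either policy. The same hunk is repeated verbatim in PATCH 04/24.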
@@ -27,6 +27,23 @@ locals { "/oracle/database/T2ONRAUD" = local.database_ssm_parameters "/oracle/database/T2ONRBDS" = local.database_ssm_parameters } + baseline_secretsmanager_secrets = { + "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db + + "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db + } baseline_ec2_instances = { ## diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf index c4c1519acb9..399144b9833 100644 --- a/terraform/environments/oasys/main.tf +++ b/terraform/environments/oasys/main.tf @@ -83,4 +83,5 @@ module "baseline" { s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {})) security_groups = local.baseline_security_groups ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {})) + secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {})) } From a2fd8db0540e69d887b7dddc74ff0509fafb8d77 Mon Sep 17 00:00:00 2001 
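Review bot: Each `/oracle/database/T1…` and `T2…` key is now registered both as an SSM parameter (`local.database_ssm_parameters`, the lines just above) and as a Secrets Manager secret, so the same database passwords will live in two stores with two access paths and two rotation points, and nothing in this series retires the SSM side. If this is a migration, say so next to the new map, e.g. `# passwords are moving from SSM Parameter Store to Secrets Manager; remove the matching ssm_parameters entries once the instances read from secretsmanager`, and track the removal; otherwise document which store is authoritative. The `locals` block containing this map starts and ends outside the hunk.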
From: wullub Date: Fri, 13 Oct 2023 14:05:40 +0100 Subject: [PATCH 02/24] Update locals.tf --- terraform/environments/oasys/locals.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 5a46bdd627b..3613ea30bbd 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -243,5 +243,7 @@ locals { }) }) + baseline_secretsmanager_secrets = {} + public_key_data = jsondecode(file("./files/bastion_linux.json")) } \ No newline at end of file From e0e80b7f35ccf7d4de78ba9143902771a0e043f0 Mon Sep 17 00:00:00 2001 From: wullub Date: Fri, 13 Oct 2023 14:09:28 +0100 Subject: [PATCH 03/24] Update main.tf --- terraform/environments/oasys/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf index 399144b9833..081e51844ee 100644 --- a/terraform/environments/oasys/main.tf +++ b/terraform/environments/oasys/main.tf @@ -83,5 +83,5 @@ module "baseline" { s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {})) security_groups = local.baseline_security_groups ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {})) - secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {})) + secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.environment_config, "baseline_secretsmanager_secrets", {})) } From 22ecdd6f9460d1ad6f72187091bf73b5dcb81184 Mon Sep 17 00:00:00 2001 
From: wullub Date: Fri, 13 Oct 2023 14:00:27 +0100 Subject: [PATCH 04/24] add secretmanager secrets add secretmanager secrets --- terraform/environments/oasys/locals.tf | 8 +-- .../environments/oasys/locals_secrets.tf | 52 +++++++++++++++++++ terraform/environments/oasys/locals_test.tf | 17 ++++++ terraform/environments/oasys/main.tf | 1 + 4 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 terraform/environments/oasys/locals_secrets.tf diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 7d9cc7e7e22..5a46bdd627b 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -99,12 +99,6 @@ locals { } } - database_ssm_parameters = { - parameters = { - passwords = { description = "database passwords" } - } - } - database_a = { config = merge(module.baseline_presets.ec2_instance.config.db, { ami_name = "oasys_oracle_db_release_2023-06-26T10-16-03.670Z" @@ -250,4 +244,4 @@ locals { }) public_key_data = jsondecode(file("./files/bastion_linux.json")) -} +} \ No newline at end of file diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf new file mode 100644 index 00000000000..8e1f25ecf0a --- /dev/null +++ b/terraform/environments/oasys/locals_secrets.tf 
@@ -0,0 +1,52 @@
+locals {
+
+ database_ssm_parameters = {
+ parameters = {
+ passwords = { description = "database passwords" }
+ }
+ }
+
+ share_secret_principal_ids_db = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+
+
+ secret_policy_write_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:PutSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+ secret_policy_read_db = {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.account_id}:role/ec2-database-*"
+ ]
+ }
+ resources = ["*"]
+ }
+
+
+ secretsmanager_secrets_db = {
+ policy = [
+ local.secret_policy_read_db,
+ local.secret_policy_write_db,
+ ]
+ secrets = {
+ passwords = {}
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 7a6e6735355..1a3c7e3655c 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -27,6 +27,23 @@ locals { "/oracle/database/T2ONRAUD" = local.database_ssm_parameters "/oracle/database/T2ONRBDS" = local.database_ssm_parameters } + baseline_secretsmanager_secrets = { + "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db + + "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db + } baseline_ec2_instances = { ## diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf index c4c1519acb9..399144b9833 100644 --- a/terraform/environments/oasys/main.tf +++ b/terraform/environments/oasys/main.tf @@ -83,4 +83,5 @@ module "baseline" { s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {})) security_groups = local.baseline_security_groups ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {})) + secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {})) } From dc7c89fbddcaec3de75a1698ec0980da5a23371d Mon Sep 17 00:00:00 2001 
From: wullub Date: Fri, 13 Oct 2023 14:05:40 +0100 Subject: [PATCH 05/24] Update locals.tf --- terraform/environments/oasys/locals.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 5a46bdd627b..3613ea30bbd 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -243,5 +243,7 @@ locals { }) }) + baseline_secretsmanager_secrets = {} + public_key_data = jsondecode(file("./files/bastion_linux.json")) } \ No newline at end of file From c3515d560769120ac26fe606f20c207ba115bfdb Mon Sep 17 00:00:00 2001 From: wullub Date: Fri, 13 Oct 2023 14:09:28 +0100 Subject: [PATCH 06/24] Update main.tf --- terraform/environments/oasys/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf index 399144b9833..081e51844ee 100644 --- a/terraform/environments/oasys/main.tf +++ b/terraform/environments/oasys/main.tf @@ -83,5 +83,5 @@ module "baseline" { s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {})) security_groups = local.baseline_security_groups ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {})) - secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {})) + secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.environment_config, "baseline_secretsmanager_secrets", {})) } From 7d6a5c3e2f98305a6e4338f427b5b260ce4e84eb Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 16 Oct 2023 15:19:35 +0100 Subject: [PATCH 07/24] Update variables.tf --- terraform/modules/baseline/variables.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index 3907ff763e7..63d48c67f4b 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -901,6 +901,7 @@ variable "secretsmanager_secrets" { })) })) default = {} + sensitive = false } variable "security_groups" { From b5e5b72f4a08538fec77fe3ebe04fe1a9e23406e Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 16 Oct 2023 15:43:07 +0100 Subject: [PATCH 08/24] .. --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- terraform/modules/baseline/variables.tf | 1 - 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 1a3c7e3655c..2c6b0804305 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -28,21 +28,21 @@ locals { "/oracle/database/T2ONRBDS" = local.database_ssm_parameters } baseline_secretsmanager_secrets = { - "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db - "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db - "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db - "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db - "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db - "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db - "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db + # "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db + # "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db + # "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db + # "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db + # "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db + # "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db + # "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db - "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db - "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db - "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db - "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db - "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db - "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db - "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db + # "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db + # "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db + # "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db + # "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db + # "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db + # "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db + # "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db } baseline_ec2_instances = { 
diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index 63d48c67f4b..3907ff763e7 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -901,7 +901,6 @@ variable "secretsmanager_secrets" { })) })) default = {} - sensitive = false } variable "security_groups" { From 707491389cbe4400a7d39952dc8b42039f6517ca Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 16 Oct 2023 15:52:39 +0100 Subject: [PATCH 09/24] Update locals.tf --- terraform/environments/oasys/locals.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 3613ea30bbd..bb72963e237 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -221,7 +221,9 @@ locals { cloudwatch_metric_alarms = {} user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags autoscaling_schedules = module.baseline_presets.ec2_autoscaling_schedules.working_hours - autoscaling_group = module.baseline_presets.ec2_autoscaling_group.default + autoscaling_group = merge(module.baseline_presets.ec2_autoscaling_group.default, { + desired_capacity = 2 + }) lb_target_groups = {} tags = { backup = "false" # opt out of mod platform default backup plan From d9de45d6d7396cb918d631cdb298f787a7e3623c Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 16 Oct 2023 16:00:20 +0100 Subject: [PATCH 10/24] Update locals.tf --- terraform/environments/oasys/locals.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index bb72963e237..09a1558e059 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf 
@@ -223,6 +223,7 @@ locals { autoscaling_schedules = module.baseline_presets.ec2_autoscaling_schedules.working_hours autoscaling_group = merge(module.baseline_presets.ec2_autoscaling_group.default, { desired_capacity = 2 + max_size = 2 }) lb_target_groups = {} tags = { From 78584fbaf2c22c6498c9c70a37632d961a0d133b Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 10:08:01 +0100 Subject: [PATCH 11/24] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 2c6b0804305..9ea020ae9a1 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -28,7 +28,7 @@ locals { "/oracle/database/T2ONRBDS" = local.database_ssm_parameters } baseline_secretsmanager_secrets = { - # "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db # "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db # "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db # "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db From cd4469b2cc35822931590c0cfeb709d5c8b4e4c5 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 11:23:17 +0100 Subject: [PATCH 12/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index 8e1f25ecf0a..56279a08de3 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -41,8 +41,8 @@ locals { secretsmanager_secrets_db = { policy = [ - local.secret_policy_read_db, - local.secret_policy_write_db, + # local.secret_policy_read_db, + # local.secret_policy_write_db, ] secrets = { passwords = {} 
From ab74f422400f99cc9dc2742944090821e4f2c970 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 11:35:52 +0100 Subject: [PATCH 13/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index 56279a08de3..a38baeff545 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -7,7 +7,7 @@ locals { } share_secret_principal_ids_db = [ - "arn:aws:iam::${local.account_id}:role/ec2-database-*" + "arn:aws:iam::${module.environment.account_id}:role/ec2-database-*" ] @@ -41,8 +41,8 @@ locals { secretsmanager_secrets_db = { policy = [ - # local.secret_policy_read_db, - # local.secret_policy_write_db, + local.secret_policy_read_db, + local.secret_policy_write_db, ] secrets = { passwords = {} From 6c294cf6dc0a6322e2c9573e6e0dc58194695cf6 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 11:36:37 +0100 Subject: [PATCH 14/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index a38baeff545..e6f18d1a2cc 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -19,7 +19,7 @@ locals { principals = { type = "AWS" identifiers = [ - "arn:aws:iam::${local.account_id}:role/ec2-database-*" + "arn:aws:iam::${module.environment.account_id}:role/ec2-database-*" ] } resources = ["*"] @@ -32,7 +32,7 @@ locals { principals = { type = "AWS" identifiers = [ - "arn:aws:iam::${local.account_id}:role/ec2-database-*" + "arn:aws:iam::${module.environment.account_id}:role/ec2-database-*" ] } resources = ["*"] From 06af78ba82bcf66d49999622ec1241a88bca29eb Mon Sep 17 00:00:00 2001 
From: W Date: Tue, 17 Oct 2023 11:39:17 +0100 Subject: [PATCH 15/24] Update locals.tf --- terraform/environments/oasys/locals.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 09a1558e059..6fcb3aa1aae 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -22,7 +22,6 @@ locals { production = local.production_config } - account_id = local.environment_management.account_ids[terraform.workspace] environment_config = local.accounts[local.environment] region = "eu-west-2" From 04038bdcb7d1d20ae1bf336278d74e6e1c84b862 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 12:07:37 +0100 Subject: [PATCH 16/24] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 26 ++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 9ea020ae9a1..1a3c7e3655c 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -29,20 +29,20 @@ locals { } baseline_secretsmanager_secrets = { "/oracle/database/T1OASYS" = local.secretsmanager_secrets_db - # "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db - # "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db - # "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db - # "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db - # "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db - # "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db + "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db - # "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db - # "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db - # "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db - # "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db - # "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db - # "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db - # "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db + "/oracle/database/T2OASYS" = local.secretsmanager_secrets_db + "/oracle/database/T2OASREP" = local.secretsmanager_secrets_db + "/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db + "/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db + "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db } baseline_ec2_instances = { From 1e7e9b91be2471138d5936f75918aa6536f3e772 Mon Sep 17 00:00:00 2001 
From: W Date: Tue, 17 Oct 2023 12:33:30 +0100 Subject: [PATCH 17/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index e6f18d1a2cc..b0e8a3b7373 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -41,8 +41,8 @@ locals { secretsmanager_secrets_db = { policy = [ - local.secret_policy_read_db, - local.secret_policy_write_db, + # local.secret_policy_read_db, + # local.secret_policy_write_db, ] secrets = { passwords = {} From 4556764ac0ef370d02e2399b45b65b6081510328 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 13:15:46 +0100 Subject: [PATCH 18/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index b0e8a3b7373..82acd7aa2d7 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -40,13 +40,13 @@ locals { secretsmanager_secrets_db = { - policy = [ - # local.secret_policy_read_db, - # local.secret_policy_write_db, - ] - secrets = { - passwords = {} - } + # policy = [ + # # local.secret_policy_read_db, + # # local.secret_policy_write_db, + # ] + # secrets = { + # passwords = {} + # } } } \ No newline at end of file From 37d8653766370ee9dddb23ba50f1ba5ffe85dc7f Mon Sep 17 00:00:00 2001 From: W Date: Tue, 17 Oct 2023 13:48:02 +0100 Subject: [PATCH 19/24] Update locals_secrets.tf --- terraform/environments/oasys/locals_secrets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index 82acd7aa2d7..07f4a76bd0e 100644 
--- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -44,9 +44,9 @@ locals { # # local.secret_policy_read_db, # # local.secret_policy_write_db, # ] - # secrets = { - # passwords = {} - # } + secrets = { + passwords = {} + } } } \ No newline at end of file From 23e4573f5b9e66922db6132533cbd167009ab35e Mon Sep 17 00:00:00 2001 From: W Date: Wed, 18 Oct 2023 13:27:55 +0100 Subject: [PATCH 20/24] Update locals_security_groups.tf --- terraform/environments/oasys/locals_security_groups.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_security_groups.tf b/terraform/environments/oasys/locals_security_groups.tf index 4d92aee40ba..0668c2b6ca6 100644 --- a/terraform/environments/oasys/locals_security_groups.tf +++ b/terraform/environments/oasys/locals_security_groups.tf @@ -256,7 +256,7 @@ locals { cidr_blocks = local.security_group_cidrs.oracle_db security_groups = [ "private_lb", - # "private-jumpserver", + "bip", # "private-web", # "bastion-linux", ] From 4da48a22dea6df005ef8894fec3854cd05739de2 Mon Sep 17 00:00:00 2001 From: W Date: Wed, 18 Oct 2023 15:04:15 +0100 Subject: [PATCH 21/24] Create putsecret-ssm-parameters.sh --- .../nomis/scripts/putsecret-ssm-parameters.sh | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh diff --git a/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh b/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh new file mode 100644 index 00000000000..105c873d8ed --- /dev/null +++ b/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh 
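Review bot: With `policy` still commented out, the `passwords` secrets are created with no resource policy, so access is governed entirely by the IAM policies attached to whatever reads them; that is acceptable only if the `ec2-database-*` instance roles carry a `secretsmanager:GetSecretValue` grant scoped to these secret ARNs rather than `Resource: "*"`, which is not visible in this series. If the policy was disabled because the apply failed, the likely cause is the wildcard role ARN in `principals.identifiers` (a wildcard is not valid inside `Principal`); fix that rather than leaving the dead block. Either way, remove the commented-out policy lines and the unused `share_secret_principal_ids_db`, or document why they remain, e.g. `# resource policy disabled pending a fix for the wildcard principal; access currently relies on the instance-role IAM policy only`. The `locals` block starts outside the hunk.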
@@ -0,0 +1,63 @@ +#!/bin/bash +# Upload parameters to secretsmanager +# For example, first call describe-ssm-parameters.sh and get-ssm-parameters.sh +# to get existing parameters. Create new parameters as required and add into +# the ssm-parameters/profile.txt file. Then use this script to upload them to secretsmanager + +MODE=safe # force +PROFILE=$1 +PREFIX=$2 + +if [[ -z $PROFILE ]]; then + echo "Usage: $0 []" >&2 + exit 1 +fi + +if [[ ! -e ssm-parameters/$PROFILE.txt ]]; then + echo "Could not find ssm-parameters/$PROFILE.txt" >&2 + exit 1 +fi + +params=$(cat ssm-parameters/$PROFILE.txt | grep -v '^$' | grep "^$PREFIX") + +if [[ $MODE == "force" ]]; then + for param in $params; do + if [[ ! -e ssm-parameters/$PROFILE/$param ]]; then + echo "skipping $param as file does not exist" >&2 + else + value=$(cat ssm-parameters/$PROFILE/$param) + echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2 + fi + done + echo Press RETURN to put-parameters, CTRL-C to cancel + read + + for param in $params; do + if [[ ! -e ssm-parameters/$PROFILE/$param ]]; then + echo "skipping $param as file does not exist" >&2 + else + value=$(cat ssm-parameters/$PROFILE/$param) + echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2 + aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE + fi + done +elif [[ $MODE == "safe" ]]; then + for param in $params; do + if [[ ! 
-e ssm-parameters/$PROFILE/$param ]]; then + echo "skipping $param as file does not exist" >&2 + else + echo aws secretsmanager get-secret-value --secret-id $param --query SecretString --output text --profile $PROFILE >&2 + oldvalue=$(aws secretsmanager get-secret-value --secret-id $param --query SecretString --output text --profile $PROFILE) + newvalue=$(cat ssm-parameters/$PROFILE/$param) + if [[ "$oldvalue" == "$newvalue" ]]; then + echo "No change" + else + echo "Change from $oldvalue to $newvalue" + echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2 + echo Press RETURN to put-parameters, CTRL-C to cancel + read + aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE + fi + fi + done +fi From 93d4a6fac990b2a450f69b42b911ddd4573b8892 Mon Sep 17 00:00:00 2001 From: W Date: Wed, 18 Oct 2023 18:09:33 +0100 Subject: [PATCH 22/24] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 48 +++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 1a3c7e3655c..57c8d88b756 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
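Review bot: The secret values are handed to the AWS CLI on the command line, `--secret-string "$value"`, which makes every database password visible in `ps` and process accounting to any other user on the host for the duration of the call, and the script additionally prints them: the `echo aws secretsmanager put-secret-value …` lines write the value to stderr and `echo "Change from $oldvalue to $newvalue"` writes both old and new to stdout, so they land in terminal scrollback and any session recording. Use `--secret-string "file://ssm-parameters/$PROFILE/$param"` so the value never appears in argv, and report only the secret id when values differ; note `file://` keeps the file's trailing newline whereas `$(cat …)` strips it, so either store the files without one or expect a one-off "change" on the next run. The script also runs without `set -euo pipefail`, so a failed `get-secret-value` (for example a secret that does not yet exist) yields an empty `oldvalue` and the loop proceeds as if it were a legitimate change; the `Usage: $0 []` text has also lost its placeholders, presumably `<profile> [<prefix>]`. The same points apply to the version of these lines produced by PATCH 24/24.

```shell
set -euo pipefail
# … unchanged: MODE/PROFILE/PREFIX, argument checks, params list …
# force mode: pass the value via file:// so it never appears in argv
        echo "aws secretsmanager put-secret-value --secret-id $param --secret-string file://ssm-parameters/$PROFILE/$param --profile $PROFILE" >&2
        aws secretsmanager put-secret-value --secret-id "$param" --secret-string "file://ssm-parameters/$PROFILE/$param" --profile "$PROFILE"
# … unchanged: rest of force-mode loop …
      echo "aws secretsmanager get-secret-value --secret-id $param --profile $PROFILE" >&2
      oldvalue=$(aws secretsmanager get-secret-value --secret-id "$param" --query SecretString --output text --profile "$PROFILE")
      newvalue=$(cat "ssm-parameters/$PROFILE/$param")
      if [[ "$oldvalue" == "$newvalue" ]]; then
        echo "No change for $param"
      else
        # never print the values themselves: they end up in scrollback and session logs
        echo "Value for $param differs from ssm-parameters/$PROFILE/$param"
        echo "Press RETURN to put-secret-value for $param, CTRL-C to cancel"
        read
        aws secretsmanager put-secret-value --secret-id "$param" --secret-string "file://ssm-parameters/$PROFILE/$param" --profile "$PROFILE"
      fi
```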
@@ -43,6 +43,54 @@ locals { "/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db "/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db "/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db + + "/database/t1/T1OASYS" = { + secrets = { + apex_listenerpassword = {} + apex_public_userpassword = {} + apex_rest_publicpassword = {} + } + } + "/database/t2/T2OASYS" = { + secrets = { + apex_listenerpassword = {} + apex_public_userpassword = {} + apex_rest_publicpassword = {} + } + } + "/database/t2-oasys-db-a/T2BIPINF" = { + secrets = { + systempassword = {} + } + } + "/ec2/t1-oasys-db-a" = { + secrets = { + asm-passwords = {} + } + } + "/ec2/t2-oasys-db-a" = { + secrets = { + asm-passwords = {} + } + } + "/weblogic/test-oasys-bip-b" = { + secrets = { + admin_password = {} + admin_username = {} + biplatformpassword = {} + db_username = {} + mdspassword = {} + syspassword = {} + } + } + "" = { + secrets = { + account_ids = {} + ec2-user_pem = {} + environment_management_arn = {} + modernisation_platform_account_id = {} + } + } } baseline_ec2_instances = { From d0013c7ccb5e775ac4b82f7aae4b0866a1dbe143 Mon Sep 17 00:00:00 2001 From: W Date: Wed, 18 Oct 2023 18:21:52 +0100 Subject: [PATCH 23/24] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 57c8d88b756..fe2f388ee87 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -84,6 +84,7 @@ locals { } } "" = { + postfix = "" secrets = { account_ids = {} ec2-user_pem = {} From 34c9a4c08b1243c2ad526398892739cdd241cc21 Mon Sep 17 00:00:00 2001 
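Review bot: The `""` key and its `ec2-user_pem`, `account_ids` and `environment_management_arn` entries put what looks like an SSH private key and account metadata under an empty path prefix, and none of the new entries (nor `secretsmanager_secrets_db` at this point in the series) carries a `policy`, so readability of that key depends entirely on whatever IAM policies the instance roles happen to have; a private key deserves its own resource policy or at least a comment naming its intended readers. How the baseline module turns `""` plus the secret name into a Secrets Manager name is not visible here — if it yields a bare name or a leading `/` it sits outside the `/oracle/…`, `/database/…`, `/ec2/…` convention used everywhere else, so add a comment such as `# "" => account-level secrets with no environment prefix; must not clash with the /oracle and /ec2 trees`. `admin_username` and `db_username` are identifiers rather than secrets; storing them here is harmless but should not be mistaken for access control. The `locals` block starts and ends outside the hunk.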
From: wullub Date: Wed, 18 Oct 2023 18:43:00 +0100 Subject: [PATCH 24/24] Update putsecret-ssm-parameters.sh --- .../environments/nomis/scripts/putsecret-ssm-parameters.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100644 => 100755 terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh diff --git a/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh b/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh old mode 100644 new mode 100755 index 105c873d8ed..580f45120e8 --- a/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh +++ b/terraform/environments/nomis/scripts/putsecret-ssm-parameters.sh @@ -53,10 +53,10 @@ elif [[ $MODE == "safe" ]]; then echo "No change" else echo "Change from $oldvalue to $newvalue" - echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2 + echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$newvalue" --profile $PROFILE >&2 echo Press RETURN to put-parameters, CTRL-C to cancel read - aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE + aws secretsmanager put-secret-value --secret-id $param --secret-string "$newvalue" --profile $PROFILE fi fi done
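Review bot: The fix makes the safe branch write `$newvalue` instead of the never-set `$value`, but both `echo` lines around it on the new side still print the secret: the unchanged context `echo "Change from $oldvalue to $newvalue"` emits the old and new password to stdout, and the echoed command line now includes `--secret-string "$newvalue"` on stderr. Replace the first with `echo "Value for $param differs from ssm-parameters/$PROFILE/$param"` and drop the `--secret-string` argument from the echoed command, so database passwords do not end up in terminal scrollback or session recordings. The enclosing loop starts outside the hunk.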