add secretmanager secrets #3655

Merged
merged 26 commits into from
Oct 19, 2023
Merged
@@ -0,0 +1,63 @@
#!/bin/bash
# Upload parameters to secretsmanager
# For example, first call describe-ssm-parameters.sh and get-ssm-parameters.sh
# to get existing parameters. Create new parameters as required and add into
# the ssm-parameters/profile.txt file. Then use this script to upload them to secretsmanager

MODE=safe # force
PROFILE=$1
PREFIX=$2

if [[ -z $PROFILE ]]; then
echo "Usage: $0 <profile> [<prefix>]" >&2
exit 1
fi

if [[ ! -e ssm-parameters/$PROFILE.txt ]]; then
echo "Could not find ssm-parameters/$PROFILE.txt" >&2
exit 1
fi

params=$(cat ssm-parameters/$PROFILE.txt | grep -v '^$' | grep "^$PREFIX")

if [[ $MODE == "force" ]]; then
for param in $params; do
if [[ ! -e ssm-parameters/$PROFILE/$param ]]; then
echo "skipping $param as file does not exist" >&2
else
value=$(cat ssm-parameters/$PROFILE/$param)
echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2
fi
done
echo Press RETURN to put-parameters, CTRL-C to cancel
read

for param in $params; do
if [[ ! -e ssm-parameters/$PROFILE/$param ]]; then
echo "skipping $param as file does not exist" >&2
else
value=$(cat ssm-parameters/$PROFILE/$param)
echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE >&2
aws secretsmanager put-secret-value --secret-id $param --secret-string "$value" --profile $PROFILE
fi
done
elif [[ $MODE == "safe" ]]; then
for param in $params; do
if [[ ! -e ssm-parameters/$PROFILE/$param ]]; then
echo "skipping $param as file does not exist" >&2
else
echo aws secretsmanager get-secret-value --secret-id $param --query SecretString --output text --profile $PROFILE >&2
oldvalue=$(aws secretsmanager get-secret-value --secret-id $param --query SecretString --output text --profile $PROFILE)
newvalue=$(cat ssm-parameters/$PROFILE/$param)
if [[ "$oldvalue" == "$newvalue" ]]; then
echo "No change"
else
echo "Change from $oldvalue to $newvalue"
echo aws secretsmanager put-secret-value --secret-id $param --secret-string "$newvalue" --profile $PROFILE >&2
echo Press RETURN to put-parameters, CTRL-C to cancel
read
aws secretsmanager put-secret-value --secret-id $param --secret-string "$newvalue" --profile $PROFILE
fi
fi
done
fi
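Review bot: The safe-mode branch prints both secret values to stdout at `echo "Change from $oldvalue to $newvalue"`, and the three `echo aws secretsmanager put-secret-value ... --secret-string "$value" ...` lines print the full value to stderr, so whatever these files hold ends up in terminal scrollback and in any CI log that captures the script. Replace the change message with `echo "Value of $param differs from the stored secret"` and drop the `--secret-string` argument from the three echoed commands, leaving the real invocations as they are. Passing the value on the command line also exposes it to other local users through the process list; `--secret-string file://ssm-parameters/$PROFILE/$param` avoids that, but `file://` keeps the file's trailing newline while `$(cat ...)` strips it, so the equality check would have to be adjusted to match. Separately, `$param` and `$PROFILE` are unquoted in every aws call, `read` lacks `-r`, and when `get-secret-value` fails (for example the secret does not exist yet) `oldvalue` is empty and the script still offers to upload rather than stopping on the error.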
16 changes: 7 additions & 9 deletions terraform/environments/oasys/locals.tf
Expand Up @@ -22,7 +22,6 @@ locals {
production = local.production_config
}

account_id = local.environment_management.account_ids[terraform.workspace]
environment_config = local.accounts[local.environment]

region = "eu-west-2"
Expand Down Expand Up @@ -99,12 +98,6 @@ locals {
}
}

database_ssm_parameters = {
parameters = {
passwords = { description = "database passwords" }
}
}

database_a = {
config = merge(module.baseline_presets.ec2_instance.config.db, {
ami_name = "oasys_oracle_db_release_2023-06-26T10-16-03.670Z"
Expand Down Expand Up @@ -227,7 +220,10 @@ locals {
cloudwatch_metric_alarms = {}
user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags
autoscaling_schedules = module.baseline_presets.ec2_autoscaling_schedules.working_hours
autoscaling_group = module.baseline_presets.ec2_autoscaling_group.default
autoscaling_group = merge(module.baseline_presets.ec2_autoscaling_group.default, {
desired_capacity = 2
max_size = 2
})
lb_target_groups = {}
tags = {
backup = "false" # opt out of mod platform default backup plan
Expand All @@ -249,5 +245,7 @@ locals {
})
})

baseline_secretsmanager_secrets = {}

public_key_data = jsondecode(file("./files/bastion_linux.json"))
}
}
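--- a/terraform/environments/oasys/locals_secrets.tf
+++ b/terraform/environments/oasys/locals_secrets.tf
@@ -0,0 +1,52 @@
+locals {
+
+database_ssm_parameters = {
+parameters = {
+passwords = { description = "database passwords" }
+}
+}
+
+share_secret_principal_ids_db = [
+"arn:aws:iam::${module.environment.account_id}:role/ec2-database-*"
+]
+
+
+secret_policy_write_db = {
+effect = "Allow"
+actions = [
+"secretsmanager:PutSecretValue",
+]
+principals = {
+type = "AWS"
+identifiers = [
+"arn:aws:iam::${module.environment.account_id}:role/ec2-database-*"
+]
+}
+resources = ["*"]
+}
+secret_policy_read_db = {
+effect = "Allow"
+actions = [
+"secretsmanager:GetSecretValue",
+]
+principals = {
+type = "AWS"
+identifiers = [
+"arn:aws:iam::${module.environment.account_id}:role/ec2-database-*"
+]
+}
+resources = ["*"]
+}
+
+
+secretsmanager_secrets_db = {
+# policy = [
+# # local.secret_policy_read_db,
+# # local.secret_policy_write_db,
+# ]
+secrets = {
+passwords = {}
+}
+}
+
+}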
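Review bot: Both `secret_policy_write_db` and `secret_policy_read_db` use `arn:aws:iam::${module.environment.account_id}:role/ec2-database-*` as a principal identifier, but IAM does not accept wildcards inside a principal ARN (only a bare `*`), so if these locals are ever attached as a resource policy the statements will be rejected at apply time — which may be why the `policy` list in `secretsmanager_secrets_db` is commented out. If matching on a role-name pattern is needed, the usual form is the account root as principal plus an `ArnLike` condition on `aws:PrincipalArn`, assuming the module's policy object supports conditions, or else the individual role ARNs. The same ARN is repeated three times while `share_secret_principal_ids_db` already holds it, so the two policies could reference that local. The commented-out `policy` block should either be dropped or carry a comment such as `# policy disabled until the principal wildcard is resolved` so the next reader knows it is deliberate.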
2 changes: 1 addition & 1 deletion terraform/environments/oasys/locals_security_groups.tf
Expand Up @@ -256,7 +256,7 @@ locals {
cidr_blocks = local.security_group_cidrs.oracle_db
security_groups = [
"private_lb",
# "private-jumpserver",
"bip",
# "private-web",
# "bastion-linux",
]
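--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -27,6 +27,72 @@ locals {
 "/oracle/database/T2ONRAUD" = local.database_ssm_parameters
 "/oracle/database/T2ONRBDS" = local.database_ssm_parameters
 }
+baseline_secretsmanager_secrets = {
+"/oracle/database/T1OASYS" = local.secretsmanager_secrets_db
+"/oracle/database/T1OASREP" = local.secretsmanager_secrets_db
+"/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_db
+"/oracle/database/T1MISTRN" = local.secretsmanager_secrets_db
+"/oracle/database/T1ONRSYS" = local.secretsmanager_secrets_db
+"/oracle/database/T1ONRAUD" = local.secretsmanager_secrets_db
+"/oracle/database/T1ONRBDS" = local.secretsmanager_secrets_db
+
+"/oracle/database/T2OASYS" = local.secretsmanager_secrets_db
+"/oracle/database/T2OASREP" = local.secretsmanager_secrets_db
+"/oracle/database/T2AZBIPI" = local.secretsmanager_secrets_db
+"/oracle/database/T2MISTRN" = local.secretsmanager_secrets_db
+"/oracle/database/T2ONRSYS" = local.secretsmanager_secrets_db
+"/oracle/database/T2ONRAUD" = local.secretsmanager_secrets_db
+"/oracle/database/T2ONRBDS" = local.secretsmanager_secrets_db
+
+"/database/t1/T1OASYS" = {
+secrets = {
+apex_listenerpassword = {}
+apex_public_userpassword = {}
+apex_rest_publicpassword = {}
+}
+}
+"/database/t2/T2OASYS" = {
+secrets = {
+apex_listenerpassword = {}
+apex_public_userpassword = {}
+apex_rest_publicpassword = {}
+}
+}
+"/database/t2-oasys-db-a/T2BIPINF" = {
+secrets = {
+systempassword = {}
+}
+}
+"/ec2/t1-oasys-db-a" = {
+secrets = {
+asm-passwords = {}
+}
+}
+"/ec2/t2-oasys-db-a" = {
+secrets = {
+asm-passwords = {}
+}
+}
+"/weblogic/test-oasys-bip-b" = {
+secrets = {
+admin_password = {}
+admin_username = {}
+biplatformpassword = {}
+db_username = {}
+mdspassword = {}
+syspassword = {}
+}
+}
+"" = {
+postfix = ""
+secrets = {
+account_ids = {}
+ec2-user_pem = {}
+environment_management_arn = {}
+modernisation_platform_account_id = {}
+}
+}
+}
 
 baseline_ec2_instances = {
 ##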
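Review bot: The entry keyed `"" = { postfix = "" ... }` at the end of `baseline_secretsmanager_secrets` is the only one with an empty key and the only one that sets `postfix`, and nothing explains what secret names it produces; add a comment such as `# account-level secrets: empty key and postfix so only the secret name is used — confirm against the module's naming logic` once that is verified. Every secret in this map is declared as `{}`, so none carries a `policy`; the `secret_policy_read_db` and `secret_policy_write_db` locals defined in locals_secrets.tf are not applied anywhere, which means access to these values rests entirely on identity policies — if that is intentional, say so in a comment next to the map. Naming is mixed: `asm-passwords` and `ec2-user_pem` use hyphens while the remaining names use underscores; if these names must match what the EC2 user data or Ansible reads, a comment stating that constraint would stop a later tidy-up from breaking the lookup.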
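--- a/terraform/environments/oasys/main.tf
+++ b/terraform/environments/oasys/main.tf
@@ -83,4 +83,5 @@ module "baseline" {
 s3_buckets = merge(local.baseline_s3_buckets, module.baseline_presets.s3_buckets, lookup(local.environment_config, "baseline_s3_buckets", {}))
 security_groups = local.baseline_security_groups
 ssm_parameters = merge(module.baseline_presets.ssm_parameters, lookup(local.environment_config, "baseline_ssm_parameters", {}))
+secretsmanager_secrets = merge(local.baseline_secretsmanager_secrets, lookup(local.environment_config, "baseline_secretsmanager_secrets", {}))
 }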