Merge pull request #371 from ministryofjustice/ND-440

Remove plain text secrets
ministryofjustice · Dec 19, 2024 · 63dee31 · 63dee31
2 parents 9da492a + 775694b
commit 63dee31
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 21 deletions.
diff --git a/locals.tf b/locals.tf
@@ -38,11 +38,14 @@ locals {
   tags_dns_minus_name   = { for k, v in module.dns_label.tags : k => v if !contains(["Name"], k) }
 
   secret_manager_arns = {
-    codebuild_dhcp_env_admin_db   = aws_secretsmanager_secret.codebuild_dhcp_env_admin_db.arn
-    codebuild_dhcp_env_db         = aws_secretsmanager_secret.codebuild_dhcp_env_db.arn
-    staff_device_dhcp_sentry_dsn  = aws_secretsmanager_secret.staff_device_dhcp_sentry_dsn.arn
-    staff_device_dns_sentry_dsn   = aws_secretsmanager_secret.staff_device_dns_sentry_dsn_1.arn
-    staff_device_admin_sentry_dsn = aws_secretsmanager_secret.staff_device_admin_sentry_dsn_1.arn
-    codebuild_dhcp_env_admin_api  = aws_secretsmanager_secret.codebuild_dhcp_env_admin_api.arn
+    codebuild_dhcp_env_admin_db                  = aws_secretsmanager_secret.codebuild_dhcp_env_admin_db.arn
+    codebuild_dhcp_env_db                        = aws_secretsmanager_secret.codebuild_dhcp_env_db.arn
+    staff_device_dhcp_sentry_dsn                 = aws_secretsmanager_secret.staff_device_dhcp_sentry_dsn.arn
+    staff_device_dns_sentry_dsn                  = aws_secretsmanager_secret.staff_device_dns_sentry_dsn_1.arn
+    staff_device_admin_sentry_dsn                = aws_secretsmanager_secret.staff_device_admin_sentry_dsn_1.arn
+    codebuild_dhcp_env_admin_api                 = aws_secretsmanager_secret.codebuild_dhcp_env_admin_api.arn
+    staff_device_admin_env_cognito_client_id     = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_id.arn
+    staff_device_admin_env_cognito_client_secret = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_secret.arn
+    staff_device_admin_env_cognito_userpool_id   = aws_secretsmanager_secret.staff_device_admin_env_cognito_userpool_id.arn
   }
 }
diff --git a/modules/admin/cluster.tf b/modules/admin/cluster.tf
@@ -156,22 +156,10 @@ resource "aws_ecs_task_definition" "admin_task" {
           "name": "KEA_CONFIG_BUCKET",
           "value": "${var.kea_config_bucket_name}"
         },
-        {
-          "name": "COGNITO_CLIENT_ID",
-          "value": "${var.cognito_user_pool_client_id}"
-        },
-        {
-          "name": "COGNITO_CLIENT_SECRET",
-          "value": "${var.cognito_user_pool_client_secret}"
-        },
         {
           "name": "COGNITO_USER_POOL_SITE",
           "value": "https://${var.cognito_user_pool_domain}.auth.${var.region}.amazoncognito.com"
         },
-        {
-          "name": "COGNITO_USER_POOL_ID",
-          "value": "${var.cognito_user_pool_id}"
-        },
         {
           "name": "DHCP_CLUSTER_NAME",
           "value": "${var.dhcp_cluster_name}"
@@ -226,6 +214,18 @@ resource "aws_ecs_task_definition" "admin_task" {
         {
           "name": "API_BASIC_AUTH_PASSWORD",
           "valueFrom": "${var.secret_arns["codebuild_dhcp_env_admin_api"]}:basic_auth_password::"
+        },
+        {
+          "name": "COGNITO_USER_POOL_ID",
+          "valueFrom": "${var.secret_arns["staff_device_admin_env_cognito_userpool_id"]}"
+        },
+        {
+          "name": "COGNITO_CLIENT_SECRET",
+          "valueFrom": "${var.secret_arns["staff_device_admin_env_cognito_client_secret"]}"
+        },
+        {
+          "name": "COGNITO_CLIENT_ID",
+          "valueFrom": "${var.secret_arns["staff_device_admin_env_cognito_client_id"]}"
         }
     ],
       "image": "${aws_ecr_repository.admin_ecr.repository_url}",

diff --git a/secrets_manager.admin.tf b/secrets_manager.admin.tf
@@ -82,3 +82,54 @@ resource "aws_secretsmanager_secret_version" "staff_device_admin_sentry_dsn" {
   secret_id     = aws_secretsmanager_secret.staff_device_admin_sentry_dsn_1.id
   secret_string = "REPLACE_ME"
 }
+
+resource "aws_secretsmanager_secret" "staff_device_admin_env_cognito_client_id" {
+  name = "/staff_device/admin/${terraform.workspace}/cognito/cognito_client_id"
+  #  description = "Admin - Cognito client id"
+  provider = aws.env
+}
+
+resource "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_client_id" {
+  provider      = aws.env
+  secret_id     = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_id.id
+  secret_string = "REPLACE_ME"
+}
+
+data "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_client_id" {
+  secret_id = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_id.id
+  provider  = aws.env
+}
+
+resource "aws_secretsmanager_secret" "staff_device_admin_env_cognito_userpool_id" {
+  name = "/staff_device/admin/${terraform.workspace}/cognito/cognito_userpool_id"
+  #  description = "Admin - Cognito user pool id"
+  provider = aws.env
+}
+
+resource "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_userpool_id" {
+  provider      = aws.env
+  secret_id     = aws_secretsmanager_secret.staff_device_admin_env_cognito_userpool_id.id
+  secret_string = "REPLACE_ME"
+}
+
+data "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_userpool_id" {
+  secret_id = aws_secretsmanager_secret.staff_device_admin_env_cognito_userpool_id.id
+  provider  = aws.env
+}
+
+resource "aws_secretsmanager_secret" "staff_device_admin_env_cognito_client_secret" {
+  name = "/staff_device/admin/${terraform.workspace}/cognito/cognito_client_secret"
+  #  description = "Admin - Cognito client secret"
+  provider = aws.env
+}
+
+resource "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_client_secret" {
+  provider      = aws.env
+  secret_id     = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_secret.id
+  secret_string = "REPLACE_ME"
+}
+
+data "aws_secretsmanager_secret_version" "staff_device_admin_env_cognito_client_secret" {
+  secret_id = aws_secretsmanager_secret.staff_device_admin_env_cognito_client_secret.id
+  provider  = aws.env
+}
diff --git a/service_admin.tf b/service_admin.tf
@@ -8,10 +8,10 @@ module "admin" {
   bind_config_bucket_arn               = module.dns.bind_config_bucket_arn
   bind_config_bucket_key_arn           = module.dns.bind_config_bucket_key_arn
   bind_config_bucket_name              = module.dns.bind_config_bucket_name
-  cognito_user_pool_client_id          = module.authentication.cognito_user_pool_client_id
-  cognito_user_pool_client_secret      = module.authentication.cognito_user_pool_client_secret
+  cognito_user_pool_client_id          = data.aws_secretsmanager_secret_version.staff_device_admin_env_cognito_userpool_id.secret_string
+  cognito_user_pool_client_secret      = data.aws_secretsmanager_secret_version.staff_device_admin_env_cognito_client_secret.secret_string
   cognito_user_pool_domain             = module.authentication.cognito_user_pool_domain
-  cognito_user_pool_id                 = module.authentication.cognito_user_pool_id
+  cognito_user_pool_id                 = data.aws_secretsmanager_secret_version.staff_device_admin_env_cognito_client_id.secret_string
   dhcp_cluster_name                    = module.dhcp.ecs.cluster_name
   dhcp_config_bucket_key_arn           = module.dhcp.dhcp_config_bucket_key_arn
   dhcp_http_api_load_balancer_arn      = module.dhcp.http_api_load_balancer_arn