Adding data-science/secrets-manager layer to be used in the database-…

…mysql layer and others

data-science/us-east-1/secrets-manager/common-variables.tf

@@ -0,0 +1,134 @@
+#================================#
+# Common variables               #
+#================================#
+
+#
+# config/backend.config
+#
+#================================#
+# Terraform AWS Backend Settings #
+#================================#
+variable "region" {
+  type        = string
+  description = "AWS Region"
+}
+
+variable "region_primary" {
+  type        = string
+  description = "AWS Region"
+}
+
+variable "profile" {
+  type        = string
+  description = "AWS Profile (required by the backend but also used for other resources)"
+}
+
+variable "bucket" {
+  type        = string
+  description = "AWS S3 TF State Backend Bucket"
+}
+
+variable "dynamodb_table" {
+  type        = string
+  description = "AWS DynamoDB TF Lock state table name"
+}
+
+variable "encrypt" {
+  type        = bool
+  description = "Enable AWS DynamoDB with server side encryption"
+}
+
+#
+# config/base.config
+#
+#=============================#
+# Project Variables           #
+#=============================#
+variable "project" {
+  type        = string
+  description = "Project Name"
+}
+
+variable "project_long" {
+  type        = string
+  description = "Project Long Name"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment Name"
+}
+
+#
+# config/extra.config
+#
+#=============================#
+# Accounts & Extra Vars       #
+#=============================#
+variable "region_secondary" {
+  type        = string
+  description = "AWS Secondary Region for HA"
+}
+
+variable "accounts" {
+  type        = map(any)
+  description = "Accounts Information"
+}
+
+variable "external_accounts" {
+  type        = map(any)
+  description = "External Accounts Information"
+  default     = {}
+}
+
+#=============================#
+# AWS SSO  Variables          #
+#=============================#
+variable "sso_role" {
+  description = "SSO Role Name"
+}
+
+variable "sso_enabled" {
+  type        = string
+  description = "Enable SSO Service"
+}
+
+variable "sso_region" {
+  type        = string
+  description = "SSO Region"
+}
+
+variable "sso_start_url" {
+  type        = string
+  description = "SSO Start Url"
+}
+
+#===========================================#
+# Networking                                #
+#===========================================#
+variable "enable_tgw" {
+  description = "Enable Transit Gateway Support"
+  type        = bool
+  default     = false
+}
+
+variable "enable_tgw_multi_region" {
+  description = "Enable Transit Gateway multi region support"
+  type        = bool
+  default     = false
+}
+
+variable "tgw_cidrs" {
+  description = "CIDRs to be added as routes to public RT"
+  type        = list(string)
+  default     = []
+}
+
+#===========================================#
+# Security compliance
+#===========================================#
+variable "enable_inspector" {
+  description = "Turn inspector on/off"
+  type        = bool
+  default     = false
+}

data-science/us-east-1/secrets-manager/config.tf

@@ -0,0 +1,48 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = "~> 1.3"
+
+  required_providers {
+    aws = "~> 4.10"
+  }
+
+  backend "s3" {
+    key = "data-science/secrets-manager/terraform.tfstate"
+  }
+}
+
+#=============================#
+# Data sources                #
+#=============================#
+data "terraform_remote_state" "keys" {
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = var.profile
+    bucket  = var.bucket
+    key     = "${var.environment}/security-keys/terraform.tfstate"
+  }
+}
+
+# Note: Commented out while database is not deployed
+# data "terraform_remote_state" "apps-devstg-aurora-pgsql" {
+#   backend = "s3"
+
+#   config = {
+#     region  = var.region
+#     profile = var.profile
+#     bucket  = var.bucket
+#     key     = "${var.environment}/databases-aurora-pgsql/terraform.tfstate"
+#   }
+# }

data-science/us-east-1/secrets-manager/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  tags = {
+    Terraform   = "true"
+    Environment = var.environment
+  }
+}

data-science/us-east-1/secrets-manager/outputs.tf

@@ -0,0 +1,9 @@
+output "secret_arns" {
+  description = "Secrets arns map"
+  value       = module.secrets.secret_arns
+}
+
+output "secret_ids" {
+  description = "Secrets ids map"
+  value       = module.secrets.secret_ids
+}

data-science/us-east-1/secrets-manager/secrets.tf

@@ -0,0 +1,65 @@
+module "secrets" {
+  source = "github.com/binbashar/terraform-aws-secrets-manager.git?ref=0.6.0"
+
+  secrets = {
+    # NOTE: Fields annotated with "#@" must be commented out in the first step, when the database is not yet deployed
+    # Update the secret to a secure password via web console after applying
+    # Re-apply after db instance is created
+    "/aurora-mysql/administrator" = {
+      description             = "Apps-data-science Aurora Postgres cluster database administrator"
+      recovery_window_in_days = 7
+      secret_key_value = {
+        # engine   = data.terraform_remote_state.apps-devstg-aurora-mysql.outputs.cluster_engine, #@
+        # host     = data.terraform_remote_state.apps-devstg-aurora-mysql.outputs.cluster_endpoint,   #@
+        username = "administrator",
+        password = "alreadyRotatedPassword",
+        # dbname   = data.terraform_remote_state.apps-devstg-aurora-mysql.outputs.cluster_database_name, #@
+        # port     = data.terraform_remote_state.apps-devstg-aurora-mysql.outputs.cluster_port  #@
+      }
+      kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id,
+      # https://github.com/binbashar/terraform-aws-secrets-manager#secrets-rotation
+      # rotation_lambda_arn     = "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:lambda-rotate-secret"
+    },
+    "/mysql/administrator" = {
+      description             = "Apps-data-science Postgres database administrator"
+      recovery_window_in_days = 7
+      secret_key_value = {
+        # engine   = data.terraform_remote_state.apps-devstg-mysql.outputs.cluster_engine, #@
+        # host     = data.terraform_remote_state.apps-devstg-mysql.outputs.cluster_endpoint,   #@
+        username = "administrator",
+        password = "alreadyRotatedPassword",
+        # dbname   = data.terraform_remote_state.apps-devstg-mysql.outputs.cluster_database_name, #@
+        # port     = data.terraform_remote_state.apps-devstg-mysql.outputs.cluster_port  #@
+      }
+      kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id,
+      # https://github.com/binbashar/terraform-aws-secrets-manager#secrets-rotation
+      # rotation_lambda_arn     = "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:lambda-rotate-secret"
+    }
+  }
+
+  tags = local.tags
+
+}
+
+# Set secrets policies
+data "aws_iam_policy_document" "secret_policy" {
+  statement {
+    sid       = "GetSecret"
+    effect    = "Allow"
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.accounts.data-science.id}:role/DevOps",
+        "arn:aws:iam::${var.accounts.data-science.id}:role/DataScientist"
+      ]
+    }
+  }
+}
+
+resource "aws_secretsmanager_secret_policy" "secrets_policy" {
+  for_each   = module.secrets.secret_arns
+  secret_arn = each.value
+  policy     = data.aws_iam_policy_document.secret_policy.json
+}