
Commit 67fc7cd

authored
Merge pull request #14 from commitdev/merge-secret
Merge secret
2 parents 4aee158 + 359884e commit 67fc7cd

8 files changed

Lines changed: 63 additions & 59 deletions


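--- a/Makefile
+++ b/Makefile
@@ -22,4 +22,22 @@ apply-k8s-utils:
 terraform init; \
 terraform apply
 
-.PHONY: apply apply-remote-state apply-secrets apply-env apply-k8s-utils
+teardown: teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state
+
+teardown-remote-state:
+pushd terraform/bootstrap/remote-state; \
+terraform destroy;
+
+teardown-secrets:
+pushd terraform/bootstrap/secrets; \
+terraform destroy -auto-approve;
+
+teardown-env:
+pushd terraform/environments/$(ENV); \
+terraform destroy -auto-approve;
+
+teardown-k8s-utils:
+pushd kubernetes/terraform/environments/$(ENV); \
+terraform destroy;
+
+.PHONY: apply apply-remote-state apply-secrets apply-env apply-k8s-utils teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state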
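Review bot: The `teardown` target on new line 25 relies on its four prerequisites running in the listed order, but make only guarantees that order for a serial build; under `make -j` the stacks can be destroyed concurrently and the remote state may be removed before the environment that still depends on it. Either add `.NOTPARALLEL:` or make the sequence explicit with a recipe such as `$(MAKE) teardown-k8s-utils && $(MAKE) teardown-env && $(MAKE) teardown-secrets && $(MAKE) teardown-remote-state`. The recipes are also inconsistent about `-auto-approve`: secrets and env destroy without confirmation while remote-state and k8s-utils prompt; if the prompt on remote-state is a deliberate safeguard, a comment saying so would help, otherwise the pairs should match. The `apply-k8s-utils` recipe whose tail forms the context starts outside the hunk.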
Lines changed: 26 additions & 48 deletions
@@ -1,48 +1,26 @@
1-
provider "aws" {
2-
region = "<% index .Params `region` %>"
3-
}
4-
5-
terraform {
6-
required_version = ">= 0.12"
7-
}
8-
9-
# Create the CI User
10-
resource "aws_iam_user" "ci_user" {
11-
name = "ci-user"
12-
}
13-
14-
# Create a keypair to be used by CI systems
15-
resource "aws_iam_access_key" "ci_user" {
16-
user = aws_iam_user.ci_user.name
17-
}
18-
19-
# Add the keys to AWS secrets manager
20-
module "ci_user_keys" {
21-
source = "../../modules/secret"
22-
23-
name = "ci-user-aws-keys"
24-
type = "map"
25-
values = map("access_key_id", aws_iam_access_key.ci_user.id, "secret_key", aws_iam_access_key.ci_user.secret)
26-
}
27-
28-
29-
# Create db credentials
30-
# Unfortunately tf doesn't yet allow you to use for_each with calls to modules
31-
locals {
32-
project = "<% .Name %>"
33-
}
34-
35-
module "db_password-staging" {
36-
source = "../../modules/secret"
37-
38-
name = "${local.project}-staging-rds-master-password"
39-
type = "random"
40-
}
41-
42-
module "db_password-production" {
43-
source = "../../modules/secret"
44-
45-
name = "${local.project}-production-rds-master-password"
46-
type = "random"
47-
random_length = 32
48-
}
1+
provider "aws" {
2+
region = "<% index .Params `region` %>"
3+
}
4+
5+
terraform {
6+
required_version = ">= 0.12"
7+
}
8+
9+
# Create the CI User
10+
resource "aws_iam_user" "ci_user" {
11+
name = "${var.project}-ci-user"
12+
}
13+
14+
# Create a keypair to be used by CI systems
15+
resource "aws_iam_access_key" "ci_user" {
16+
user = aws_iam_user.ci_user.name
17+
}
18+
19+
# Add the keys to AWS secrets manager
20+
module "ci_user_keys" {
21+
source = "../../modules/secret"
22+
23+
name_prefix = "ci-user-aws-keys"
24+
type = "map"
25+
values = map("access_key_id", aws_iam_access_key.ci_user.id, "secret_key", aws_iam_access_key.ci_user.secret)
26+
}
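Review bot: New line 11 references `var.project`, but this commit removes the `locals { project = "<% .Name %>" }` block and adds no variable declaration in this directory; unless a variables.tf declaring `project` already exists alongside it (this section's path is not rendered, it appears to be the bootstrap secrets configuration), terraform rejects the reference as an undeclared input variable. Either keep a local or add `variable "project" {}` carrying the templated value. Separately, line 23 switches the CI key secret to `name_prefix = "ci-user-aws-keys"`, which together with the change in terraform/modules/secret/main.tf recreates that secret under a name with a random suffix, so anything that looks the CI keys up by the fixed name `ci-user-aws-keys` stops finding them; the prefix also does not carry the project name the way the user name on line 11 now does.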

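--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
@@ -19,7 +19,7 @@ module "production" {
 region = "<% index .Params `region` %>"
 allowed_account_ids = ["<% index .Params `accountId` %>"]
 # ECR configuration
-ecr_repositories = ["production"]
+ecr_repositories = ["<% .Name %>-production"]
 
 # EKS configuration
 eks_cluster_version = "1.15"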

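--- a/terraform/environments/staging/main.tf
+++ b/terraform/environments/staging/main.tf
@@ -19,7 +19,7 @@ module "staging" {
 region = "<% index .Params `region` %>"
 allowed_account_ids = ["<% index .Params `accountId` %>"]
 # ECR configuration
-ecr_repositories = [ "gql-server" ]
+ecr_repositories = [ "<% .Name %>-staging" ]
 
 # EKS configuration
 eks_cluster_version = "1.15"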
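Review bot: New line 22 keeps the padded `[ "..." ]` list spacing while the same change in terraform/environments/production/main.tf writes `["<% .Name %>-production"]`; the two environment files should read alike, `ecr_repositories = ["<% .Name %>-staging"]`, which is also the form `terraform fmt` produces. The enclosing `module "staging"` block starts and ends outside the hunk.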

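--- a/terraform/modules/database/main.tf
+++ b/terraform/modules/database/main.tf
@@ -28,9 +28,16 @@ module "rds_security_group" {
 data "aws_caller_identity" "current" {
 }
 
-# This is created by bootstrap/secrets
+# creating RDS password in secret-manager
+module "db_password" {
+source = "../secret"
+name_prefix = "${var.project}-${var.environment}-rds-master-password"
+type = "random"
+}
+
+# RDS does not support secret-manager, have to provide the actual string
 data "aws_secretsmanager_secret_version" "rds_master_secret" {
-secret_id = "${var.project}-${var.environment}-rds-master-password"
+secret_id = module.db_password.secret_name
 }
 
 module "rds" {
@@ -64,7 +71,7 @@ module "rds" {
 
 # DB parameter and option group
 family = "postgres11"
-major_engine_version = "11.5"
+major_engine_version = "11"
 
 final_snapshot_identifier = "final-snapshot"
 deletion_protection = true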
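Review bot: New line 40 references `module.db_password.secret_name`, but the secret module's outputs are not part of this commit, so that output must already exist; if it does not, the plan fails with an unsupported attribute error, which is worth confirming before merge. The new comment on line 31 should also say what changed in ownership: with the password created here instead of in bootstrap/secrets, an environment `terraform destroy` now removes the secret together with the instance (subject to Secrets Manager's recovery window), and reading it through the data source still places the plaintext value in state. Something like `# Lifecycle of the master password is now tied to this module; destroying the environment deletes the secret` would make that explicit. The `module "rds"` block continues past the end of the first hunk and the second hunk sits inside it.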

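--- a/terraform/modules/environment/main.tf
+++ b/terraform/modules/environment/main.tf
@@ -51,7 +51,7 @@ module "eks" {
 }
 
 data "aws_iam_user" "ci_user" {
-user_name = "ci-user" # Should have been created in the bootstrap process
+user_name = "${var.project}-ci-user" # Should have been created in the bootstrap process
 }
 
 module "wildcard_domain" {
@@ -97,5 +97,5 @@ module "ecr" {
 
 environment = var.environment
 ecr_repositories = var.ecr_repositories
-ecr_principals = [data.aws_iam_user.ci_user.arn]
+ecr_principals = [aws_iam_user.ci_user.arn]
 }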
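Review bot: New line 100 uses `aws_iam_user.ci_user.arn`, which is a managed-resource reference, but the only `ci_user` this module declares in the visible lines (line 53, first hunk) is still a `data "aws_iam_user"` block; unless a `resource "aws_iam_user" "ci_user"` exists elsewhere in the module, this is an undeclared resource and the plan fails. The previous form was the correct one for a data source: `ecr_principals = [data.aws_iam_user.ci_user.arn]`. The `module "ecr"` block begins outside the second hunk.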

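--- a/terraform/modules/secret/main.tf
+++ b/terraform/modules/secret/main.tf
@@ -1,6 +1,6 @@
 # Add the keys to AWS secrets manager
 resource "aws_secretsmanager_secret" "secret" {
-name = var.name
+name_prefix = var.name_prefix
 }
 
 resource "aws_secretsmanager_secret_version" "string_secret" {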
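Review bot: Replacing `name` with `name_prefix` on line 3 swaps one force-new attribute for another, so every secret already managed through this module is destroyed and recreated on the next apply, any random value it held is regenerated, and the new secret carries a random suffix. Callers that looked a secret up by its fixed name — the old `secret_id = "${var.project}-${var.environment}-rds-master-password"` in terraform/modules/database/main.tf was one — must move to the module output, and operators should expect the replaced secrets to sit in Secrets Manager's deletion recovery window rather than disappear at once. A comment above the resource such as `# name_prefix: AWS appends a random suffix, so consumers must take the name from this module's output, never a literal` would spare the next reader that surprise. The `aws_secretsmanager_secret_version` block on line 6 continues outside the hunk.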

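--- a/terraform/modules/secret/variables.tf
+++ b/terraform/modules/secret/variables.tf
@@ -1,5 +1,6 @@
-variable "name" {
-description = "The name of the secret in Secrets Manager"
+variable "name_prefix" {
+default = "secret-key"
+description = "The name prefix of the secret in Secrets Manager"
 }
 
 variable type {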
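Review bot: The new `default = "secret-key"` on line 2 turns what was a required input into an optional one; a caller that forgets to set `name_prefix` no longer gets a validation error and instead silently creates a secret named `secret-key` plus a random suffix that nothing else references. Dropping the `default` line keeps the variable required, as `name` was before. The `variable type {` block on line 6 continues outside the hunk.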
