From ce7f0cfbabef475c1cd2a662e73c123e7506cdfc Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:34:44 -0500
Subject: [PATCH 01/13] feat: allow secrets manager option
---
src/asm.tf | 26 ++++++++++++++++++++++++++
src/cluster-regional.tf | 6 +++++-
src/main.tf | 3 +++
src/ssm.tf | 4 +++-
src/variables.tf | 11 +++++++++++
5 files changed, 48 insertions(+), 2 deletions(-)
create mode 100644 src/asm.tf
diff --git a/src/asm.tf b/src/asm.tf
new file mode 100644
index 0000000..a00a962
--- /dev/null
+++ b/src/asm.tf
@@ -0,0 +1,26 @@
+resource "aws_secretsmanager_secret" "default" {
+ count = local.asm_enabled ? 1 : 0
+
+ name = format("%s/%s", local.ssm_path_prefix, "admin")
+ description = format("%s admin creds", module.cluster.id)
+
+ # policy = "{}"
+ # kms_key_id = null # "aws/secretsmanager"
+ # recovery_window_in_days = null # 30
+
+ tags = module.this.tags
+}
+
+resource "aws_secretsmanager_secret_version" "default" {
+ count = local.asm_enabled ? 1 : 0
+
+ secret_id = one(aws_secretsmanager_secret.default[*].id)
+ secret_string = jsonencode({
+ cluster_domain = local.cluster_domain
+ db_host = module.aurora_mysql.master_host
+ db_port = local.db_port
+ cluster_name = module.aurora_mysql.cluster_identifier
+ username = local.mysql_admin_user
+ password = local.mysql_admin_password
+ })
+}
diff --git a/src/cluster-regional.tf b/src/cluster-regional.tf
index 6a17f41..93f46f7 100644
--- a/src/cluster-regional.tf
+++ b/src/cluster-regional.tf
@@ -1,3 +1,7 @@
+locals {
+ db_port = 3306
+}
+
module "aurora_mysql" {
source = "cloudposse/rds-cluster/aws"
version = "2.1.0"
@@ -14,7 +18,7 @@ module "aurora_mysql" {
instance_type = var.mysql_instance_type
db_name = local.mysql_db_name
- db_port = 3306
+ db_port = local.db_port
admin_password = local.mysql_admin_password
admin_user = local.mysql_admin_user
diff --git a/src/main.tf b/src/main.tf
index 097d6f5..d51e97a 100644
--- a/src/main.tf
+++ b/src/main.tf
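Review bot: The new `aws_secretsmanager_secret.default` in src/asm.tf leaves `kms_key_id` commented out, so the secret is encrypted with the AWS-managed `aws/secretsmanager` key, whereas the SSM path in src/ssm.tf encrypts SecureStrings with `module.kms_key_rds.key_arn`; for parity, and because an AWS-managed key cannot serve cross-account reads if those are ever needed, set `kms_key_id = module.kms_key_rds.key_arn`, assuming that key's policy permits Secrets Manager use. `description = format("%s admin creds", module.cluster.id)` references `module.cluster`, which nothing else in this series uses (the other files reference `module.aurora_mysql` and `module.this`), so confirm that module exists. The commented-out `recovery_window_in_days` leaves the default 30-day recovery window, during which a destroyed secret keeps its name reserved and blocks re-creation under the same name; that is worth a comment such as `# default 30-day recovery window: a destroyed secret blocks re-use of its name until the window expires`.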
@@ -1,6 +1,9 @@
locals {
enabled = module.this.enabled
+ asm_enabled = local.enabled && var.secrets_store_type == "ASM"
+ ssm_enabled = local.enabled && var.secrets_store_type == "SSM"
+
vpc_outputs = module.vpc.outputs
dns_delegated_outputs = module.dns-delegated.outputs
vpc_id = local.vpc_outputs.vpc_id
diff --git a/src/ssm.tf b/src/ssm.tf
index 2e551a8..e9ec19c 100644
--- a/src/ssm.tf
+++ b/src/ssm.tf
@@ -21,7 +21,7 @@ locals {
},
{
name = format("%s/%s", local.ssm_path_prefix, "db_port")
- value = "3306"
+ value = local.db_port
description = "Aurora MySQL DB Master TCP port"
type = "String"
overwrite = true
@@ -75,6 +75,8 @@ module "parameter_store_write" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"
+ enabled = local.ssm_enabled
+
# kms_arn will only be used for SecureString parameters
kms_arn = module.kms_key_rds.key_arn
diff --git a/src/variables.tf b/src/variables.tf
index 3297da7..a752dca 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -225,3 +225,14 @@ variable "vpc_component_name" {
default = "vpc"
description = "The name of the VPC component"
}
+
+variable "secrets_store_type" {
+ type = string
+ description = "Secret Store type for Datadog API and app keys. Valid values: `SSM`, `ASM`"
+ default = "SSM"
+
+ validation {
+ condition = var.secrets_store_type == "ASM" || var.secrets_store_type == "SSM"
+ error_message = "secrets_store_type must be either 'ASM' or 'SSM'."
+ }
+}
From 93338597c611301282b2e9dfe0492703a90d1d43 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:40:17 -0500
Subject: [PATCH 02/13] fix: reuse the same key as ssm in asm
---
src/asm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/asm.tf b/src/asm.tf
index a00a962..bc16691 100644
--- a/src/asm.tf
+++ b/src/asm.tf
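Review bot: `enabled = local.ssm_enabled` on `module "parameter_store_write"` in the src/ssm.tf hunk turns the whole SSM parameter set off whenever `secrets_store_type` is `ASM`, so changing the variable on an existing deployment removes the existing parameters (the hunk shows `db_port`; the rest of the list is outside it) in the same apply that creates the secret, with no overlap for consumers still reading SSM. That is presumably the intent, but it should be stated on the variable added in the src/variables.tf hunk, e.g. `description = "Secret store for the database credentials. Valid values: SSM, ASM. Changing this on an existing deployment destroys the entries in the previously selected store."`. The `module "parameter_store_write"` block and the `locals` parameter list both continue outside their hunks.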
@@ -1,7 +1,7 @@
resource "aws_secretsmanager_secret" "default" {
count = local.asm_enabled ? 1 : 0
- name = format("%s/%s", local.ssm_path_prefix, "admin")
+ name = local.mysql_admin_user_key
description = format("%s admin creds", module.cluster.id)
# policy = "{}"
From 3130d7e1ec2f34458d86b8ca37f0597f3910fe2d Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:41:34 -0500
Subject: [PATCH 03/13] fix: use password key
---
src/asm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/asm.tf b/src/asm.tf
index bc16691..54a7e2d 100644
--- a/src/asm.tf
+++ b/src/asm.tf
@@ -1,7 +1,7 @@
resource "aws_secretsmanager_secret" "default" {
count = local.asm_enabled ? 1 : 0
- name = local.mysql_admin_user_key
+ name = local.mysql_admin_password_key
description = format("%s admin creds", module.cluster.id)
# policy = "{}"
From 9aeb306e7f74f6975b6e4673a4d9372cf0e80f6a Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:42:50 -0500
Subject: [PATCH 04/13] fix: asm output
---
src/outputs.tf | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/outputs.tf b/src/outputs.tf
index eafb28a..4755e79 100644
--- a/src/outputs.tf
+++ b/src/outputs.tf
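Review bot: After patch 03/13 (and patch 02/13 which it supersedes) the secret is named with `local.mysql_admin_password_key`, yet its `secret_string`, set in the first patch of the series, is a JSON object carrying `cluster_domain`, `db_host`, `db_port`, `cluster_name`, `username` and `password`, so a consumer who resolves that key expecting a bare password string gets a JSON document instead. Either state the shape where the secret is declared, e.g. `description = format("%s admin creds (JSON: cluster_domain, db_host, db_port, cluster_name, username, password)", module.cluster.id)`, or store the password on its own under that key and the connection bundle under a separate name. The `aws_secretsmanager_secret` block continues outside the hunk.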
@@ -24,16 +24,21 @@ output "aurora_mysql_master_hostname" {
}
output "aurora_mysql_master_password" {
- value = local.mysql_db_enabled ? "Password for admin user ${module.aurora_mysql.master_username} is stored in SSM at ${local.mysql_admin_password_key}" : null
+ value = local.mysql_db_enabled ? "Password for admin user ${module.aurora_mysql.master_username} is stored in ${var.secrets_store_type} at ${local.mysql_admin_password_key}" : null
description = "Location of admin password in SSM"
sensitive = true
}
output "aurora_mysql_master_password_ssm_key" {
- value = local.mysql_db_enabled ? local.mysql_admin_password_key : null
+ value = local.ssm_enabled && local.mysql_db_enabled ? local.mysql_admin_password_key : null
description = "SSM key for admin password"
}
+output "aurora_mysql_master_password_asm_key" {
+ value = local.asm_enabled && local.mysql_db_enabled ? local.mysql_admin_password_key : null
+ description = "ASM key for admin password"
+}
+
output "aurora_mysql_master_username" {
value = local.enabled ? module.aurora_mysql.master_username : null
description = "Aurora MySQL username for the master DB user"
From 1226a7f441e3f5a90e473f765263f3b4a18ac9b9 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:43:49 -0500
Subject: [PATCH 05/13] fix: tostring(port)
---
src/ssm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssm.tf b/src/ssm.tf
index e9ec19c..e4e1e3c 100644
--- a/src/ssm.tf
+++ b/src/ssm.tf
@@ -21,7 +21,7 @@ locals {
},
{
name = format("%s/%s", local.ssm_path_prefix, "db_port")
- value = local.db_port
+ value = tostring(local.db_port)
description = "Aurora MySQL DB Master TCP port"
type = "String"
overwrite = true
From bda9119e2f16f4e4cba4b6172735bd96c7c6d1a4 Mon Sep 17 00:00:00 2001
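Review bot: The new `aurora_mysql_master_password_asm_key` output exposes only the secret name (`local.mysql_admin_password_key`), but IAM resource policies and cross-account reads of a Secrets Manager secret are written against its ARN, and a bare name is ambiguous across accounts and regions; export the ARN alongside it. Its `description = "ASM key for admin password"` also understates what the secret holds, since the `secret_string` created in the first patch of this series is a JSON object (host, port, username, password), so say so in the description. The `aurora_mysql_master_username` output continues outside the hunk.
```hcl
output "aurora_mysql_master_password_asm_arn" {
  value       = local.asm_enabled && local.mysql_db_enabled ? one(aws_secretsmanager_secret.default[*].arn) : null
  description = "ARN of the Secrets Manager secret holding the Aurora MySQL admin credentials (JSON: host, port, username, password)"
}
```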
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:44:13 -0500
Subject: [PATCH 06/13] fix: var description
---
src/variables.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/variables.tf b/src/variables.tf
index a752dca..d362579 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -228,7 +228,7 @@ variable "vpc_component_name" {
variable "secrets_store_type" {
type = string
- description = "Secret Store type for Datadog API and app keys. Valid values: `SSM`, `ASM`"
+ description = "Secret Store type to save database credentials. Valid values: `SSM`, `ASM`"
default = "SSM"
validation {
From 4629302d984255c4d00e1cce667f07b004e03fda Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 13 May 2025 10:44:44 -0500
Subject: [PATCH 07/13] fix: output description
---
src/outputs.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/outputs.tf b/src/outputs.tf
index 4755e79..7cfc576 100644
--- a/src/outputs.tf
+++ b/src/outputs.tf
@@ -25,7 +25,7 @@ output "aurora_mysql_master_hostname" {
output "aurora_mysql_master_password" {
value = local.mysql_db_enabled ? "Password for admin user ${module.aurora_mysql.master_username} is stored in ${var.secrets_store_type} at ${local.mysql_admin_password_key}" : null
- description = "Location of admin password in SSM"
+ description = "Location of admin password"
sensitive = true
}
From 27bb736c25ce1740f07d93665826aac9c0ac20e0 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 08:48:09 -0500
Subject: [PATCH 08/13] fix: add mysql_db_port
---
src/variables.tf | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/variables.tf b/src/variables.tf
index d362579..81f62eb 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -33,10 +33,16 @@ variable "mysql_name" {
variable "mysql_db_name" {
type = string
- description = "Database name (default is not to create a database"
+ description = "Database name (default is not to create a database)"
default = ""
}
+variable "mysql_db_port" {
+ type = number
+ description = "Database port"
+ default = 3306
+}
+
variable "mysql_admin_user" {
type = string
description = "MySQL admin user name"
From c4a9c54f8a1d0246d8c6eb516f31b801c5b75187 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 08:49:00 -0500
Subject: [PATCH 09/13] fix: use var.mysql_db_port
---
src/cluster-regional.tf | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/cluster-regional.tf b/src/cluster-regional.tf
index 93f46f7..27cb36a 100644
--- a/src/cluster-regional.tf
+++ b/src/cluster-regional.tf
@@ -1,7 +1,3 @@
-locals {
- db_port = 3306
-}
-
module "aurora_mysql" {
source = "cloudposse/rds-cluster/aws"
version = "2.1.0"
@@ -18,7 +14,7 @@ module "aurora_mysql" {
instance_type = var.mysql_instance_type
db_name = local.mysql_db_name
- db_port = local.db_port
+ db_port = var.mysql_db_port
admin_password = local.mysql_admin_password
admin_user = local.mysql_admin_user
From 4671b6c66cf35f48ceb9e62cc1945b3ee0edaad0 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 08:51:33 -0500
Subject: [PATCH 10/13] fix: use output for port
---
src/ssm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssm.tf b/src/ssm.tf
index e4e1e3c..3997573 100644
--- a/src/ssm.tf
+++ b/src/ssm.tf
@@ -21,7 +21,7 @@ locals {
},
{
name = format("%s/%s", local.ssm_path_prefix, "db_port")
- value = tostring(local.db_port)
+ value = module.aurora_mysql.port
description = "Aurora MySQL DB Master TCP port"
type = "String"
overwrite = true
From ccd966a0c5e2444ce561a55813fdb4d2197f115f Mon Sep 17 00:00:00 2001
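Review bot: Patch 09/13 deletes the `locals { db_port = 3306 }` block from src/cluster-regional.tf while src/asm.tf still reads `local.db_port` until patch 12/13 replaces it, so commits 09 through 11 reference an undefined local and will not pass `terraform validate` if the series lands unsquashed; reorder so the asm.tf change precedes this one, or squash 09–12. In the src/ssm.tf hunk of patch 10/13 the value moves from `tostring(local.db_port)` to `module.aurora_mysql.port`; if that module output is a number, keeping the explicit conversion, `value = tostring(module.aurora_mysql.port)`, is clearer than relying on implicit conversion in the parameter list and matches what patch 05/13 introduced. The `variable "mysql_db_port"` description `"Database port"` could name the service, e.g. `description = "TCP port the Aurora MySQL cluster listens on"`. The `module "aurora_mysql"` and `locals` blocks in these hunks continue outside them.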
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 08:54:29 -0500
Subject: [PATCH 11/13] fix: tf fmt
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
src/asm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/asm.tf b/src/asm.tf
index 54a7e2d..5e2c240 100644
--- a/src/asm.tf
+++ b/src/asm.tf
@@ -14,7 +14,7 @@ resource "aws_secretsmanager_secret" "default" {
resource "aws_secretsmanager_secret_version" "default" {
count = local.asm_enabled ? 1 : 0
- secret_id = one(aws_secretsmanager_secret.default[*].id)
+ secret_id = one(aws_secretsmanager_secret.default[*].id)
secret_string = jsonencode({
cluster_domain = local.cluster_domain
db_host = module.aurora_mysql.master_host
From 609d482cac8f0b3c95bff6caf193a47cd3bccb39 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 08:55:40 -0500
Subject: [PATCH 12/13] fix: use output
---
src/asm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/asm.tf b/src/asm.tf
index 5e2c240..6c6cd62 100644
--- a/src/asm.tf
+++ b/src/asm.tf
@@ -18,7 +18,7 @@ resource "aws_secretsmanager_secret_version" "default" {
secret_string = jsonencode({
cluster_domain = local.cluster_domain
db_host = module.aurora_mysql.master_host
- db_port = local.db_port
+ db_port = module.aurora_mysql.port
cluster_name = module.aurora_mysql.cluster_identifier
username = local.mysql_admin_user
password = local.mysql_admin_password
From b679d9ca7910e5d49a533ace9f1d7106f07b265c Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Tue, 3 Jun 2025 09:02:41 -0500
Subject: [PATCH 13/13] fix: address feedback for vars
---
src/variables.tf | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/variables.tf b/src/variables.tf
index 81f62eb..e8fff25 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -41,6 +41,11 @@ variable "mysql_db_port" {
type = number
description = "Database port"
default = 3306
+
+ validation {
+ condition = var.mysql_db_port >= 1 && var.mysql_db_port <= 65535
+ error_message = "mysql_db_port must be between 1 and 65535."
+ }
}
variable "mysql_admin_user" {
@@ -238,7 +243,7 @@ variable "secrets_store_type" {
default = "SSM"
validation {
- condition = var.secrets_store_type == "ASM" || var.secrets_store_type == "SSM"
- error_message = "secrets_store_type must be either 'ASM' or 'SSM'."
+ condition = contains(["SSM", "ASM"], var.secrets_store_type)
+ error_message = "secrets_store_type must be one of: SSM, ASM."
}
}
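Review bot: The new `mysql_db_port` validation in the first hunk still accepts non-integer values such as 3306.5, because a Terraform `number` is not restricted to integers and the range check alone does not reject fractions; tighten it to `condition = var.mysql_db_port >= 1 && var.mysql_db_port <= 65535 && floor(var.mysql_db_port) == var.mysql_db_port` and extend the `error_message` to say "an integer between 1 and 65535". The `variable "mysql_db_port"` block starts outside the hunk.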