improve secrets management

SpectralOps · May 27, 2024 · fdafa31 · fdafa31
1 parent 4f62c8e
commit fdafa31
Show file tree

Hide file tree

Showing 10 changed files with 73 additions and 78 deletions.
diff --git a/locals.tf b/locals.tf
@@ -5,4 +5,8 @@ locals {
   api_triggered_function_arn  = local.single_lambda_integration ? module.lambda_function[0].lambda_function_arn : module.frontend_lambda_function[0].lambda_function_arn
   frontend_lambda_handler     = contains(["github"], var.integration_type) ? "index.handler" : "frontend.app"
   backend_lambda_handler      = contains(["github"], var.integration_type) ? "index.handler" : "backend.app"
+  default_secrets_names = {
+    "github" = coalesce(var.secrets_names, ["Spectral_GithubBot_GithubToken", "Spectral_GithubBot_WebhookSecret"]),
+    "gitlab" = coalesce(var.secrets_names, ["Spectral_GitlabBot_GitlabToken", "Spectral_GitlabBot_WebhookSecret"])
+  }
 }
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
@@ -71,11 +71,6 @@ variable "secrets_arns" {
   default     = []
 }
 
-variable "store_secret_in_secrets_manager" {
-  description = "Whether to store your secrets in secrets manager, default is false"
-  type        = bool
-}
-
 variable "lambda_source_code_filename" {
   type        = string
   description = "The lambda source code filename"

diff --git a/modules/secrets_manager/gitlab/main.tf b/modules/secrets_manager/gitlab/main.tf
diff --git a/modules/secrets_manager/gitlab/outputs.tf b/modules/secrets_manager/gitlab/outputs.tf
diff --git a/modules/secrets_manager/secrets.tf b/modules/secrets_manager/secrets.tf
@@ -1,6 +1,6 @@
 locals {
   secrets_arns = concat(
-    try(module.gitlab[0].secrets_arns, []),
+    [for secret in aws_secretsmanager_secret.general_secret : secret.arn],
     [aws_secretsmanager_secret.spectral_dsn.arn]
   )
 }
@@ -9,7 +9,7 @@ resource "aws_secretsmanager_secret" "spectral_dsn" {
   name = "Spectral_Dsn"
 }
 
-module "gitlab" {
-  count  = var.integration_type == "gitlab" ? 1 : 0
-  source = "./gitlab"
+resource "aws_secretsmanager_secret" "general_secret" {
+  count = length(var.secrets_names)
+  name  = var.secrets_names[count.index]
 }
diff --git a/modules/secrets_manager/variables.tf b/modules/secrets_manager/variables.tf
@@ -1,4 +1,9 @@
 variable "integration_type" {
   description = "Integration type to create secrets for"
   type        = string
+}
+
+variable "secrets_names" {
+  description = "Names of secrets to create"
+  type        = list(string)
 }
diff --git a/multiple-lambdas-integration.tf b/multiple-lambdas-integration.tf
@@ -1,45 +1,43 @@
 module "frontend_lambda_function" {
-  count                           = local.multiple_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = "${local.resource_name_pattern}-frontend"
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  lambda_handler                  = local.frontend_lambda_handler
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "frontend.zip"
-  lambda_source_code_path         = var.frontend_lambda_source_code_path
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count                       = local.multiple_lambda_integration ? 1 : 0
+  source                      = "./modules/lambda"
+  global_tags                 = var.global_tags
+  tags                        = var.tags
+  environment                 = var.environment
+  integration_type            = var.integration_type
+  resource_name_pattern       = "${local.resource_name_pattern}-frontend"
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  lambda_handler              = local.frontend_lambda_handler
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "frontend.zip"
+  lambda_source_code_path     = var.frontend_lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }
 
 module "backend_lambda_function" {
-  count                           = local.multiple_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = "${local.resource_name_pattern}-backend"
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  lambda_handler                  = local.backend_lambda_handler
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "backend.zip"
-  lambda_source_code_path         = var.backend_lambda_source_code_path
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count                       = local.multiple_lambda_integration ? 1 : 0
+  source                      = "./modules/lambda"
+  global_tags                 = var.global_tags
+  tags                        = var.tags
+  environment                 = var.environment
+  integration_type            = var.integration_type
+  resource_name_pattern       = "${local.resource_name_pattern}-backend"
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  lambda_handler              = local.backend_lambda_handler
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "backend.zip"
+  lambda_source_code_path     = var.backend_lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {

diff --git a/shared.tf b/shared.tf
@@ -19,6 +19,7 @@ module "secrets_manager" {
   count            = var.store_secret_in_secrets_manager ? 1 : 0
   integration_type = var.integration_type
   source           = "./modules/secrets_manager"
+  secrets_names    = local.default_secrets_names[var.integration_type]
 }
 
 module "lambda_role" {

diff --git a/single-lambda-integration.tf b/single-lambda-integration.tf
@@ -1,20 +1,19 @@
 module "lambda_function" {
-  count                           = local.single_lambda_integration ? 1 : 0
-  source                          = "./modules/lambda"
-  global_tags                     = var.global_tags
-  tags                            = var.tags
-  environment                     = var.environment
-  integration_type                = var.integration_type
-  resource_name_pattern           = local.resource_name_pattern
-  env_vars                        = var.env_vars
-  logs_retention_in_days          = var.lambda_logs_retention_in_days
-  should_write_logs               = var.lambda_enable_logs
-  timeout                         = var.lambda_function_timeout
-  memory_size                     = var.lambda_function_memory_size
-  publish                         = var.lambda_publish
-  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
-  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
-  lambda_source_code_filename     = "app.zip"
-  lambda_source_code_path         = var.lambda_source_code_path
-  role_arn                        = module.lambda_role.lambda_role_arn
+  count                       = local.single_lambda_integration ? 1 : 0
+  source                      = "./modules/lambda"
+  global_tags                 = var.global_tags
+  tags                        = var.tags
+  environment                 = var.environment
+  integration_type            = var.integration_type
+  resource_name_pattern       = local.resource_name_pattern
+  env_vars                    = var.env_vars
+  logs_retention_in_days      = var.lambda_logs_retention_in_days
+  should_write_logs           = var.lambda_enable_logs
+  timeout                     = var.lambda_function_timeout
+  memory_size                 = var.lambda_function_memory_size
+  publish                     = var.lambda_publish
+  secrets_arns                = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  lambda_source_code_filename = "app.zip"
+  lambda_source_code_path     = var.lambda_source_code_path
+  role_arn                    = module.lambda_role.lambda_role_arn
 }
diff --git a/variables.tf b/variables.tf
@@ -103,4 +103,10 @@ variable "resource_name_common_part" {
   type        = string
   description = "A common part for all resources created under the stack"
   default     = null
+}
+
+variable "secrets_names" {
+  description = "Names of secrets to create"
+  type        = list(string)
+  default     = null
 }