From fdafa312b2dde4258c6c3d06a49df0b5873b8b91 Mon Sep 17 00:00:00 2001
From: chenga
Date: Tue, 28 May 2024 01:06:26 +0300
Subject: [PATCH] improve secrets management

---
 locals.tf | 4 ++
 modules/lambda/variables.tf | 5 --
 modules/secrets_manager/gitlab/main.tf | 7 ---
 modules/secrets_manager/gitlab/outputs.tf | 6 --
 modules/secrets_manager/secrets.tf | 8 +-
 modules/secrets_manager/variables.tf | 5 ++
 multiple-lambdas-integration.tf | 74 +++++++++++------------
 shared.tf | 1 +
 single-lambda-integration.tf | 35 ++++++-----
 variables.tf | 6 ++
 10 files changed, 73 insertions(+), 78 deletions(-)
 delete mode 100644 modules/secrets_manager/gitlab/main.tf
 delete mode 100644 modules/secrets_manager/gitlab/outputs.tf

diff --git a/locals.tf b/locals.tf
index 2319c18..5479c8a 100644
--- a/locals.tf
+++ b/locals.tf
@@ -5,4 +5,8 @@ locals {
 api_triggered_function_arn = local.single_lambda_integration ? module.lambda_function[0].lambda_function_arn : module.frontend_lambda_function[0].lambda_function_arn
 frontend_lambda_handler = contains(["github"], var.integration_type) ? "index.handler" : "frontend.app"
 backend_lambda_handler = contains(["github"], var.integration_type) ? "index.handler" : "backend.app"
+ default_secrets_names = {
+ "github" = coalesce(var.secrets_names, ["Spectral_GithubBot_GithubToken", "Spectral_GithubBot_WebhookSecret"]),
+ "gitlab" = coalesce(var.secrets_names, ["Spectral_GitlabBot_GitlabToken", "Spectral_GitlabBot_WebhookSecret"])
+ }
 }
\ No newline at end of file
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
index 766e710..45a13c1 100644
--- a/modules/lambda/variables.tf
+++ b/modules/lambda/variables.tf
@@ -71,11 +71,6 @@ variable "secrets_arns" {
 default = []
 }
 
-variable "store_secret_in_secrets_manager" {
- description = "Whether to store your secrets in secrets manager, default is false"
- type = bool
-}
-
 variable "lambda_source_code_filename" {
 type = string
 description = "The lambda source code filename"
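Review bot: The added `default_secrets_names` map in locals.tf needs a comment stating its contract: a caller that sets `var.secrets_names` replaces the defaults for whichever integration is selected, and the `Spectral_GithubBot_*` / `Spectral_GitlabBot_*` defaults are fixed names that are unique per account and region, so a second stack deployed in the same account and region collides on them unless `secrets_names` is overridden. The names that the function code actually reads are not visible in this patch, so an override presumably has to be mirrored in the functions' configuration — confirm. I would add above the map: `# Secret names created per integration; var.secrets_names overrides the defaults (keep in sync with what the functions read — the defaults are fixed names, so override them when deploying more than one stack per account/region).`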
diff --git a/modules/secrets_manager/gitlab/main.tf b/modules/secrets_manager/gitlab/main.tf
deleted file mode 100644
index 81b49bb..0000000
--- a/modules/secrets_manager/gitlab/main.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_secretsmanager_secret" "gitlab_webhook_secret" {
- name = "Spectral_GitlabBot_WebhookSecret"
-}
-
-resource "aws_secretsmanager_secret" "gitlab_token" {
- name = "Spectral_GitlabBot_GitlabToken"
-}
\ No newline at end of file
diff --git a/modules/secrets_manager/gitlab/outputs.tf b/modules/secrets_manager/gitlab/outputs.tf
deleted file mode 100644
index b8f9c4f..0000000
--- a/modules/secrets_manager/gitlab/outputs.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-output "secrets_arns" {
- value = [
- aws_secretsmanager_secret.gitlab_token.arn,
- aws_secretsmanager_secret.gitlab_webhook_secret.arn
- ]
-}
diff --git a/modules/secrets_manager/secrets.tf b/modules/secrets_manager/secrets.tf
index f6cc84b..587488b 100644
--- a/modules/secrets_manager/secrets.tf
+++ b/modules/secrets_manager/secrets.tf
@@ -1,6 +1,6 @@
 locals {
 secrets_arns = concat(
- try(module.gitlab[0].secrets_arns, []),
+ [for secret in aws_secretsmanager_secret.general_secret : secret.arn],
 [aws_secretsmanager_secret.spectral_dsn.arn]
 )
 }
@@ -9,7 +9,7 @@ resource "aws_secretsmanager_secret" "spectral_dsn" {
 name = "Spectral_Dsn"
 }
 
-module "gitlab" {
- count = var.integration_type == "gitlab" ? 1 : 0
- source = "./gitlab"
+resource "aws_secretsmanager_secret" "general_secret" {
+ count = length(var.secrets_names)
+ name = var.secrets_names[count.index]
 }
\ No newline at end of file
diff --git a/modules/secrets_manager/variables.tf b/modules/secrets_manager/variables.tf
index 68768fa..7dac6d0 100644
--- a/modules/secrets_manager/variables.tf
+++ b/modules/secrets_manager/variables.tf
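Review bot: `resource "aws_secretsmanager_secret" "general_secret"` is indexed with `count` over `var.secrets_names`, so inserting, removing or reordering a name shifts the indexes and Terraform will destroy and recreate every secret that moved — losing any value that was stored in it outside Terraform (as far as this patch shows, the module creates no secret version), and the recreate under the same name fails while the old secret sits in its deletion recovery window. Keying by name avoids both problems: `for_each = toset(var.secrets_names)` and `name = each.value`; the `[for secret in aws_secretsmanager_secret.general_secret : secret.arn]` expression in `locals.secrets_arns` iterates the resulting map's values and works unchanged. With `module "gitlab"` gone, `var.integration_type` has no remaining consumer visible in this module; if nothing else references it, drop the variable and the `integration_type = var.integration_type` argument in shared.tf. No `kms_key_id` is set, so the secrets are encrypted with the AWS-managed key — acceptable as a default, but worth a one-line comment if that is the intent.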
@@ -1,4 +1,9 @@
 variable "integration_type" {
 description = "Integration type to create secrets for"
 type = string
+}
+
+variable "secrets_names" {
+ description = "Names of secrets to create"
+ type = list(string)
 }
\ No newline at end of file
diff --git a/multiple-lambdas-integration.tf b/multiple-lambdas-integration.tf
index afc554a..9292f00 100644
--- a/multiple-lambdas-integration.tf
+++ b/multiple-lambdas-integration.tf
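Review bot: The new module variable `secrets_names` accepts any `list(string)`, but a duplicate or empty entry only surfaces at apply time, when secrets.tf builds one `aws_secretsmanager_secret` per element and two of them ask for the same name. Add a `validation` block with `condition = length(distinct(var.secrets_names)) == length(var.secrets_names) && alltrue([for n in var.secrets_names : n != ""])` and an `error_message` saying the names must be unique and non-empty, so a bad list fails at plan time. The description could also say what the list produces: `description = "Names of the Secrets Manager secrets to create; one aws_secretsmanager_secret per entry"`.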
@@ -1,45 +1,43 @@
 module "frontend_lambda_function" {
- count = local.multiple_lambda_integration ? 1 : 0
- source = "./modules/lambda"
- global_tags = var.global_tags
- tags = var.tags
- environment = var.environment
- integration_type = var.integration_type
- resource_name_pattern = "${local.resource_name_pattern}-frontend"
- env_vars = var.env_vars
- logs_retention_in_days = var.lambda_logs_retention_in_days
- should_write_logs = var.lambda_enable_logs
- lambda_handler = local.frontend_lambda_handler
- timeout = var.lambda_function_timeout
- memory_size = var.lambda_function_memory_size
- publish = var.lambda_publish
- secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
- store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
- lambda_source_code_filename = "frontend.zip"
- lambda_source_code_path = var.frontend_lambda_source_code_path
- role_arn = module.lambda_role.lambda_role_arn
+ count = local.multiple_lambda_integration ? 1 : 0
+ source = "./modules/lambda"
+ global_tags = var.global_tags
+ tags = var.tags
+ environment = var.environment
+ integration_type = var.integration_type
+ resource_name_pattern = "${local.resource_name_pattern}-frontend"
+ env_vars = var.env_vars
+ logs_retention_in_days = var.lambda_logs_retention_in_days
+ should_write_logs = var.lambda_enable_logs
+ lambda_handler = local.frontend_lambda_handler
+ timeout = var.lambda_function_timeout
+ memory_size = var.lambda_function_memory_size
+ publish = var.lambda_publish
+ secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+ lambda_source_code_filename = "frontend.zip"
+ lambda_source_code_path = var.frontend_lambda_source_code_path
+ role_arn = module.lambda_role.lambda_role_arn
 }
 
 module "backend_lambda_function" {
- count = local.multiple_lambda_integration ? 1 : 0
- source = "./modules/lambda"
- global_tags = var.global_tags
- tags = var.tags
- environment = var.environment
- integration_type = var.integration_type
- resource_name_pattern = "${local.resource_name_pattern}-backend"
- env_vars = var.env_vars
- logs_retention_in_days = var.lambda_logs_retention_in_days
- should_write_logs = var.lambda_enable_logs
- lambda_handler = local.backend_lambda_handler
- timeout = var.lambda_function_timeout
- memory_size = var.lambda_function_memory_size
- publish = var.lambda_publish
- secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
- store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
- lambda_source_code_filename = "backend.zip"
- lambda_source_code_path = var.backend_lambda_source_code_path
- role_arn = module.lambda_role.lambda_role_arn
+ count = local.multiple_lambda_integration ? 1 : 0
+ source = "./modules/lambda"
+ global_tags = var.global_tags
+ tags = var.tags
+ environment = var.environment
+ integration_type = var.integration_type
+ resource_name_pattern = "${local.resource_name_pattern}-backend"
+ env_vars = var.env_vars
+ logs_retention_in_days = var.lambda_logs_retention_in_days
+ should_write_logs = var.lambda_enable_logs
+ lambda_handler = local.backend_lambda_handler
+ timeout = var.lambda_function_timeout
+ memory_size = var.lambda_function_memory_size
+ publish = var.lambda_publish
+ secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+ lambda_source_code_filename = "backend.zip"
+ lambda_source_code_path = var.backend_lambda_source_code_path
+ role_arn = module.lambda_role.lambda_role_arn
 }
 
 data "aws_iam_policy_document" "lambda_invoke_policy_document" {
diff --git a/shared.tf b/shared.tf
index 124b840..e39efb8 100644
--- a/shared.tf
+++ b/shared.tf
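Review bot: Both `frontend_lambda_function` and `backend_lambda_function` are still handed the complete `module.secrets_manager[0].secrets_arns` list on their `secrets_arns` lines and share `module.lambda_role.lambda_role_arn`, so whatever the lambda module does with `secrets_arns` — it is not visible in this patch — applies identically to both functions. If one of them only needs a subset of the secrets (for instance the webhook secret but not the API token), this grants more than least privilege requires; exposing per-name ARNs from the secrets_manager module would let each function be given only what it reads. At minimum, a comment on each `secrets_arns` line stating that both functions intentionally receive every secret would record the decision.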
@@ -19,6 +19,7 @@ module "secrets_manager" {
 count = var.store_secret_in_secrets_manager ? 1 : 0
 integration_type = var.integration_type
 source = "./modules/secrets_manager"
+ secrets_names = local.default_secrets_names[var.integration_type]
 }
 
 module "lambda_role" {
diff --git a/single-lambda-integration.tf b/single-lambda-integration.tf
index 2cf9299..2875f7e 100644
--- a/single-lambda-integration.tf
+++ b/single-lambda-integration.tf
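Review bot: `local.default_secrets_names[var.integration_type]` indexes a map whose only keys are `github` and `gitlab`, so any other `integration_type` value makes the plan fail with an invalid-index error inside `module "secrets_manager"` instead of a clear message; whether `var.integration_type` is validated elsewhere cannot be seen from this patch. If other values are possible, either add a `validation` block on `var.integration_type` restricting it to the map's keys, or use `secrets_names = lookup(local.default_secrets_names, var.integration_type, coalesce(var.secrets_names, []))` so an unknown integration simply gets no integration-specific secrets. The `module "secrets_manager"` block opens before this hunk.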
@@ -1,20 +1,19 @@
 module "lambda_function" {
- count = local.single_lambda_integration ? 1 : 0
- source = "./modules/lambda"
- global_tags = var.global_tags
- tags = var.tags
- environment = var.environment
- integration_type = var.integration_type
- resource_name_pattern = local.resource_name_pattern
- env_vars = var.env_vars
- logs_retention_in_days = var.lambda_logs_retention_in_days
- should_write_logs = var.lambda_enable_logs
- timeout = var.lambda_function_timeout
- memory_size = var.lambda_function_memory_size
- publish = var.lambda_publish
- secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
- store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
- lambda_source_code_filename = "app.zip"
- lambda_source_code_path = var.lambda_source_code_path
- role_arn = module.lambda_role.lambda_role_arn
+ count = local.single_lambda_integration ? 1 : 0
+ source = "./modules/lambda"
+ global_tags = var.global_tags
+ tags = var.tags
+ environment = var.environment
+ integration_type = var.integration_type
+ resource_name_pattern = local.resource_name_pattern
+ env_vars = var.env_vars
+ logs_retention_in_days = var.lambda_logs_retention_in_days
+ should_write_logs = var.lambda_enable_logs
+ timeout = var.lambda_function_timeout
+ memory_size = var.lambda_function_memory_size
+ publish = var.lambda_publish
+ secrets_arns = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+ lambda_source_code_filename = "app.zip"
+ lambda_source_code_path = var.lambda_source_code_path
+ role_arn = module.lambda_role.lambda_role_arn
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 0a35933..8d57172 100644
--- a/variables.tf
+++ b/variables.tf
@@ -103,4 +103,10 @@ variable "resource_name_common_part" {
 type = string
 description = "A common part for all resources created under the stack"
 default = null
+}
+
+variable "secrets_names" {
+ description = "Names of secrets to create"
+ type = list(string)
+ default = null
 }
\ No newline at end of file
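Review bot: The description `"Names of secrets to create"` on the root `secrets_names` variable does not say that it overrides the per-integration defaults (`Spectral_GithubBot_*` / `Spectral_GitlabBot_*` in locals.tf) or that `default = null` is what lets the `coalesce` there fall through to them, so a user has no way to know the consequence of setting it. I would write: `description = "Optional override of the Secrets Manager secret names created for the selected integration; null keeps the built-in Spectral_<Integration>Bot_* names. The function code must be configured to read the names given here."` The second sentence reflects my reading that the functions look the secrets up by name, which this patch does not show — confirm before committing to it. The `variable "resource_name_common_part"` block opens before this hunk.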