moved secret env vars into AWS SM

PUGX · Dec 30, 2024 · 50b3134 · 50b3134
1 parent 2c4bb65
commit 50b3134
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 36 deletions.
diff --git a/sys/terraform/ecs.tf b/sys/terraform/ecs.tf
@@ -85,17 +85,10 @@ resource "aws_ecs_task_definition" "ecstask" {
     cloudwatchloggroup      = aws_cloudwatch_log_group.cloudwatchloggroup.name
     env_appdebug            = var.env_appdebug
     env_appenv              = var.env_appenv
-    env_appsecret           = var.env_appsecret
     env_appxdebug           = var.env_appxdebug
     env_appxdebughost       = var.env_appxdebughost
     env_bitbucketauthmethod = var.env_bitbucketauthmethod
-    env_bitbucketsecret     = var.env_bitbucketsecret
-    env_bitbuckettoken      = var.env_bitbuckettoken
-    env_circlecitoken       = var.env_circlecitoken
     env_githubauthmethod    = var.env_githubauthmethod
-    env_githubsecret        = var.env_githubsecret
-    env_githubusername      = var.env_githubusername
-    env_gitlabtoken         = var.env_gitlabtoken
     env_phpfpmhost          = var.env_phpfpmhost
     env_redishost           = var.env_redishost
     env_redishost           = var.env_redishost

diff --git a/sys/terraform/ecs/task-definition.json b/sys/terraform/ecs/task-definition.json
@@ -23,10 +23,6 @@
       "name": "APP_DEBUG",
       "value": "${env_appdebug}"
     },
-    {
-      "name": "APP_SECRET",
-      "value": "${env_appsecret}"
-    },
     {
       "name": "APP_XDEBUG",
       "value": "${env_appxdebug}"
@@ -44,49 +40,54 @@
       "value": "${env_githubauthmethod}"
     },
     {
-      "name": "GITHUB_USERNAME",
-      "value": "${env_githubusername}"
+      "name": "SENTRY_DSN",
+      "value": "${env_sentrydsn}"
     },
     {
-      "name": "GITHUB_SECRET",
-      "value": "${env_githubsecret}"
+      "name": "BITBUCKET_AUTH_METHOD",
+      "value": "${env_bitbucketauthmethod}"
     },
     {
-      "name": "CIRCLE_CI_TOKEN",
-      "value": "${env_circlecitoken}"
+      "name": "TRUSTED_PROXIES",
+      "value": "${env_trustedproxies}"
+    }
+  ],
+  "image": "${account_id}.dkr.ecr.${aws_region}.amazonaws.com/${service_name}:phpfpm-${ecr_image_tag_php}",
+  "essential": true,
+  "environmentFiles": [],
+  "extraHosts": [],
+  "links": [],
+  "mountPoints": [],
+  "secrets": [
+    {
+      "name": "APP_SECRET",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:APP_SECRET::"
     },
     {
-      "name": "SENTRY_DSN",
-      "value": "${env_sentrydsn}"
+      "name": "GITHUB_USERNAME",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:GITHUB_USERNAME::"
     },
     {
-      "name": "BITBUCKET_AUTH_METHOD",
-      "value": "${env_bitbucketauthmethod}"
+      "name": "GITHUB_SECRET",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:GITHUB_SECRET::"
     },
     {
-      "name": "BITBUCKET_SECRET",
-      "value": "${env_bitbucketsecret}"
+      "name": "CIRCLE_CI_TOKEN",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:CIRCLE_CI_TOKEN::"
     },
     {
-      "name": "BITBUCKET_TOKEN",
-      "value": "${env_bitbuckettoken}"
+      "name": "BITBUCKET_SECRET",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:BITBUCKET_SECRET::"
     },
     {
-      "name": "TRUSTED_PROXIES",
-      "value": "${env_trustedproxies}"
+      "name": "BITBUCKET_TOKEN",
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:BITBUCKET_TOKEN::"
     },
     {
       "name": "GITLAB_TOKEN",
-      "value": "${env_gitlabtoken}"
+      "valueFrom": "arn:aws:secretsmanager:${aws_region}:${account_id}:secret:${service_name}:GITLAB_TOKEN::"
     }
   ],
-  "image": "${account_id}.dkr.ecr.${aws_region}.amazonaws.com/${service_name}:phpfpm-${ecr_image_tag_php}",
-  "essential": true,
-  "environmentFiles": [],
-  "extraHosts": [],
-  "links": [],
-  "mountPoints": [],
-  "secrets": [],
   "systemControls": [],
   "ulimits": [],
   "volumesFrom": [],

diff --git a/sys/terraform/elb.tf b/sys/terraform/elb.tf
@@ -73,7 +73,7 @@ resource "aws_appautoscaling_target" "asscalabletarget" {
   max_capacity       = 1
   min_capacity       = 1
   resource_id        = "service/${var.service_name}-cluster-${var.environment}/${var.service_name}"
-  role_arn           = var.exec_role_arn
+  role_arn           = var.exec_role_arn_autoscale
   scalable_dimension = "ecs:service:DesiredCount"
   service_namespace  = "ecs"
 }

diff --git a/sys/terraform/secret.tf b/sys/terraform/secret.tf
@@ -0,0 +1,16 @@
+resource "aws_secretsmanager_secret" "poser" {
+  name = var.service_name
+}
+
+resource "aws_secretsmanager_secret_version" "poser" {
+  secret_id     = aws_secretsmanager_secret.poser.id
+  secret_string = jsonencode({
+    APP_SECRET       = var.env_appsecret
+    GITHUB_SECRET    = var.env_githubsecret
+    GITHUB_USERNAME  = var.env_githubusername
+    CIRCLE_CI_TOKEN  = var.env_circlecitoken
+    BITBUCKET_SECRET = var.env_bitbucketsecret
+    BITBUCKET_TOKEN  = var.env_bitbuckettoken
+    GITLAB_TOKEN     = var.env_gitlabtoken
+  })
+}
diff --git a/sys/terraform/variables.tf b/sys/terraform/variables.tf
@@ -23,6 +23,11 @@ variable "exec_role_arn" {
   type        = string
 }
 
+variable "exec_role_arn_autoscale" {
+  description = "Specifies the ARN of the Execution Role for Autoscaling."
+  type        = string
+}
+
 variable "service_name" {
   description = "The name of the service being created. It identifies all the resources related to it."
   type        = string