Fix "invalid count argument" error

[lorenyu]

Ticket

Resolves #475

Changes

• Fix "invalid count argument" error

Additional changes

• Remove "password_ts" event from role manager lambda
• Merge redundant IAM policies for role manager ssm access
• Clean up DEBUG log level configuration in role manager

Context for reviewers

In #475, @rocketnova discovered a bug that prevents terraform from creating a plan for the database layer. The module sets the count for the db password secret to be length(aws_rds_cluster.db.master_user_secret), but this is unnecessary since aws_rds_cluster.db.master_user_secret will always be available as long as the rds_cluster's manage_master_user_password is set to true which will always be the case since it is hardcoded to true (see

template-infra/infra/modules/database/main.tf

Line 31 in 6b3588c

manage_master_user_password = true

).

This changeset removes the unnecessary count which fixes the terraform plan.

This changeset also includes a number of minor cleanup changes:

• Remove the "password_ts" event from the role manager lambda that was introduced in PR 461 and isn't needed.
• Merge the IAM policy that was newly created in PR 469 with the existing one that is conceptually identical.
• Clean up the DEBUG log level configuration in the role manager that was introduced in PR 469

Testing and Migration notes

Developed and tested on platform-test in this PR: navapbc/platform-test#66

Copied here for convenience:

1. created new workspace lyfxcnt ("lorenyu fix count")
   
2. in new workspace, create db layer. screenshots of plan and results below
   
   
3. Created db roles with make infra-update-app-database-roles APP_NAME=app ENVIRONMENT=dev
   
4. Checked roles (checking that we can connect with IAM auth and that the roles have proper permissions) with make infra-check-app-database-roles APP_NAME=app ENVIRONMENT=dev
   
5. Cleaned up by remove deletion protection, deleting the db cluster and workspace
   
   
   
   
   
   

Migration notes

If the rds database cluster already exists and has manage_master_user_password set to false, the terraform plan will fail with the following error:

thus, in order to migrate, we'll need to follow the following steps:

1. first do a targeted apply of the aws_rds_cluster by running the following command (replace ENVIRONMENT_NAME with the correct environment)

   TF_CLI_ARGS_apply='-target="module.database.aws_rds_cluster.db"' make infra-update-app-database APP_NAME=app ENVIRONMENT=<ENVIRONMENT_NAME>
   

   

2. Then you can apply the rest of the changes normally with make infra-update-app-database APP_NAME=app ENVIRONMENT=<ENVIRONMENT_NAME>

   

[lorenyu]

@shawnvanderjagt @jamesbursa tagged you two since you reviewed the related PRs, and @charles-nava tagged you since you worked on those PRs.

@rocketnova FYI this PR should address the issue you ran into

[rocketnova]

Looks great to me! Verified by doing a deploy of our set up steps up through database role update to my AWS instance.