Write atomic outputs to Secrets Manager

nulib · Nov 8, 2024 · 2db11d5 · 2db11d5
1 parent 1325f78
commit 2db11d5
Show file tree

Hide file tree

Showing 7 changed files with 96 additions and 1 deletion.
diff --git a/configuration/.terraform.lock.hcl b/configuration/.terraform.lock.hcl
diff --git a/configuration/main.tf b/configuration/main.tf
@@ -0,0 +1,35 @@
+terraform {
+  backend "s3" {
+    key    = "infrastructure_configuration.tfstate"
+  }
+
+  required_providers {
+    aws = "~> 5.19"
+  }
+  required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+  default_tags {
+    tags = local.tags
+  }
+}
+
+locals {
+#  environment   = module.core.outputs.stack.environment
+  namespace     = module.core.outputs.stack.namespace
+  prefix        = module.core.outputs.stack.prefix
+  tags          = merge(
+    module.core.outputs.stack.tags, 
+    {
+      Component   = "configuration",
+      Git         = "github.com/nulib/infrastructure"
+      Project     = "Infrastructure"
+    }
+  )
+}
+
+module "core" {
+  source    = "../modules/remote_state"
+  component = "core"
+}
diff --git a/configuration/secrets.tf b/configuration/secrets.tf
@@ -0,0 +1,11 @@
+resource "aws_secretsmanager_secret" "data_services" {
+  for_each    = var.secrets
+  name        = "${local.prefix}/infrastructure/${each.key}"
+  description = "${each.key} secrets for ${local.namespace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+  for_each      = var.secrets
+  secret_id     = aws_secretsmanager_secret.data_services[each.key].id
+  secret_string = jsonencode(each.value)
+}
diff --git a/configuration/variables.tf b/configuration/variables.tf
@@ -0,0 +1,3 @@
+variable "secrets" {
+  type = map(any)
+}
diff --git a/core/secrets.tf b/core/secrets.tf
@@ -0,0 +1,20 @@
+locals {
+  secrets = {
+    wildcard_cert = {
+      domain            = aws_acm_certificate.wildcard_cert.domain_name
+      certificate_arn   = aws_acm_certificate.wildcard_cert.arn
+    }
+  }
+}
+
+resource "aws_secretsmanager_secret" "data_services" {
+  for_each    = local.secrets
+  name        = "${terraform.workspace}/infrastructure/${each.key}"
+  description = "${each.key} secrets for ${terraform.workspace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+  for_each      = local.secrets
+  secret_id     = aws_secretsmanager_secret.data_services[each.key].id
+  secret_string = jsonencode(each.value)
+}
diff --git a/fcrepo/secrets.tf b/fcrepo/secrets.tf
@@ -1,7 +1,7 @@
 locals {
   secrets = {
     fcrepo = {
-      endpoint = "http://${aws_service_discovery_service.fcrepo.name}.${module.core.outputs.vpc.service_discovery_dns_zone.name}:8080/rest"
+      endpoint = "http://${aws_service_discovery_service.fcrepo.name}.${module.core.outputs.vpc.service_discovery_dns_zone.name}:8080/rest/"
     }
   }
 }

diff --git a/iiif-server/template.yaml b/iiif-server/template.yaml
@@ -112,6 +112,7 @@ Resources:
     Type: AWS::SecretsManager::Secret
     Properties:
       Name: !Sub "${Namespace}/infrastructure/iiif"
+      Description: !Sub "iiif secrets for ${Namespace}"
       SecretString:
         Fn::ToJsonString:
           base: !Sub "https://${Hostname}.${DomainName}/"