Skip to content

Commit f3ab47c

Browse files
razorsedgerazorsedge
authored
Deal with references to Secrets Manager secrets (#2)
Correctly deal with referencing SecretsManager secrets
1 parent bbf908a commit f3ab47c

File tree

2 files changed

+58
-6
lines changed

2 files changed

+58
-6
lines changed

main.tf

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,10 +8,16 @@ locals {
88
// Master user password
99
master_password_in_ssm_param = var.db_master_password_ssm_param != null ? true : false
1010
master_password_ssm_param_ecnrypted = var.db_master_password_ssm_param_kms_key != null ? true : false
11+
# Replace null with empty string so that the following regexall will work.
12+
db_master_password_ssm_param = var.db_master_password_ssm_param == null ? "" : var.db_master_password_ssm_param
13+
master_password_in_secretsmanager = length(regexall("/aws/reference/secretsmanager/", local.db_master_password_ssm_param)) > 0
1114

1215
// Provisioned user password
1316
user_password_in_ssm_param = var.db_user_password_ssm_param != null ? true : false
1417
user_password_ssm_param_ecnrypted = var.db_user_password_ssm_param_kms_key != null ? true : false
18+
# Replace null with empty string so that the following regexall will work.
19+
db_user_password_ssm_param = var.db_user_password_ssm_param == null ? "" : var.db_user_password_ssm_param
20+
user_password_in_secretsmanager = length(regexall("/aws/reference/secretsmanager/", local.db_user_password_ssm_param)) > 0
1521
}
1622

1723
#############################################################
@@ -30,6 +36,12 @@ data "aws_ssm_parameter" "master_password" {
3036
name = var.db_master_password_ssm_param
3137
}
3238

39+
data "aws_secretsmanager_secret" "master_password" {
40+
count = var.enabled && local.master_password_in_secretsmanager ? 1 : 0
41+
42+
name = trimprefix(var.db_master_password_ssm_param, "/aws/reference/secretsmanager/")
43+
}
44+
3345
data "aws_kms_key" "master_password" {
3446
count = var.enabled && local.master_password_in_ssm_param && local.master_password_ssm_param_ecnrypted ? 1 : 0
3547

@@ -42,6 +54,12 @@ data "aws_ssm_parameter" "user_password" {
4254
name = var.db_user_password_ssm_param
4355
}
4456

57+
data "aws_secretsmanager_secret" "user_password" {
58+
count = var.enabled && local.user_password_in_secretsmanager ? 1 : 0
59+
60+
name = trimprefix(var.db_user_password_ssm_param, "/aws/reference/secretsmanager/")
61+
}
62+
4563
data "aws_kms_key" "user_password" {
4664
count = var.enabled && local.user_password_in_ssm_param && local.user_password_ssm_param_ecnrypted ? 1 : 0
4765

@@ -253,6 +271,18 @@ data "aws_iam_policy_document" "master_password_ssm_permissions" {
253271
}
254272
}
255273

274+
data "aws_iam_policy_document" "master_password_secretsmanager_permissions" {
275+
count = var.enabled && local.master_password_in_secretsmanager ? 1 : 0
276+
277+
statement {
278+
effect = "Allow"
279+
actions = [
280+
"secretsmanager:GetSecretValue",
281+
]
282+
resources = [join("", data.aws_secretsmanager_secret.master_password.*.arn)]
283+
}
284+
}
285+
256286
data "aws_iam_policy_document" "master_password_kms_permissions" {
257287
count = var.enabled && local.master_password_in_ssm_param && local.master_password_ssm_param_ecnrypted ? 1 : 0
258288

@@ -277,6 +307,18 @@ data "aws_iam_policy_document" "user_password_ssm_permissions" {
277307
}
278308
}
279309

310+
data "aws_iam_policy_document" "user_password_secretsmanager_permissions" {
311+
count = var.enabled && local.user_password_in_secretsmanager ? 1 : 0
312+
313+
statement {
314+
effect = "Allow"
315+
actions = [
316+
"secretsmanager:GetSecretValue",
317+
]
318+
resources = [join("", data.aws_secretsmanager_secret.user_password.*.arn)]
319+
}
320+
}
321+
280322
data "aws_iam_policy_document" "user_password_kms_permissions" {
281323
count = var.enabled && local.user_password_in_ssm_param && local.user_password_ssm_param_ecnrypted ? 1 : 0
282324

@@ -297,8 +339,10 @@ module "aggregated_policy" {
297339
join("", data.aws_iam_policy_document.lambda_kms_permissions.*.json),
298340
join("", data.aws_iam_policy_document.master_password_ssm_permissions.*.json),
299341
join("", data.aws_iam_policy_document.master_password_kms_permissions.*.json),
342+
join("", data.aws_iam_policy_document.master_password_secretsmanager_permissions.*.json),
300343
join("", data.aws_iam_policy_document.user_password_ssm_permissions.*.json),
301344
join("", data.aws_iam_policy_document.user_password_kms_permissions.*.json),
345+
join("", data.aws_iam_policy_document.user_password_secretsmanager_permissions.*.json),
302346
])
303347
}
304348

source-code/main.py

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
just need to pass db instance identifier.
99

1010
Master user will be granted all permissions to the created database.
11-
If user or database already exist - they won't be created.
11+
If user or database already exists - they won't be created.
1212

1313
Author: [email protected]
1414

@@ -20,6 +20,7 @@
2020
import os
2121
from dataclasses import dataclass
2222
from typing import List
23+
import json
2324

2425
import psycopg2
2526
import pymysql
@@ -55,7 +56,14 @@ def get_ssm_parameter_value(self, name: str) -> str:
5556
Name=name,
5657
WithDecryption=True
5758
)
58-
return response.get('Parameter').get('Value')
59+
returnval = response.get('Parameter').get('Value')
60+
if (name.startswith('/aws/reference/secretsmanager')):
61+
try:
62+
val = json.loads(returnval)
63+
returnval = val['password']
64+
except ValueError as e:
65+
pass
66+
return returnval
5967

6068
@staticmethod
6169
def _get_pg_usernames(cursor) -> List[str]:
@@ -95,7 +103,7 @@ def provision_postgres_db(self, info: DBInfo):
95103
if info.provision_user:
96104
usernames = self._get_pg_usernames(cursor)
97105
if info.provision_user in usernames:
98-
self.logger.warning("User '{}' won't be created because it's already exist".format(info.provision_user))
106+
self.logger.warning("User '{}' won't be created because it already exists".format(info.provision_user))
99107
else:
100108
self.logger.info("Creating user '{}'".format(info.provision_user))
101109

@@ -110,7 +118,7 @@ def provision_postgres_db(self, info: DBInfo):
110118

111119
if info.provision_db_name in databases_names:
112120
self.logger.warning(
113-
"Database '{}' won't be created because it's already exist".format(info.provision_db_name))
121+
"Database '{}' won't be created because it already exists".format(info.provision_db_name))
114122
else:
115123
self.logger.info("Creating database '{}'".format(info.provision_db_name))
116124

@@ -172,7 +180,7 @@ def provision_mysql_db(self, info: DBInfo):
172180
if info.provision_user:
173181
usernames = self._get_mysql_usernames(cursor)
174182
if info.provision_user in usernames:
175-
self.logger.warning("User '{}' won't be created because it's already exist".format(info.provision_user))
183+
self.logger.warning("User '{}' won't be created because it already exists".format(info.provision_user))
176184
else:
177185
self.logger.info("Creating user '{}'".format(info.provision_user))
178186

@@ -192,7 +200,7 @@ def provision_mysql_db(self, info: DBInfo):
192200
databases_names = self._get_mysql_databases_names(cursor)
193201

194202
if info.provision_db_name in databases_names:
195-
self.logger.warning("Database '{}' won't be created because it's already exist".format(
203+
self.logger.warning("Database '{}' won't be created because it already exists".format(
196204
info.provision_db_name
197205
))
198206
else:

0 commit comments

Comments
 (0)