Create discrete secrets for each deployed component

nulib · Sep 18, 2024 · db5faf2 · db5faf2
1 parent c0b3e3f
commit db5faf2
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 74 deletions.
diff --git a/README.md b/README.md
@@ -19,10 +19,6 @@ Each folder should follow the same naming conventions:
 * `data.tf` – Contains terraform `data` sources, if there are enough of them to warrant splitting them out
 * `outputs.tf` – Contains only terraform outputs
 
-## Secrets
-
-Instead of using Terraform variables (and `.tfvars` files), which come with a host of security/maintenance/synchronization issues, each component or project should store a JSON string of their secrets in [AWS Server Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) under the `/tfvars/` namespace. These secrets can be referenced using the [`secrets` module](modules/secrets/README.md) in this repository. Please see that module's README file and other components within this repository for examples.
-
 ## Common Configuration
 
 Each folder should be initialized the same way:

diff --git a/core/main.tf b/core/main.tf
@@ -19,7 +19,6 @@ locals {
   environment   = coalesce(var.environment, substr(terraform.workspace, 0, 1))
   namespace     = join("-", [var.stack_name, local.environment])
   common_tags   = {
-    Department  = "RDC"
     Environment = terraform.workspace
     Terraform   = "true"
   }

diff --git a/fcrepo/secrets.tf b/fcrepo/secrets.tf
@@ -0,0 +1,19 @@
+locals {
+  secrets = {
+    fcrepo = {
+      endpoint = "http://${aws_service_discovery_service.fcrepo.name}.${module.core.outputs.vpc.service_discovery_dns_zone.name}:8080/rest"
+    }
+  }
+}
+
+resource "aws_secretsmanager_secret" "data_services" {
+  for_each    = local.secrets
+  name        = "${local.namespace}/infrastructure/${each.key}"
+  description = "${each.key} secrets for ${local.namespace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+  for_each      = local.secrets
+  secret_id     = aws_secretsmanager_secret.data_services[each.key].id
+  secret_string = jsonencode(each.value)
+}
diff --git a/modules/secrets/README.md b/modules/secrets/README.md
diff --git a/modules/secrets/main.tf b/modules/secrets/main.tf
diff --git a/modules/secrets/outputs.tf b/modules/secrets/outputs.tf
diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf
diff --git a/solrcloud/secrets.tf b/solrcloud/secrets.tf
@@ -0,0 +1,20 @@
+locals {
+  secrets = {
+    solrcloud = {
+      solr_url            = local.solr_endpoint
+      zookeeper_servers   = local.zookeeper_servers
+    }
+  }
+}
+
+resource "aws_secretsmanager_secret" "data_services" {
+  for_each    = local.secrets
+  name        = "${local.namespace}/infrastructure/${each.key}"
+  description = "${each.key} secrets for ${local.namespace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+  for_each      = local.secrets
+  secret_id     = aws_secretsmanager_secret.data_services[each.key].id
+  secret_string = jsonencode(each.value)
+}