Merge pull request #325 from alphagov/bilbof/secrets-autogenerate-sec…

…ret_key_base Autogenerate remaining secret_key_base secrets
alphagov · Jun 14, 2021 · 9fc9e62 · 9fc9e62
2 parents 5782d80 + 3fab7e5
commit 9fc9e62
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 76 deletions.
diff --git a/terraform/deployments/govuk-publishing-platform/app_authenticating_proxy.tf b/terraform/deployments/govuk-publishing-platform/app_authenticating_proxy.tf
@@ -25,7 +25,7 @@ locals {
         GDS_SSO_OAUTH_ID     = module.oauth_applications["authenticating_proxy"].id_arn,
         GDS_SSO_OAUTH_SECRET = module.oauth_applications["authenticating_proxy"].secret_arn,
         JWT_AUTH_SECRET      = data.aws_secretsmanager_secret.authenticating_proxy_jwt_auth_secret.arn,
-        SECRET_KEY_BASE      = data.aws_secretsmanager_secret.authenticating_proxy_secret_key_base.arn,
+        SECRET_KEY_BASE      = aws_secretsmanager_secret.secret_key_base["authenticating_proxy"].arn,
       }
     )
   }

diff --git a/terraform/deployments/govuk-publishing-platform/app_content_store.tf b/terraform/deployments/govuk-publishing-platform/app_content_store.tf
@@ -19,12 +19,7 @@ locals {
       }
     )
 
-    secrets_from_arns = merge(
-      local.defaults.secrets_from_arns,
-      {
-        SECRET_KEY_BASE = data.aws_secretsmanager_secret.content_store_secret_key_base.arn,
-      }
-    )
+    secrets_from_arns = local.defaults.secrets_from_arns
 
     mongodb_url = format(
       "mongodb://%s,%s,%s",
@@ -69,6 +64,7 @@ module "content_store" {
       GDS_SSO_OAUTH_SECRET        = module.oauth_applications["content_store"].secret_arn,
       PUBLISHING_API_BEARER_TOKEN = module.signon_bearer_tokens.cs_to_pub_api.secret_arn
       ROUTER_API_BEARER_TOKEN     = module.signon_bearer_tokens.cs_to_router_api.secret_arn
+      SECRET_KEY_BASE             = aws_secretsmanager_secret.secret_key_base["content_store"].arn
     }
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn
@@ -121,6 +117,7 @@ module "draft_content_store" {
       GDS_SSO_OAUTH_SECRET        = module.oauth_applications["draft_content_store"].secret_arn,
       PUBLISHING_API_BEARER_TOKEN = module.signon_bearer_tokens.dcs_to_pub_api.secret_arn
       ROUTER_API_BEARER_TOKEN     = module.signon_bearer_tokens.dcs_to_draft_router_api.secret_arn
+      SECRET_KEY_BASE             = aws_secretsmanager_secret.secret_key_base["draft_content_store"].arn
     }
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn

diff --git a/terraform/deployments/govuk-publishing-platform/app_frontend.tf b/terraform/deployments/govuk-publishing-platform/app_frontend.tf
@@ -29,7 +29,6 @@ locals {
       {
         # TODO Should frontend and draft frontend share a bearer token for publishing api?
         PUBLISHING_API_BEARER_TOKEN = module.signon_bearer_tokens.frontend_to_pub_api.secret_arn
-        SECRET_KEY_BASE             = aws_secretsmanager_secret.secret_key_base["frontend"].arn
       }
     )
 
@@ -59,19 +58,24 @@ module "frontend" {
   subnets                          = local.private_subnets
   extra_security_groups            = [aws_security_group.mesh_ecs_service.id]
   environment_variables            = local.frontend_defaults.environment_variables
-  secrets_from_arns                = local.frontend_defaults.secrets_from_arns
-  splunk_url_secret_arn            = local.defaults.splunk_url_secret_arn
-  splunk_token_secret_arn          = local.defaults.splunk_token_secret_arn
-  splunk_index                     = local.defaults.splunk_index
-  splunk_sourcetype                = local.defaults.splunk_sourcetype
-  aws_region                       = data.aws_region.current.name
-  cpu                              = local.frontend_defaults.cpu
-  memory                           = local.frontend_defaults.memory
-  task_role_arn                    = aws_iam_role.task.arn
-  execution_role_arn               = aws_iam_role.execution.arn
-  additional_tags                  = local.additional_tags
-  environment                      = var.govuk_environment
-  workspace                        = local.workspace
+  secrets_from_arns = merge(
+    local.frontend_defaults.secrets_from_arns,
+    {
+      SECRET_KEY_BASE = aws_secretsmanager_secret.secret_key_base["frontend"].arn
+    },
+  )
+  splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn
+  splunk_token_secret_arn = local.defaults.splunk_token_secret_arn
+  splunk_index            = local.defaults.splunk_index
+  splunk_sourcetype       = local.defaults.splunk_sourcetype
+  aws_region              = data.aws_region.current.name
+  cpu                     = local.frontend_defaults.cpu
+  memory                  = local.frontend_defaults.memory
+  task_role_arn           = aws_iam_role.task.arn
+  execution_role_arn      = aws_iam_role.execution.arn
+  additional_tags         = local.additional_tags
+  environment             = var.govuk_environment
+  workspace               = local.workspace
 }
 
 module "draft_frontend" {
@@ -99,7 +103,12 @@ module "draft_frontend" {
       PLEK_SERVICE_STATIC_URI        = local.defaults.draft_static_uri
     }
   )
-  secrets_from_arns       = local.frontend_defaults.secrets_from_arns
+  secrets_from_arns = merge(
+    local.frontend_defaults.secrets_from_arns,
+    {
+      SECRET_KEY_BASE = aws_secretsmanager_secret.secret_key_base["draft_frontend"].arn
+    },
+  )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn
   splunk_token_secret_arn = local.defaults.splunk_token_secret_arn
   splunk_index            = local.defaults.splunk_index

diff --git a/terraform/deployments/govuk-publishing-platform/app_publisher.tf b/terraform/deployments/govuk-publishing-platform/app_publisher.tf
@@ -57,7 +57,7 @@ locals {
         GDS_SSO_OAUTH_ID            = module.oauth_applications["publisher"].id_arn
         GDS_SSO_OAUTH_SECRET        = module.oauth_applications["publisher"].secret_arn
         PUBLISHING_API_BEARER_TOKEN = module.signon_bearer_tokens.pub_to_pub_api.secret_arn
-        SECRET_KEY_BASE             = data.aws_secretsmanager_secret.publisher_secret_key_base.arn,
+        SECRET_KEY_BASE             = aws_secretsmanager_secret.secret_key_base["publisher"].arn
       }
     )
   }

diff --git a/terraform/deployments/govuk-publishing-platform/app_publishing_api.tf b/terraform/deployments/govuk-publishing-platform/app_publishing_api.tf
@@ -46,7 +46,7 @@ locals {
         GDS_SSO_OAUTH_SECRET             = module.oauth_applications["publishing_api"].secret_arn
         RABBITMQ_PASSWORD                = data.aws_secretsmanager_secret.publishing_api_rabbitmq_password.arn
         ROUTER_API_BEARER_TOKEN          = module.signon_bearer_tokens.pub_api_to_router_api.secret_arn
-        SECRET_KEY_BASE                  = data.aws_secretsmanager_secret.publishing_api_secret_key_base.arn
+        SECRET_KEY_BASE                  = aws_secretsmanager_secret.secret_key_base["publishing_api"].arn
       }
     )
   }

diff --git a/terraform/deployments/govuk-publishing-platform/app_router_api.tf b/terraform/deployments/govuk-publishing-platform/app_router_api.tf
@@ -54,7 +54,7 @@ module "router_api" {
     {
       GDS_SSO_OAUTH_ID     = module.oauth_applications["router_api"].id_arn,
       GDS_SSO_OAUTH_SECRET = module.oauth_applications["router_api"].secret_arn,
-      SECRET_KEY_BASE      = data.aws_secretsmanager_secret.router_api_secret_key_base.arn,
+      SECRET_KEY_BASE      = aws_secretsmanager_secret.secret_key_base["router_api"].arn
     },
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn
@@ -97,7 +97,7 @@ module "draft_router_api" {
     {
       GDS_SSO_OAUTH_ID     = module.oauth_applications["draft_router_api"].id_arn,
       GDS_SSO_OAUTH_SECRET = module.oauth_applications["draft_router_api"].secret_arn,
-      SECRET_KEY_BASE      = data.aws_secretsmanager_secret.draft_router_api_secret_key_base.arn,
+      SECRET_KEY_BASE      = aws_secretsmanager_secret.secret_key_base["draft_router_api"].arn
     },
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn

diff --git a/terraform/deployments/govuk-publishing-platform/app_signon.tf b/terraform/deployments/govuk-publishing-platform/app_signon.tf
@@ -19,7 +19,7 @@ locals {
     secrets_from_arns = merge(
       local.defaults.secrets_from_arns,
       {
-        SECRET_KEY_BASE       = data.aws_secretsmanager_secret.signon_secret_key_base.arn
+        SECRET_KEY_BASE       = aws_secretsmanager_secret.secret_key_base["signon"].arn,
         SENTRY_DSN            = data.aws_secretsmanager_secret.sentry_dsn.arn
         DATABASE_URL          = data.aws_secretsmanager_secret.signon_database_url.arn
         DEVISE_PEPPER         = data.aws_secretsmanager_secret.signon_devise_pepper.arn

diff --git a/terraform/deployments/govuk-publishing-platform/app_static.tf b/terraform/deployments/govuk-publishing-platform/app_static.tf
@@ -42,7 +42,7 @@ module "static" {
   secrets_from_arns = merge(
     local.static_defaults.secrets_from_arns,
     {
-      SECRET_KEY_BASE = data.aws_secretsmanager_secret.static_secret_key_base.arn,
+      SECRET_KEY_BASE = aws_secretsmanager_secret.secret_key_base["static"].arn,
     },
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn
@@ -84,7 +84,7 @@ module "draft_static" {
   secrets_from_arns = merge(
     local.static_defaults.secrets_from_arns,
     {
-      SECRET_KEY_BASE = data.aws_secretsmanager_secret.draft_static_secret_key_base.arn,
+      SECRET_KEY_BASE = aws_secretsmanager_secret.secret_key_base["draft_static"].arn,
     },
   )
   splunk_url_secret_arn   = local.defaults.splunk_url_secret_arn

diff --git a/terraform/deployments/govuk-publishing-platform/secret_key_base.tf b/terraform/deployments/govuk-publishing-platform/secret_key_base.tf
@@ -1,17 +1,17 @@
 resource "aws_secretsmanager_secret" "secret_key_base" {
   for_each = toset([
-    # "authenticating_proxy",
-    # "content_store",
-    # "draft_content_store", # new
-    # "draft_frontend", # new
-    # "draft_static",
-    # "draft_router_api",
+    "authenticating_proxy",
+    "content_store",
+    "draft_content_store",
+    "draft_frontend",
+    "draft_static",
+    "draft_router_api",
     "frontend",
-    # "publisher",
-    # "publishing_api",
-    # "signon",
-    # "static",
-    # "router_api",
+    "publisher",
+    "publishing_api",
+    "signon",
+    "static",
+    "router_api",
   ])
 
   name = "${each.key}-${local.workspace}-SECRET_KEY_BASE"
@@ -27,39 +27,3 @@ resource "aws_secretsmanager_secret" "secret_key_base" {
     },
   )
 }
-
-data "aws_secretsmanager_secret" "authenticating_proxy_secret_key_base" {
-  name = "authenticating-proxy_SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "content_store_secret_key_base" {
-  name = "content-store_SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "publisher_secret_key_base" {
-  name = "publisher_app-SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "publishing_api_secret_key_base" {
-  name = "publishing_api_app-SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "signon_secret_key_base" {
-  name = "signon_app-SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "static_secret_key_base" {
-  name = "static_SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "draft_static_secret_key_base" {
-  name = "draft-static_SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "router_api_secret_key_base" {
-  name = "router-api_SECRET_KEY_BASE" # pragma: allowlist secret
-}
-
-data "aws_secretsmanager_secret" "draft_router_api_secret_key_base" {
-  name = "draft-router-api_SECRET_KEY_BASE" # pragma: allowlist secret
-}