# Values shared by the rotation Lambda, its security group and the SAR stack.
locals {
  # AWS-published Secrets Manager rotation application for RDS PostgreSQL,
  # chosen by strategy. Only the literal "single" selects the single-user
  # app; any other value falls through to the multi-user app.
  # The publisher account (297356227824) is pinned on purpose: resolving the
  # application by a full ARN keeps a look-alike app from being picked up.
  # NOTE(review): this ARN hard-codes the "aws" partition and us-east-1,
  # while the Secrets Manager endpoint elsewhere in this file is derived from
  # data.aws_partition — confirm the correct application ARN before deploying
  # into another partition.
  application_id = format(
    "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotation%s",
    var.rotation_strategy == "single" ? "SingleUser" : "MultiUser",
  )

  # Common name for the Lambda function and its security group.
  name = format("%s-rotate-secret", var.name)
}
# Region and partition of the deploying credentials. Both feed the
# Secrets Manager endpoint passed to the rotation Lambda so it stays inside
# the partition it is deployed in.
data "aws_region" "current" {}
data "aws_partition" "current" {}
# One rotation configuration per entry in var.secrets, all pointed at the
# rotation Lambda exported by the SAR stack defined later in this file.
resource "aws_secretsmanager_secret_rotation" "this" {
  for_each = var.secrets

  # Each entry is expected to carry the secret identifier in `id` and the
  # rotation interval in `days`; nothing here validates that shape.
  secret_id           = each.value["id"]
  rotation_lambda_arn = aws_serverlessapplicationrepository_cloudformation_stack.postgres-rotator.outputs.RotationLambdaARN

  rotation_rules {
    # NOTE(review): Secrets Manager generally performs a first rotation as
    # soon as rotation is enabled, not after this many days — make sure every
    # consumer of the secret already fetches it at runtime before applying.
    automatically_after_days = each.value["days"]
  }
}
# Security group attached to the rotation Lambda. It is egress-only: no
# ingress rule is declared, so nothing can initiate a connection to the
# function.
module "lambda_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  vpc_id      = var.rotation_lambda_vpc_id
  name        = local.name
  description = "Contains egress rules for secret rotation lambda"
  tags        = merge(var.tags, { "Name" = local.name })

  # PostgreSQL egress only towards the database's own security group.
  egress_with_source_security_group_id = [{
    rule                     = "postgresql-tcp"
    source_security_group_id = var.db_security_group_id
  }]

  # HTTPS egress so the Lambda can reach the Secrets Manager endpoint. The
  # module applies this rule against its egress CIDR default (0.0.0.0/0
  # unless egress_cidr_blocks is set), so in practice this is "any HTTPS
  # host". Least privilege would be a Secrets Manager VPC interface endpoint
  # plus an egress rule scoped to that endpoint's security group.
  egress_rules = ["https-443-tcp"]
}
# Opens the database's existing security group to the rotation Lambda only.
# No security group is created here; a single rule is attached to
# var.db_security_group_id.
module "db_ingress" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  create_sg         = false
  security_group_id = var.db_security_group_id

  # The source is the Lambda's security group rather than a CIDR, so only the
  # rotation function (and anything later attached to that group) can reach
  # PostgreSQL through this rule.
  # NOTE(review): if the database group is managed elsewhere with inline
  # `ingress` blocks, that configuration and this standalone rule will keep
  # reverting each other on every apply — confirm the group's other rules are
  # also managed as standalone rule resources.
  ingress_with_source_security_group_id = [{
    rule                     = "postgresql-tcp"
    description              = "Secret rotation lambda"
    source_security_group_id = module.lambda_security_group.security_group_id
  }]
}
# Deploys AWS's rotation Lambda from the Serverless Application Repository.
# The function code, its IAM execution role and its invoke permission all
# come from the publisher's CloudFormation template, so review that template
# at the pinned version before trusting it with the superuser secret.
resource "aws_serverlessapplicationrepository_cloudformation_stack" "postgres-rotator" {
  name           = format("%s-postgres-rotator", var.name)
  application_id = local.application_id

  # Keep var.rotation_application_version pinned to an exact version: a bump
  # changes both the code the Lambda runs and the IAM role it is granted.
  semantic_version = var.rotation_application_version

  # CAPABILITY_IAM: the template is allowed to create the Lambda's execution
  # role. CAPABILITY_RESOURCE_POLICY: it may also attach a resource policy
  # (presumably the Lambda permission that lets Secrets Manager invoke it).
  capabilities = ["CAPABILITY_IAM", "CAPABILITY_RESOURCE_POLICY"]

  parameters = {
    functionName = local.name

    # Partition-aware endpoint, so the Lambda never calls outside the
    # partition it is deployed in.
    endpoint = format(
      "https://secretsmanager.%s.%s",
      data.aws_region.current.name,
      data.aws_partition.current.dns_suffix,
    )

    # Place the function in the VPC behind the egress-only security group.
    vpcSubnetIds        = join(",", var.rotation_lambda_subnet_ids)
    vpcSecurityGroupIds = module.lambda_security_group.security_group_id

    # NOTE(review): the superuser secret is only needed by the multi-user
    # strategy; confirm the single-user template at the pinned version
    # accepts this parameter, since CloudFormation rejects unknown ones.
    superuserSecretArn = var.master_secret_arn

    # NOTE(review): no kmsKeyArn is passed — if the secrets are encrypted with
    # a customer-managed key, confirm the generated role is able to decrypt it.
  }
}