fix: Randomize SSM parameter name for Grafana token (#272)

* Randomize SSM parameter name for GF token * Run pre-commit * Add versions
aws-observability · May 10, 2024 · 7100649 · 7100649
1 parent cc82136
commit 7100649
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 3 deletions.
diff --git a/examples/existing-cluster-with-base-and-infra/cleanup.sh b/examples/existing-cluster-with-base-and-infra/cleanup.sh
@@ -28,4 +28,4 @@ if [[ $? -eq 0 && $destroy_output == *"Destroy complete!"* ]]; then
 else
   echo "FAILED: Terraform destroy of all targets failed"
   exit 1
-fi
+fi
diff --git a/examples/existing-cluster-with-base-and-infra/install.sh b/examples/existing-cluster-with-base-and-infra/install.sh
@@ -29,4 +29,4 @@ if [[ ${PIPESTATUS[0]} -eq 0 && $apply_output == *"Apply complete"* ]]; then
 else
   echo "FAILED: Terraform apply of all modules failed"
   exit 1
-fi
+fi
diff --git a/modules/eks-monitoring/add-ons/external-secrets/README.md b/modules/eks-monitoring/add-ons/external-secrets/README.md
@@ -11,13 +11,15 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 2.0.3 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72 |
 | <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 2.0.3 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.6.1 |
 
 ## Modules
 
@@ -35,6 +37,7 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p
 | [aws_ssm_parameter.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [kubectl_manifest.cluster_secretstore](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.secret](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
+| [random_uuid.grafana_key_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs

diff --git a/modules/eks-monitoring/add-ons/external-secrets/main.tf b/modules/eks-monitoring/add-ons/external-secrets/main.tf
@@ -76,8 +76,11 @@ YAML
   depends_on = [module.external_secrets]
 }
 
+resource "random_uuid" "grafana_key_suffix" {
+}
+
 resource "aws_ssm_parameter" "secret" {
-  name        = "/terraform-accelerator/grafana-api-key"
+  name        = "/terraform-accelerator/grafana-api-key/${random_uuid.grafana_key_suffix.result}"
   description = "SSM Secret to store grafana API Key"
   type        = "SecureString"
   value = jsonencode({

diff --git a/modules/eks-monitoring/add-ons/external-secrets/versions.tf b/modules/eks-monitoring/add-ons/external-secrets/versions.tf
@@ -14,5 +14,9 @@ terraform {
       source  = "alekc/kubectl"
       version = ">= 2.0.3"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.1"
+    }
   }
 }
-Original file line number
+Diff line change
@@ Expand Up @@
     else
       echo "FAILED: Terraform destroy of all targets failed"
       exit 1
-    fi
+    fi