[#103] Improve SSM module
hoangmirs committed Sep 21, 2022
1 parent cdc6e4d commit b6b9ed6
Showing 7 changed files with 48 additions and 44 deletions.
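--- a/skeleton/aws/modules/ecs/main.tf
+++ b/skeleton/aws/modules/ecs/main.tf
@@ -25,6 +25,7 @@ locals {
 aws_cloudwatch_log_group_name = var.aws_cloudwatch_log_group_name
 
 environment_variables = setunion(local.environment_variables, var.environment_variables)
+secrets_variables = var.secrets_variables
 }
 
 container_definitions = templatefile("${path.module}/service.json.tftpl", merge(local.container_vars, var.aws_parameter_store))
@@ -37,7 +38,7 @@ locals {
 Action = [
 "ssm:GetParameters"
 ],
-Resource = "*"
+Resource = var.parameter_store_arns
 }
 ]
 }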
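Review bot: The unchanged line `container_definitions = templatefile("${path.module}/service.json.tftpl", merge(local.container_vars, var.aws_parameter_store))` in the first hunk still reads `var.aws_parameter_store`, but this same commit deletes that variable from ecs/variables.tf, so `terraform validate` will fail on a reference to an undeclared input variable. The template no longer needs the merged ARN map since the ECS secrets now arrive through `secrets_variables` in `local.container_vars`, so `container_definitions = templatefile("${path.module}/service.json.tftpl", local.container_vars)` is sufficient. The `locals` block these lines belong to starts and ends outside the hunk.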
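--- a/skeleton/aws/modules/ecs/service.json.tftpl
+++ b/skeleton/aws/modules/ecs/service.json.tftpl
@@ -21,8 +21,7 @@
 }
 },
 "environment": ${jsonencode(environment_variables)},
-"secrets": [
-],
+"secrets": ${jsonencode(secrets_variables)},
 "ulimits": [
 {
 "name": "nofile",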
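--- a/skeleton/aws/modules/ecs/variables.tf
+++ b/skeleton/aws/modules/ecs/variables.tf
@@ -77,15 +77,20 @@ variable "aws_cloudwatch_log_group_name" {
 type = string
 }
 
-variable "aws_parameter_store" {
-description = "AWS parameter store"
-type = map(any)
-}
-
 variable "environment_variables" {
 description = "List of [{name = \"\", value = \"\"}] pairs of environment variables"
 type = set(object({
 name = string
 value = string
 }))
 }
+
+variable "secrets_variables" {
+description = "List of [{name = \"\", valueFrom = \"\"}] pairs of secret variables"
+type = list(any)
+}
+
+variable "parameter_store_arns" {
+description = "The ARNs of the SSM Parameter Store parameters"
+type = list(string)
+}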
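Review bot: `secrets_variables` is declared as `list(any)`, while the sibling `environment_variables` pins its element shape with `set(object({...}))`; with `any`, an element missing `valueFrom` only surfaces when ECS rejects the task definition. Tightening it to `type = list(object({ name = string, valueFrom = string }))` catches that at plan time and matches the shape the `secrets_variables` local in ssm/main.tf produces. The `variable "aws_cloudwatch_log_group_name"` block at the top of the hunk starts outside it.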
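--- a/skeleton/aws/modules/ssm/main.tf
+++ b/skeleton/aws/modules/ssm/main.tf
@@ -1,11 +1,23 @@
-resource "aws_ssm_parameter" "secret_key_base" {
-name = "/${var.namespace}/SECRET_KEY_BASE"
+resource "aws_ssm_parameter" "secret_parameters" {
+for_each = var.secrets
+
+name = "/${var.namespace}/${each.key}"
 type = "String"
-value = var.secret_key_base
+value = each.value
 }
 
-resource "aws_ssm_parameter" "database_url" {
-name = "/${var.namespace}/DATABASE_URL"
-type = "String"
-value = "postgresql://${var.rds_username}:${var.rds_password}@${var.rds_endpoint}/${var.rds_database_name}"
+locals {
+# Create a list of parameter store ARNs for granting access to ECS task execution role
+parameter_store_arns = [for parameter in aws_ssm_parameter.secret_parameters : parameter.arn]
+
+# Get secret names array
+secret_names = keys(var.secrets)
+
+# Create a map {secret_name: secret_arn} using zipmap function for iteration
+secret_arns = zipmap(local.secret_names, local.parameter_store_arns)
+
+# Create the formatted secrets for ECS task definition
+secrets_variables = [for secret_key, secret_arn in local.secrets_name_arn_map :
+tomap({ "name" = upper(secret_key), "valueFrom" = secret_arn })
+]
 }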
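Review bot: The `secrets_variables` comprehension iterates `local.secrets_name_arn_map`, which is never declared — the map built by `zipmap` two lines above is named `secret_arns` — so `terraform plan` will fail on an unknown local. Separately, every parameter is created with `type = "String"`, and the caller feeds in a database URL with the RDS password embedded, so that password is stored in Parameter Store unencrypted; `type = "SecureString"` keeps the resource's interface unchanged (if a customer-managed KMS key is used instead of the default `aws/ssm` key, the task execution role additionally needs `kms:Decrypt` on it). The `zipmap(keys(var.secrets), [...])` pairing also relies on both sides iterating in the same key order; building the map directly from the `for_each` instances removes that assumption, as in the rewritten locals below.
```hcl
# … unchanged: aws_ssm_parameter.secret_parameters resource (with type = "SecureString") …

locals {
  # ARNs the ECS task execution role is granted ssm:GetParameters on
  parameter_store_arns = [for parameter in aws_ssm_parameter.secret_parameters : parameter.arn]

  # {secret_name: secret_arn}, keyed directly off the for_each instances
  secret_arns = { for secret_key, parameter in aws_ssm_parameter.secret_parameters : secret_key => parameter.arn }

  # Entries for the "secrets" list of the ECS container definition
  secrets_variables = [for secret_key, secret_arn in local.secret_arns :
    tomap({ "name" = upper(secret_key), "valueFrom" = secret_arn })
  ]
}
```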
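--- a/skeleton/aws/modules/ssm/outputs.tf
+++ b/skeleton/aws/modules/ssm/outputs.tf
@@ -1,8 +1,9 @@
-output "parameter_store" {
-description = "ARNs of the parameters"
+output "secrets_variables" {
+description = "The formatted secrets for ECS task definition"
+value = local.secrets_variables
+}
 
-value = {
-secret_base_ssm_arn = aws_ssm_parameter.secret_key_base.arn
-database_url_ssm_arn = aws_ssm_parameter.database_url.arn
-}
+output "parameter_store_arns" {
+description = "List of parameter store ARNs for granting access to ECS task execution role"
+value = local.parameter_store_arns
 }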
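--- a/skeleton/aws/modules/ssm/variables.tf
+++ b/skeleton/aws/modules/ssm/variables.tf
@@ -3,27 +3,8 @@ variable "namespace" {
 type = string
 }
 
-variable "secret_key_base" {
-description = "The Secret key base for the application"
-type = string
-}
-
-variable "rds_username" {
-description = "The DB username for building DB URL"
-type = string
-}
-
-variable "rds_password" {
-description = "The DB password for building DB URL"
-type = string
-}
-
-variable "rds_endpoint" {
-description = "The DB endpoint for building DB URL"
-type = string
-}
-
-variable "rds_database_name" {
-description = "The DB name for building DB URL"
-type = string
+variable "secrets" {
+description = "Map of secrets to keep in AWS SSM Parameter Store"
+type = map(string)
+default = {}
 }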
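Review bot: `variable "secrets"` carries the RDS password (the caller passes the full database URL as one of its values) but is not marked `sensitive = true`, so the values are printed in `terraform plan` output and in any CI log that captures it. Adding `sensitive = true` is a one-line change with one caveat: Terraform refuses sensitive values as `for_each` arguments, and a value derived from a sensitive one stays sensitive, so ssm/main.tf would need to iterate the key set unwrapped, roughly `for_each = nonsensitive(toset(keys(var.secrets)))` with `value = var.secrets[each.key]` — which presumes a Terraform release that supports `sensitive`/`nonsensitive`, something this diff does not show. The parameter values will still be recorded in the state file either way, so the state backend needs to be protected accordingly.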
5 changes: 5 additions & 0 deletions src/templates/aws/addons/ssm.ts
Expand Up @@ -20,6 +20,11 @@ const ssmModuleContent = dedent`
rds_password = var.rds_password
rds_database_name = var.rds_database_name
rds_endpoint = module.rds.db_endpoint
secrets = {
database_url = "postgres://\${var.rds_username}:\${var.rds_password}@\${module.rds.db_endpoint}/\${var.rds_database_name}"
secret_key_base = var.secret_key_base
}
}
\n`;

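Review bot: The generated `module "ssm"` block still passes `rds_password`, `rds_database_name` and `rds_endpoint` (the three unchanged lines above the new `secrets` map, and presumably `rds_username` just above the hunk), but this same commit deletes those variables from skeleton/aws/modules/ssm/variables.tf, so the generated root module fails with `An argument named "rds_password" is not expected here`. Those argument lines should be dropped so only `namespace` and `secrets` are passed. The scheme of the generated URL also changed from `postgresql://` to `postgres://` when the string moved here; libpq accepts both, but it is an unflagged behaviour change worth a word in the commit message. The `ssmModuleContent` template literal begins outside the hunk.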

0 comments on commit b6b9ed6

Please sign in to comment.