Merge pull request #7 from digorgonzola/db_aws_secret

Db aws secret
aodn · Nov 23, 2023 · b2d2d38 · b2d2d38
2 parents 346fa27 + 53f2fd5
commit b2d2d38
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 9 deletions.
diff --git a/app/app/aws_secrets.py b/app/app/aws_secrets.py
@@ -0,0 +1,28 @@
+import boto3
+from botocore.exceptions import ClientError
+
+
+def get_secret(secret_name, region_name):
+
+    secret_name = secret_name
+    region_name = region_name
+
+    # Create a Secrets Manager client
+    session = boto3.session.Session()
+    client = session.client(
+        service_name='secretsmanager',
+        region_name=region_name
+    )
+
+    try:
+        get_secret_value_response = client.get_secret_value(
+            SecretId=secret_name
+        )
+    except ClientError as e:
+        # For a list of exceptions thrown, see
+        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+        raise e
+
+    secret = get_secret_value_response['SecretString']
+
+    return secret
diff --git a/app/app/settings.py b/app/app/settings.py
@@ -11,6 +11,8 @@
 """
 
 import os
+from .aws_secrets import get_secret
+import json
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -40,7 +42,7 @@
     )
 )
 
-DEFAULT_AUTO_FIELD='django.db.models.AutoField'
+DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 
 # Application definition
 INSTALLED_APPS = [
@@ -90,6 +92,13 @@
 WSGI_APPLICATION = 'app.wsgi.application'
 
 
+# Retrieve the database secret
+db_secret = None
+if bool(int(os.environ.get('GET_DB_SECRET', 1))):
+    db_secret = json.loads(get_secret(os.environ.get('DB_SECRET_NAME'), os.environ.get('DB_SECRET_REGION')))
+
+db_pass = os.environ.get('DB_PASS') if db_secret is None else db_secret['password']
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 
@@ -99,7 +108,7 @@
         'HOST': os.environ.get('DB_HOST'),
         'NAME': os.environ.get('DB_NAME'),
         'USER': os.environ.get('DB_USER'),
-        'PASSWORD': os.environ.get('DB_PASS'),
+        'PASSWORD': db_pass,
     }
 }
 
@@ -132,7 +141,6 @@
 
 USE_I18N = True
 
-
 USE_TZ = True
 
 

diff --git a/docker-compose-aws-secret.yml b/docker-compose-aws-secret.yml
@@ -0,0 +1,40 @@
+version: "3"
+
+services:
+  app:
+    build:
+      context: .
+    image: api
+    ports:
+      - "8000:8000"
+    volumes:
+      - ./app:/app
+      - ${HOME}/.aws:/home/user/.aws
+    command: >
+      sh -c "python manage.py wait_for_db &&
+             python manage.py migrate &&
+             python manage.py runserver 0.0.0.0:8000"
+    environment:
+      - AWS_PROFILE=YOUR_AWS_PROFILE
+      - DB_HOST=db
+      - DB_NAME=api
+      - DB_USER=postgres
+      - DB_SECRET_NAME=/your/rds/secret
+      - DB_SECRET_REGION=aa-something-1
+      - DEBUG=1
+      - S3_STORAGE_BACKEND=0
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: postgres:12-alpine
+    environment:
+      - POSTGRES_DB=api
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=PUT_THE_SECRET_PASSWORD_VALUE_HERE
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
diff --git a/docker-compose-proxy.yml b/docker-compose-proxy.yml
@@ -12,9 +12,10 @@ services:
       - static_data:/vol/web
     environment:
       - DB_HOST=db
-      - DB_NAME=app
+      - DB_NAME=api
       - DB_USER=postgres
       - DB_PASS=supersecretpassword
+      - GET_DB_SECRET=0
       - ALLOWED_HOSTS=*
       - ALLOWED_CIDR_NETS=127.0.0.0/8
       - S3_STORAGE_BACKEND=0
@@ -36,7 +37,7 @@ services:
   db:
     image: postgres:10-alpine
     environment:
-      - POSTGRES_DB=app
+      - POSTGRES_DB=api
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=supersecretpassword
     healthcheck:

diff --git a/docker-compose-s3.yml b/docker-compose-s3.yml
@@ -15,9 +15,10 @@ services:
              python manage.py runserver 0.0.0.0:8000"
     environment:
       - DB_HOST=db
-      - DB_NAME=app
+      - DB_NAME=api
       - DB_USER=postgres
       - DB_PASS=supersecretpassword
+      - GET_DB_SECRET=0
       - DEBUG=1
       - S3_STORAGE_BACKEND=1
       - S3_STORAGE_BUCKET_NAME=static
@@ -47,7 +48,7 @@ services:
   db:
     image: postgres:12-alpine
     environment:
-      - POSTGRES_DB=app
+      - POSTGRES_DB=api
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=supersecretpassword
     healthcheck:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,9 +15,10 @@ services:
              python manage.py runserver 0.0.0.0:8000"
     environment:
       - DB_HOST=db
-      - DB_NAME=app
+      - DB_NAME=api
       - DB_USER=postgres
       - DB_PASS=supersecretpassword
+      - GET_DB_SECRET=0
       - DEBUG=1
       - S3_STORAGE_BACKEND=0
     depends_on:
@@ -27,7 +28,7 @@ services:
   db:
     image: postgres:12-alpine
     environment:
-      - POSTGRES_DB=app
+      - POSTGRES_DB=api
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=supersecretpassword
     healthcheck:

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,6 @@
+aws-secretsmanager-caching>=1.1.1.5,<1.1.2.0
 boto3>=1.29.4,<1.30.0
+botocore>=1.32.6,<1.33.0
 Django>=4.2.7,<4.3.0
 djangorestframework>=3.14.0,<3.15.0
 django-allow-cidr>=0.7.1,<0.8.0

diff --git a/tests/config.yaml b/tests/config.yaml
@@ -1,10 +1,18 @@
 schemaVersion: 2.0.0
 
 commandTests:
+  - name: check aws-secretsmanager-caching is installed
+    command: pip
+    args: [ "show", "-q", "aws-secretsmanager-caching" ]
+    exitCode: 0
   - name: check boto3 is installed
     command: pip
     args: [ "show", "-q", "boto3" ]
     exitCode: 0
+  - name: check botocore is installed
+    command: pip
+    args: [ "show", "-q", "botocore" ]
+    exitCode: 0
   - name: check django is installed
     command: pip
     args: ["show", "-q", "Django"]