diff --git a/infra/modules/database/main.tf b/infra/modules/database/main.tf index c3b2251f..b5913d75 100644 --- a/infra/modules/database/main.tf +++ b/infra/modules/database/main.tf @@ -23,14 +23,14 @@ resource "aws_rds_cluster" "db" { # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html cluster_identifier = var.name - engine = "aurora-postgresql" - engine_mode = "provisioned" - database_name = var.database_name - port = var.port - master_username = local.master_username - master_password = aws_ssm_parameter.random_db_password.value - storage_encrypted = true - kms_key_id = aws_kms_key.db.arn + engine = "aurora-postgresql" + engine_mode = "provisioned" + database_name = var.database_name + port = var.port + master_username = local.master_username + manage_master_user_password = true + storage_encrypted = true + kms_key_id = aws_kms_key.db.arn # checkov:skip=CKV_AWS_128:Auth decision needs to be ironed out # checkov:skip=CKV_AWS_162:Auth decision needs to be ironed out @@ -61,18 +61,6 @@ resource "aws_rds_cluster_instance" "primary" { monitoring_interval = 30 } -resource "random_password" "random_db_password" { - length = 48 - # Remove '@' sign from allowed characters since only printable ASCII characters besides '/', '@', '"', ' ' may be used. - override_special = "!#$%&*()-_=+[]{}<>:?" -} - -resource "aws_ssm_parameter" "random_db_password" { - name = "/db/${var.name}/master-password" - type = "SecureString" - value = random_password.random_db_password.result -} - resource "aws_kms_key" "db" { description = "Key for RDS cluster ${var.name}" enable_key_rotation = true @@ -83,7 +71,7 @@ resource "aws_kms_key" "db" { resource "aws_rds_cluster_parameter_group" "rds_query_logging" { name = var.name - family = "aurora-postgresql13" + family = "aurora-postgresql14" description = "Default cluster parameter group" parameter { diff --git a/infra/modules/database/role-manager.tf b/infra/modules/database/role-manager.tf index 11f41772..1b29abf3 100644 --- a/infra/modules/database/role-manager.tf +++ b/infra/modules/database/role-manager.tf @@ -29,7 +29,7 @@ resource "aws_lambda_function" "role_manager" { DB_PORT = aws_rds_cluster.db.port DB_USER = local.master_username DB_NAME = aws_rds_cluster.db.database_name - DB_PASSWORD_PARAM_NAME = aws_ssm_parameter.random_db_password.name + DB_PASSWORD_PARAM_NAME = "/aws/reference/secretsmanager/${data.aws_secretsmanager_secret.db_pass.name}" DB_SCHEMA = var.schema_name APP_USER = var.app_username MIGRATOR_USER = var.migrator_username @@ -94,6 +94,10 @@ resource "aws_iam_role" "role_manager" { ] } +data "aws_secretsmanager_secret" "db_pass" { + arn = aws_rds_cluster.db.master_user_secret[0].secret_arn +} + resource "aws_iam_role_policy" "ssm_access" { name = "${var.name}-role-manager-ssm-access" role = aws_iam_role.role_manager.id @@ -103,8 +107,8 @@ resource "aws_iam_role_policy" "ssm_access" { Statement = [ { Effect = "Allow" - Action = ["ssm:GetParameter*"] - Resource = "${aws_ssm_parameter.random_db_password.arn}" + Action = ["secretsmanager:GetSecretValue"] + Resource = [data.aws_secretsmanager_secret.db_pass.arn] }, { Effect = "Allow" diff --git a/infra/modules/database/role_manager/role_manager.py b/infra/modules/database/role_manager/role_manager.py index 4081724f..373c3218 100644 --- a/infra/modules/database/role_manager/role_manager.py +++ b/infra/modules/database/role_manager/role_manager.py @@ -11,6 +11,9 @@ def lambda_handler(event, context): if event == "check": return check() + elif event == "password_ts": + connect_as_master_user() + return "Succeeded" else: return manage() @@ -115,11 +118,11 @@ def get_password() -> str: ssm = boto3.client("ssm") param_name = os.environ["DB_PASSWORD_PARAM_NAME"] logger.info("Fetching password from parameter store") - result = ssm.get_parameter( + result = json.loads(ssm.get_parameter( Name=param_name, WithDecryption=True, - ) - return result["Parameter"]["Value"] + )["Parameter"]["Value"]) + return result["password"] def get_roles(conn: Connection) -> list[str]: