Update production deployment to use new postgres config

ooni · Jan 15, 2025 · 8ff2345 · 8ff2345
1 parent 8536e8e
commit 8ff2345
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 21 deletions.
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
@@ -164,6 +164,10 @@ module "oonipg" {
   db_storage_type          = "gp3"
   db_allocated_storage     = "50"
   db_max_allocated_storage = null
+
+  allow_cidr_blocks     = module.network.vpc_subnet_private[*].cidr_block
+  allow_security_groups = []
+
   tags = merge(
     local.tags,
     { Name = "ooni-tier0-postgres" }
@@ -220,11 +224,15 @@ resource "aws_secretsmanager_secret" "oonipg_url" {
   tags = local.tags
 }
 
+data "aws_secretsmanager_secret_version" "pg_login" {
+  secret_id = module.oonipg.secrets_manager_pg_login_id
+}
+
 resource "aws_secretsmanager_secret_version" "oonipg_url" {
   secret_id = aws_secretsmanager_secret.oonipg_url.id
   secret_string = format("postgresql://%s:%s@%s/%s",
-    module.oonipg.pg_username,
-    module.oonipg.pg_password,
+    jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)["username"],
+    jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)["password"],
     module.oonipg.pg_endpoint,
     module.oonipg.pg_db_name
   )
@@ -330,9 +338,7 @@ module "ooniapi_reverseproxy" {
   # First run should be set on first run to bootstrap the task definition
   # first_run = true
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "reverseproxy"
   default_docker_image_url = "ooni/api-reverseproxy:latest"
@@ -346,7 +352,7 @@ module "ooniapi_reverseproxy" {
   }
 
   task_environment = {
-    TARGET_URL               = "https://backend-fsn.ooni.org/"
+    TARGET_URL = "https://backend-fsn.ooni.org/"
   }
 
   ooniapi_service_security_groups = [
@@ -407,9 +413,7 @@ module "ooniapi_ooniprobe" {
   # First run should be set on first run to bootstrap the task definition
   #first_run = true
 
-  vpc_id             = module.network.vpc_id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "ooniprobe"
   default_docker_image_url = "ooni/api-ooniprobe:latest"
@@ -458,9 +462,7 @@ module "ooniapi_oonirun" {
   source = "../../modules/ooniapi_service"
   #first_run = true
 
-  vpc_id             = module.network.vpc_id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "oonirun"
   default_docker_image_url = "ooni/api-oonirun:latest"
@@ -508,9 +510,7 @@ module "ooniapi_oonifindings" {
   source = "../../modules/ooniapi_service"
 
   # first_run          = true
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "oonifindings"
   default_docker_image_url = "ooni/api-oonifindings:latest"
@@ -557,9 +557,7 @@ module "ooniapi_ooniauth" {
   source = "../../modules/ooniapi_service"
   # first_run = true
 
-  vpc_id             = module.network.vpc_id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "ooniauth"
   default_docker_image_url = "ooni/api-ooniauth:latest"
@@ -662,7 +660,7 @@ locals {
 }
 
 resource "aws_route53_record" "ooniapi_frontend_main" {
-  name    = local.ooniapi_frontend_main_domain_name
+  name = local.ooniapi_frontend_main_domain_name
 
   zone_id = local.ooniapi_frontend_main_domain_name_zone_id
   type    = "A"

diff --git a/tf/environments/prod/outputs.tf b/tf/environments/prod/outputs.tf
@@ -10,8 +10,8 @@ output "oonidevops_deploy_key_arn" {
   value = module.adm_iam_roles.oonidevops_deploy_key_arn
 }
 
-output "oonipg_pg_password_arn" {
-  value = module.oonipg.secrets_manager_pg_password_id
+output "oonipg_pg_login_arn" {
+  value = module.oonipg.secrets_manager_pg_login_id
 }
 
 # output "oonidataapi_alb_hostname" {