Move postgreSQL password into secret store

ooni · Jan 15, 2025 · faeb9ac · faeb9ac
1 parent 6b6b5ef
commit faeb9ac
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 34 deletions.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -208,11 +208,15 @@ resource "aws_secretsmanager_secret" "oonipg_url" {
   tags = local.tags
 }
 
+data "aws_secretsmanager_secret_version" "pg_password" {
+  secret_id = module.oonipg.secrets_manager_pg_password_id
+}
+
 resource "aws_secretsmanager_secret_version" "oonipg_url" {
   secret_id = aws_secretsmanager_secret.oonipg_url.id
   secret_string = format("postgresql://%s:%s@%s/%s",
     module.oonipg.pg_username,
-    module.oonipg.pg_password,
+    data.aws_secretsmanager_secret_version.pg_password.secret_string,
     module.oonipg.pg_endpoint,
     module.oonipg.pg_db_name
   )

diff --git a/tf/modules/postgresql/main.tf b/tf/modules/postgresql/main.tf
@@ -38,34 +38,19 @@ resource "aws_db_subnet_group" "pg" {
   )
 }
 
-resource "random_password" "pg_password" {
-  length  = 32
-  special = false
-}
-
-resource "aws_secretsmanager_secret" "pg_password" {
-  name = "oonidevops/${var.name}/pg_password"
-  tags = var.tags
-}
-
-resource "aws_secretsmanager_secret_version" "pg_password" {
-  secret_id     = aws_secretsmanager_secret.pg_password.id
-  secret_string = random_password.pg_password.result
-}
-
 ### PostgreSQL database
 resource "aws_db_instance" "pg" {
-  allocated_storage       = var.db_allocated_storage
-  max_allocated_storage   = var.db_max_allocated_storage
-  storage_type            = var.db_storage_type
-  engine                  = "postgres"
-  engine_version          = var.db_engine_version
-  instance_class          = var.db_instance_class
-  identifier              = var.name
-  multi_az                = var.db_multi_az
-  db_name                 = var.pg_db_name
-  username                = var.pg_username
-  password                = aws_secretsmanager_secret_version.pg_password.secret_string
+  allocated_storage           = var.db_allocated_storage
+  max_allocated_storage       = var.db_max_allocated_storage
+  storage_type                = var.db_storage_type
+  engine                      = "postgres"
+  engine_version              = var.db_engine_version
+  instance_class              = var.db_instance_class
+  identifier                  = var.name
+  multi_az                    = var.db_multi_az
+  db_name                     = var.pg_db_name
+  username                    = var.pg_username
+  manage_master_user_password = true
   parameter_group_name    = var.db_parameter_group
   db_subnet_group_name    = aws_db_subnet_group.pg.name
   vpc_security_group_ids  = [aws_security_group.pg.id]

diff --git a/tf/modules/postgresql/outputs.tf b/tf/modules/postgresql/outputs.tf
@@ -18,13 +18,9 @@ output "pg_username" {
   value       = aws_db_instance.pg.db_name
 }
 
-output "pg_password" {
-  sensitive   = true
-  description = "The postgres password to login as pg_username into pg_db_name"
-  value       = aws_secretsmanager_secret_version.pg_password.secret_string
-}
-
 output "secrets_manager_pg_password_id" {
   description = "The postgres password to login as pg_username into pg_db_name as a secrets_manager_id"
-  value       = aws_secretsmanager_secret.pg_password.id
+  # Due to: https://github.com/hashicorp/terraform-provider-aws/issues/34094
+  # If changing this on an old instance you have to run it manually
+  value       = aws_db_instance.pg.master_user_secret[0].secret_arn
 }