diff --git a/rds-postgres/admin-login/main.tf b/rds-postgres/admin-login/main.tf
index 4ad1b59..6e127fe 100644
--- a/rds-postgres/admin-login/main.tf
+++ b/rds-postgres/admin-login/main.tf
@@ -8,6 +8,7 @@ module "secret" {
   resource_tags = var.tags
   trust_tags = var.trust_tags
+  # initial_value = jsonencode(local.initial_secret_value)
   initial_value = jsonencode({
     dbname = var.database_name
     engine = data.aws_db_instance.this.engine
@@ -40,6 +41,7 @@ module "rotation" {
   variables = {
     ALTERNATE_USERNAME = coalesce(var.alternate_username, "${var.username}_alt")
     PRIMARY_USERNAME = var.username
+    REPLICA_HOST = can(var.replica_host) ? var.replica_host : ""
   }
 }
@@ -79,4 +81,15 @@ data "aws_db_instance" "this" {
 locals {
   full_name = join("-", ["rds-postgres", var.identifier])
+
+  # base_value = {
+  #   dbname = var.database_name
+  #   engine = data.aws_db_instance.this.engine
+  #   host = data.aws_db_instance.this.address
+  #   password = var.initial_password
+  #   port = tostring(data.aws_db_instance.this.port)
+  #   username = var.username
+  # }
+
+  # initial_secret_value = can(var.replica_host) ? merge(local.base_value, { replica_host = var.replica_host }) : local.base_value
 }
diff --git a/rds-postgres/admin-login/rotation/lambda_function.py b/rds-postgres/admin-login/rotation/lambda_function.py
index 76e621f..b1a6bbd 100644
--- a/rds-postgres/admin-login/rotation/lambda_function.py
+++ b/rds-postgres/admin-login/rotation/lambda_function.py
@@ -13,6 +13,7 @@
 ALTERNATE_USERNAME = os.environ['ALTERNATE_USERNAME']
 PRIMARY_USERNAME = os.environ['PRIMARY_USERNAME']
+REPLICA_HOST = os.environ['REPLICA_HOST']
 def lambda_handler(event, context):
@@ -31,7 +32,7 @@ def lambda_handler(event, context):
             'username': ,
             'password': ,
             'dbname': ,
-            'port': 
+            'port': ,
         }
     Args:
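Review bot: `can(var.replica_host)` on the new `REPLICA_HOST` line is always true for a declared variable — `can()` only reports whether the expression errors, and reading a variable never errors — so the `""` fallback is unreachable and a null `replica_host` is passed straight into the Lambda environment map, where a null element is likely to be rejected at plan or apply time. Use `REPLICA_HOST = coalesce(var.replica_host, "")` (or `var.replica_host != null ? var.replica_host : ""`) so an unset replica really becomes the empty string the Lambda code tests for. The same `can()` misuse appears in the commented-out `initial_secret_value` local further down the file.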
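Review bot: The eleven commented-out lines added to `locals` (together with the matching `# initial_value = jsonencode(local.initial_secret_value)` in the `module "secret"` hunk) are dead code that will drift from the live `initial_value` block as soon as either changes. Either delete them or replace them with one line recording the decision, e.g. `# replica_host is deliberately not stored in the secret; the rotation Lambda receives it as REPLICA_HOST and writes DATABASE_REPLICA_URL.` If the `base_value` local is ever reinstated, the live `initial_value` should reference it rather than duplicate its fields.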
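Review bot: `REPLICA_HOST = os.environ['REPLICA_HOST']` raises KeyError at import time, which fails every rotation step for any deployment whose Lambda environment was not updated in lock-step with this code (including the window between code and Terraform rollouts), even though the new `create_secret` code already treats an empty value as "no replica". Read it as `REPLICA_HOST = os.environ.get('REPLICA_HOST', '').strip()` so a missing variable degrades to the existing single-host behaviour and stray whitespace does not pass the `if REPLICA_HOST:` guard and produce a URL with a blank host. The module's other two environment reads are required by design, so the difference is worth a short comment on this line.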
@@ -126,7 +127,11 @@ def create_secret(service_client, arn, token):
     current_dict['password'] = passwd['RandomPassword']
     # Add DATABASE_URL to secret
-    current_dict['DATABASE_URL'] = dict_to_url(current_dict)
+    current_dict['DATABASE_URL'] = dict_to_url(current_dict, False)
+
+    if REPLICA_HOST:
+        # Add DATABASE_REPLICA_URL to secret
+        current_dict['DATABASE_REPLICA_URL'] = dict_to_url(current_dict, True)
     # Put the secret
     service_client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(current_dict), VersionStages=['AWSPENDING'])
@@ -278,7 +283,7 @@ def finish_secret(service_client, arn, token):
     service_client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_version)
     logger.info("finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (token, arn))
-def dict_to_url(secret):
+def dict_to_url(secret, replica):
     """Reformats connection details as a URL string
     Generate a Heroku-style DATABASE_URL with connection details
@@ -289,9 +294,13 @@ def dict_to_url(secret):
     Returns:
         url: DATABASE_URL-style string
     """
+    if replica:
+        host = REPLICA_HOST
+    else:
+        host = secret['host']
     return "postgres://%s:%s@%s:%s/%s" % (secret['username'],
-        secret['password'], secret['host'], secret['port'],
+        secret['password'], host, secret['port'],
         secret['dbname'])
 def get_connection(secret_dict):
diff --git a/rds-postgres/admin-login/variables.tf b/rds-postgres/admin-login/variables.tf
index ea01d32..012e784 100644
--- a/rds-postgres/admin-login/variables.tf
+++ b/rds-postgres/admin-login/variables.tf
@@ -31,6 +31,12 @@ variable "read_principals" {
   default = null
 }
+variable "replica_host" {
   description = "Hostname to use when connecting to the database replica"
   type = string
   default = null
 }
+
 variable "secret_name" {
   description = "Override the name for this secret"
   type = string
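Review bot: When `REPLICA_HOST` is empty the new `if REPLICA_HOST:` branch is skipped but `current_dict` is not cleaned up — if it is seeded from the AWSCURRENT version, as in the standard rotation template, a `DATABASE_REPLICA_URL` written by an earlier rotation (still carrying the previous password) is copied forward into the AWSPENDING version. Add `else: current_dict.pop('DATABASE_REPLICA_URL', None)` so removing the replica also removes the stale credential string from the secret. The bare positional flags in `dict_to_url(current_dict, False)` and `dict_to_url(current_dict, True)` would read better as `replica=False` / `replica=True`. create_secret starts before this hunk.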
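Review bot: The signature change to `def dict_to_url(secret, replica):` is not reflected in the docstring — the summary still describes reformatting the details in `secret`, and the parameter section in the unchanged lines between this hunk and the next does not mention `replica`. Add an entry such as `replica (bool): when true, use REPLICA_HOST from the Lambda environment instead of secret['host']` and note in the summary that the result may be the replica URL. Giving the flag a default, `def dict_to_url(secret, replica=False):`, also keeps the original one-argument call working for any caller not visible in this diff.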
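Review bot: With `replica` true and `REPLICA_HOST` empty the new branch yields `postgres://user:pass@:5432/db`, a host-less URL, because the only guard lives in the caller. Add `if replica and not REPLICA_HOST: raise ValueError("replica URL requested but REPLICA_HOST is not set")` before the `return`, or better, take the host as an explicit argument so the function does not depend on a module global. Separately, both URLs interpolate `secret['username']` and `secret['password']` unescaped; unless the random password is generated with URL delimiters (`@`, `/`, `:`, `?`, `#`) excluded, wrap them in `urllib.parse.quote(..., safe='')` — the new replica URL doubles the exposure of that pre-existing issue. dict_to_url begins in the previous hunk.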
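Review bot: `replica_host` is interpolated verbatim into `DATABASE_REPLICA_URL` by the rotation Lambda, but the variable accepts any string — a value carrying a scheme, port, path or `@` produces a malformed or differently-parsed URL that only surfaces at the next rotation. Add a `validation` block restricting it to a bare hostname, and expand the description to say how the value is used and that `null` means no replica.

```hcl
variable "replica_host" {
  description = "Hostname of the read replica. Passed to the rotation Lambda as REPLICA_HOST and embedded verbatim in DATABASE_REPLICA_URL; null means no replica."
  type        = string
  default     = null

  validation {
    condition     = var.replica_host == null || can(regex("^[A-Za-z0-9.-]+$", var.replica_host))
    error_message = "replica_host must be a bare hostname: no scheme, port, path or credentials."
  }
}
```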