Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optional user and password #119

Closed
wants to merge 12 commits into from
Closed

Optional user and password #119

wants to merge 12 commits into from

Conversation

nitrocode
Copy link
Member

@nitrocode nitrocode commented Jul 7, 2021
edited
Loading

what

why

  • This will allow the user and password to be autogenerated and optionally saved as an SSM parameter

references

notes

  • SSM
    1. Should this even use SSM ? I thought it should if we made the module generate a random password.
    2. SSM param creation is disabled by default
    3. Should ssm_enabled be renamed to ssm_parameters_enabled to be more explicit ?
    4. Should there also be a ssm_key_prefix instead of having to modify the ssm_key_format ?
    5. Should I also save the module.rds_instance.hostname and var.database_port to ssm ?
    6. Should all the SSM logic be put into its own systems-manager.tf file ?
    7. Should the SSM logic require its own aws provider passed in so it can use its own region ? or should it use its own provider in the module itself via var.ssm_region and if one isn't passed in, it could use the current region ?
  • If the database_name = "" or null, should the name of the database be the module.this.id ?
    • This could be done in a follow up PR
    • The issue is with SQL server which requires the database_name = null so that means the ssm key itself would have the term null in there. Perhaps for ssm, if the database_name == null then we can use the unique module.this.id or module.this.name ?
    • Decided to use module.this.name
  • Bridgecrew fixes
    • This could be done in a follow up PR

output

enable ssm with defaults

With ssm_parameters_enabled = true

$ terraform plan
Terraform will perform the following actions:

  # module.rds_instance.aws_ssm_parameter.rds_database["hostname"] will be created
  + resource "aws_ssm_parameter" "rds_database" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "RDS DB hostname"
      + id          = (known after apply)
      + key_id      = (known after apply)
      + name        = "/rds/mydb/admin/db_hostname"
      + overwrite   = true
      + tags_all    = (known after apply)
      + tier        = "Standard"
      + type        = "String"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

  # module.rds_instance.aws_ssm_parameter.rds_database["password"] will be created
  + resource "aws_ssm_parameter" "rds_database" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "RDS DB password"
      + id          = (known after apply)
      + key_id      = "alias/aws/ssm"
      + name        = "/rds/mydb/admin/db_password"
      + overwrite   = true
      + tags_all    = (known after apply)
      + tier        = "Standard"
      + type        = "SecureString"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

  # module.rds_instance.aws_ssm_parameter.rds_database["port"] will be created
  + resource "aws_ssm_parameter" "rds_database" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "RDS DB port"
      + id          = (known after apply)
      + key_id      = (known after apply)
      + name        = "/rds/mydb/admin/db_port"
      + overwrite   = true
      + tags_all    = (known after apply)
      + tier        = "Standard"
      + type        = "String"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

  # module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created
  + resource "aws_ssm_parameter" "rds_database" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "RDS DB user"
      + id          = (known after apply)
      + key_id      = (known after apply)
      + name        = "/rds/mydb/admin/db_user"
      + overwrite   = true
      + tags_all    = (known after apply)
      + tier        = "Standard"
      + type        = "String"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.
enable ssm with merge defaults

With ssm_parameters_enabled = true and

  save_parameter_ssm_map_merge = {
    user = {
      suffix      = "admin/db_user_hello"
      description = "RDS DB user hihi"
    }
  }
$ terraform plan

  # hide previous 3 as seen above and only show the 1 difference

  # module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created
  + resource "aws_ssm_parameter" "rds_database" {
      + arn         = (known after apply)
      + data_type   = (known after apply)
      + description = "RDS DB user hihi"
      + id          = (known after apply)
      + key_id      = (known after apply)
      + name        = "/rds/mydb/admin/db_user_hello"
      + overwrite   = true
      + tags_all    = (known after apply)
      + tier        = "Standard"
      + type        = "String"
      + value       = (sensitive value)
      + version     = (known after apply)
    }

bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
@nitrocode nitrocode marked this pull request as ready for review July 7, 2021 23:20
@nitrocode nitrocode requested review from a team as code owners July 7, 2021 23:20
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Jul 7, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
@nitrocode
Copy link
Member Author

/test terratest

bridgecrew[bot]
bridgecrew bot reviewed Jul 8, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
@nitrocode nitrocode requested a review from korenyoni July 8, 2021 03:05
jamengual
jamengual previously approved these changes Jul 8, 2021
View reviewed changes
systems-manager.tf Outdated Show resolved Hide resolved
nitrocode
nitrocode commented Jul 8, 2021
View reviewed changes
systems-manager.tf Outdated Show resolved Hide resolved
@nitrocode nitrocode requested a review from jamengual July 8, 2021 21:46
@nitrocode nitrocode dismissed jamengual’s stale review July 8, 2021 21:47

See comment above regarding database_name = null

bridgecrew[bot]
bridgecrew bot reviewed Jul 9, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found 2 infrastructure configuration errors in this PR ⬇️

main.tf Show resolved Hide resolved
main.tf Show resolved Hide resolved
@nitrocode nitrocode requested a review from Gowiem July 9, 2021 00:05
@nitrocode
Copy link
Member Author

/test all

Gowiem
Gowiem reviewed Jul 19, 2021
View reviewed changes
main.tf
# Leave special characters out to avoid quoting and other issues.
# Special characters have no additional security compared to increasing length.
special = false
override_special = "!#$%^&*()<>-_"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIU, you don't need override_specialif you includespecial = false`. No harm no foul, but just mentioning.

Gowiem
Gowiem reviewed Jul 19, 2021
View reviewed changes
systems-manager.tf
@@ -0,0 +1,96 @@
# AWS KMS alias used for encryption/decryption of SSM secure strings
variable "kms_alias_name_ssm" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why put the variable and output block into this file? I get that they're isolated to systems manager related functionality, but I'd still prefer to see them all live in their typical places (i.e. variables.tf and outputs.tf).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think because this was a precursor to putting it in its own module eventually. That way it would be easier to migrate. We can put it into variables.tf, it would just make migration slightly more difficult.

We frequently do this in our components. Have a specific <service>-variables.tf or variables-<service>.tf file so it's easier for copy pasta. I figured the same methodology could be applied in the modules too.

Gowiem
Gowiem reviewed Jul 19, 2021
View reviewed changes
systems-manager.tf Outdated
variable "ssm_parameters_enabled" {
type = bool
default = false
description = "If `true` create SSM keys for the database user and password."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is controlling more than just the PStore params for user + pass since you're also including hostname + port. I'd update or better yet make this a more generic "for the database info".

Gowiem
Gowiem reviewed Jul 19, 2021
View reviewed changes
Copy link
Member

@Gowiem Gowiem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nitrocode looks good overall. One thing that bugs me is co-locating vars + outputs in the systems-manager.tf file. I don't like that because even with autogenerated READMEs, in small child modules like this it means I need to dig around when I can't find a variable block.

Also, I wonder if outputting important values like you're doing here to SSM PStore is something only components should do and the child modules should be simpler? Thoughts?

@nitrocode
Copy link
Member Author

nitrocode commented Jul 20, 2021
edited
Loading

I think we need a separated module for SSM / Secrets Manager like @jamengual mentioned. Then we can easily turn it on and off and have the variables located in the upstream module instead of here.

We can do some of it by using https://github.com/cloudposse/terraform-aws-ssm-parameter-store but not the password creation.

I was thinking about doing that later but maybe it should be a prerequisite for this PR.

@nitrocode nitrocode requested a review from Gowiem July 20, 2021 16:50
@cloudposse cloudposse deleted a comment from mergify bot Aug 11, 2021
@mergify
Copy link

mergify bot commented Aug 24, 2021

This pull request is now in conflict. Could you fix it @nitrocode? 🙏

@arischow
Copy link

@nitrocode It would be great if you could make database_name optional as well by specifying an empty string default value in variables.tf.

Possible scenario would be I would like to do some modifications after I created the db instance from a snapshot and if database_name is required and then it would force a replacement.

Thanks!

@nitrocode
Copy link
Member Author

@arischow thanks for the suggestion. This PR is only for generating password credentials. Could you write that into a separate issue so we can track it?

@mergify
Copy link

mergify bot commented Dec 3, 2021

This pull request is now in conflict. Could you fix it @nitrocode? 🙏

@hans-d hans-d closed this Mar 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridgecrew bridgecrew[bot] bridgecrew[bot] left review comments

@joe-niland joe-niland Awaiting requested review from joe-niland

@korenyoni korenyoni Awaiting requested review from korenyoni

@jamengual jamengual Awaiting requested review from jamengual

@Gowiem Gowiem Awaiting requested review from Gowiem

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generate database password
7 participants
@nitrocode @arischow @Gowiem @jamengual @korenyoni @hans-d @cloudpossebot