Merge pull request #546 from trade-tariff/bau-supply-postgres-url

BAU: Add Postgres URL

terraform/README.md

@@ -35,6 +35,7 @@ Terraform to deploy the service into AWS.
 | [aws_secretsmanager_secret.admin_oauth_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.admin_oauth_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.admin_secret_key_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_ssm_parameter.ecr_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |

terraform/data.tf

@@ -37,6 +37,10 @@ data "aws_secretsmanager_secret" "admin_bearer_token" {
   name = "admin-bearer-token"
 }
 
+data "aws_secretsmanager_secret" "postgres" {
+  name = "postgresadmin-connection-string"
+}
+
 data "aws_secretsmanager_secret" "redis" {
   name = "redis-admin-connection-string"
 }

terraform/iam.tf

@@ -8,24 +8,25 @@ data "aws_iam_policy_document" "secrets" {
       "secretsmanager:ListSecretVersionIds"
     ]
     resources = [
-      data.aws_secretsmanager_secret.admin_secret_key_base.arn,
       data.aws_secretsmanager_secret.admin_bearer_token.arn,
       data.aws_secretsmanager_secret.admin_oauth_id.arn,
       data.aws_secretsmanager_secret.admin_oauth_secret.arn,
+      data.aws_secretsmanager_secret.admin_secret_key_base.arn,
+      data.aws_secretsmanager_secret.postgres.arn,
       data.aws_secretsmanager_secret.redis.arn,
     ]
   }
 
   statement {
     effect = "Allow"
     actions = [
-      "kms:Encrypt",
       "kms:Decrypt",
-      "kms:ReEncryptFrom",
-      "kms:ReEncryptTo",
+      "kms:Encrypt",
       "kms:GenerateDataKeyPair",
       "kms:GenerateDataKeyPairWithoutPlainText",
-      "kms:GenerateDataKeyWithoutPlaintext"
+      "kms:GenerateDataKeyWithoutPlaintext",
+      "kms:ReEncryptFrom",
+      "kms:ReEncryptTo",
     ]
     resources = [
       data.aws_kms_key.secretsmanager_key.arn
@@ -42,13 +43,13 @@ data "aws_iam_policy_document" "exec" {
   statement {
     effect = "Allow"
     actions = [
+      "logs:CreateLogStream",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
       "ssmmessages:CreateControlChannel",
       "ssmmessages:CreateDataChannel",
       "ssmmessages:OpenControlChannel",
       "ssmmessages:OpenDataChannel",
-      "logs:CreateLogStream",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents"
     ]
     resources = ["*"]
   }

terraform/main.tf

@@ -76,6 +76,10 @@ module "service" {
   ]
 
   service_secrets_config = [
+    {
+      name      = "DATABASE_URL"
+      valueFrom = data.aws_secretsmanager_secret.postgres.arn
+    },
     {
       name      = "REDIS_URL"
       valueFrom = data.aws_secretsmanager_secret.redis.arn