diff --git a/README.md b/README.md index 59a9bfe..da91c05 100644 --- a/README.md +++ b/README.md @@ -161,6 +161,10 @@ No modules. | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ecr_viewer_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_route_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source | +| [aws_secretsmanager_secret_version.postgres_database_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_secretsmanager_secret_version.sqlserver_host](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_secretsmanager_secret_version.sqlserver_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_secretsmanager_secret_version.sqlserver_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | ## Inputs 
@@ -183,7 +187,7 @@ No modules. | <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no | | <a name="input_owner"></a> [owner](#input\_owner) | Owner of the resources | `string` | `"CDC"` | no | | <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | Version of the PHDI application | `string` | `"v1.6.9"` | no | -| <a name="input_postgres_database_data"></a> [postgres\_database\_data](#input\_postgres\_database\_data) | n/a | <pre>object({<br> non_integrated_viewer = string<br> metadata_database_type = string<br> metadata_database_schema = string<br> secrets_manager_postgres_database_url_arn = string<br> })</pre> | <pre>{<br> "metadata_database_schema": "",<br> "metadata_database_type": "",<br> "non_integrated_viewer": "false",<br> "secrets_manager_postgres_database_url_arn": ""<br>}</pre> | no | +| <a name="input_postgres_database_data"></a> [postgres\_database\_data](#input\_postgres\_database\_data) | n/a | <pre>object({<br> non_integrated_viewer = string<br> metadata_database_type = string<br> metadata_database_schema = string<br> secrets_manager_postgres_database_url_name = string<br> })</pre> | <pre>{<br> "metadata_database_schema": "",<br> "metadata_database_type": "",<br> "non_integrated_viewer": "false",<br> "secrets_manager_postgres_database_url_name": ""<br>}</pre> | no | | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes | | <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs"` | no | | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | 
@@ -191,7 +195,7 @@ No modules. | <a name="input_s3_viewer_bucket_name"></a> [s3\_viewer\_bucket\_name](#input\_s3\_viewer\_bucket\_name) | Name of the S3 bucket for the viewer | `string` | `""` | no | | <a name="input_s3_viewer_bucket_role_name"></a> [s3\_viewer\_bucket\_role\_name](#input\_s3\_viewer\_bucket\_role\_name) | Name of the IAM role for the ecr-viewer bucket | `string` | `""` | no | | <a name="input_service_data"></a> [service\_data](#input\_service\_data) | Data for the DIBBS services | <pre>map(object({<br> short_name = string<br> fargate_cpu = number<br> fargate_memory = number<br> min_capacity = number<br> max_capacity = number<br> app_image = string<br> app_version = string<br> container_port = number<br> host_port = number<br> public = bool<br> registry_url = string<br> env_vars = list(object({<br> name = string<br> value = string<br> }))<br> }))</pre> | `{}` | no | -| <a name="input_sqlserver_database_data"></a> [sqlserver\_database\_data](#input\_sqlserver\_database\_data) | n/a | <pre>object({<br> non_integrated_viewer = string<br> metadata_database_type = string<br> metadata_database_schema = string<br> secrets_manager_sqlserver_user_arn = string<br> secrets_manager_sqlserver_password_arn = string<br> secrets_manager_sqlserver_host_arn = string<br> })</pre> | <pre>{<br> "metadata_database_schema": "",<br> "metadata_database_type": "",<br> "non_integrated_viewer": "false",<br> "secrets_manager_sqlserver_host_arn": "",<br> "secrets_manager_sqlserver_password_arn": "",<br> "secrets_manager_sqlserver_user_arn": ""<br>}</pre> | no | +| <a name="input_sqlserver_database_data"></a> [sqlserver\_database\_data](#input\_sqlserver\_database\_data) | n/a | <pre>object({<br> non_integrated_viewer = string<br> metadata_database_type = string<br> metadata_database_schema = string<br> secrets_manager_sqlserver_user_name = string<br> secrets_manager_sqlserver_password_name = string<br> secrets_manager_sqlserver_host_name = string<br> })</pre> | <pre>{<br> 
"metadata_database_schema": "",<br> "metadata_database_type": "",<br> "non_integrated_viewer": "false",<br> "secrets_manager_sqlserver_host_name": "",<br> "secrets_manager_sqlserver_password_name": "",<br> "secrets_manager_sqlserver_user_name": ""<br>}</pre> | no | | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources | `map(string)` | `{}` | no | | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes | diff --git a/_check.tf b/_check.tf index 14186dd..327c3d6 100644 --- a/_check.tf +++ b/_check.tf @@ -1,11 +1,8 @@ check "database_data_non_integrated_viewer" { assert { - condition = ( - (local.database_data.non_integrated_viewer == "false" && - length(local.database_data.metadata_database_type) == 0) || - (local.database_data.non_integrated_viewer == "true" && - length(local.database_data.metadata_database_type) > 0 && - length(local.database_data.metadata_database_schema) > 0) + condition = ( + (local.database_data.non_integrated_viewer == "false" && length(local.database_data.metadata_database_type) == 0) || + (local.database_data.non_integrated_viewer == "true" && length(local.database_data.metadata_database_type) > 0 && length(local.database_data.metadata_database_schema) > 0) ) error_message = "When non_integrated_viewer is false, no other database data should be provided. When non_integrated_viewer is true, metadata_database_type, metadata_database_schema, and secrets_manager_* variables should be provided." } diff --git a/_data.tf b/_data.tf index 4a51084..c358fef 100644 --- a/_data.tf +++ b/_data.tf 
@@ -37,4 +37,24 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" { data "aws_route_table" "this" { for_each = local.private_subnet_kvs subnet_id = each.value -} \ No newline at end of file +} + +data "aws_secretsmanager_secret_version" "postgres_database_url" { + count = local.database_data.metadata_database_type == "postgres" ? 1 : 0 + secret_id = local.database_data.metadata_database_type == "postgres" ? local.database_data.secrets_manager_postgres_database_url_name : "" +} + +data "aws_secretsmanager_secret_version" "sqlserver_user" { + count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0 + secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_user_name : "" +} + +data "aws_secretsmanager_secret_version" "sqlserver_password" { + count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0 + secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_password_name : "" +} + +data "aws_secretsmanager_secret_version" "sqlserver_host" { + count = local.database_data.metadata_database_type == "sqlserver" ? 1 : 0 + secret_id = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_host_name : "" +} diff --git a/_local.tf b/_local.tf index e02d7c4..fad1ef2 100644 --- a/_local.tf +++ b/_local.tf 
@@ -8,7 +8,7 @@ locals { registry_url = var.disable_ecr == false ? "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" : "ghcr.io/cdcgov/phdi" registry_username = data.aws_ecr_authorization_token.this.user_name registry_password = data.aws_ecr_authorization_token.this.password - database_data = var.postgres_database_data.non_integrated_viewer == "true" ? var.postgres_database_data : var.sqlserver_database_data + database_data = var.postgres_database_data.non_integrated_viewer == "true" ? var.postgres_database_data : var.sqlserver_database_data service_data = length(var.service_data) > 0 ? var.service_data : { ecr-viewer = { 
@@ -57,28 +57,28 @@ locals { value = var.ecr_viewer_basepath }, { - name = "METADATA_DATABASE_TYPE", + name = "METADATA_DATABASE_TYPE", value = local.database_data.non_integrated_viewer == "true" ? local.database_data.metadata_database_type : "" }, { - name = "METADATA_DATABASE_SCHEMA", + name = "METADATA_DATABASE_SCHEMA", value = local.database_data.non_integrated_viewer == "true" ? local.database_data.metadata_database_schema : "" }, { - name = "DATABASE_URL", - value = local.database_data.metadata_database_type == "postgres" ? local.database_data.secrets_manager_postgres_database_url_arn : "" + name = "DATABASE_URL", + value = local.database_data.metadata_database_type == "postgres" ? data.aws_secretsmanager_secret_version.postgres_database_url[0].secret_string : "" }, { - name = "SQL_SERVER_USER", - value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_user_arn : "" + name = "SQL_SERVER_USER", + value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_user[0].secret_string : "" }, { - name = "SQL_SERVER_PASSWORD", - value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_password_arn : "" + name = "SQL_SERVER_PASSWORD", + value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_password[0].secret_string : "" }, { - name = "SQL_SERVER_HOST", - value = local.database_data.metadata_database_type == "sqlserver" ? local.database_data.secrets_manager_sqlserver_host_arn : "" + name = "SQL_SERVER_HOST", + value = local.database_data.metadata_database_type == "sqlserver" ? data.aws_secretsmanager_secret_version.sqlserver_host[0].secret_string : "" } ] }, diff --git a/_variable.tf b/_variable.tf index 5e3f5a9..dc5b9d8 100644 --- a/_variable.tf +++ b/_variable.tf 
@@ -115,35 +115,35 @@ variable "service_data" { variable "postgres_database_data" { type = object({ - non_integrated_viewer = string - metadata_database_type = string - metadata_database_schema = string - secrets_manager_postgres_database_url_arn = string + non_integrated_viewer = string + metadata_database_type = string + metadata_database_schema = string + secrets_manager_postgres_database_url_name = string }) default = { - non_integrated_viewer = "false" - metadata_database_type = "" - metadata_database_schema = "" - secrets_manager_postgres_database_url_arn = "" + non_integrated_viewer = "false" + metadata_database_type = "" + metadata_database_schema = "" + secrets_manager_postgres_database_url_name = "" } } variable "sqlserver_database_data" { type = object({ - non_integrated_viewer = string - metadata_database_type = string - metadata_database_schema = string - secrets_manager_sqlserver_user_arn = string - secrets_manager_sqlserver_password_arn = string - secrets_manager_sqlserver_host_arn = string + non_integrated_viewer = string + metadata_database_type = string + metadata_database_schema = string + secrets_manager_sqlserver_user_name = string + secrets_manager_sqlserver_password_name = string + secrets_manager_sqlserver_host_name = string }) default = { - non_integrated_viewer = "false" - metadata_database_type = "" - metadata_database_schema = "" - secrets_manager_sqlserver_user_arn = "" - secrets_manager_sqlserver_password_arn = "" - secrets_manager_sqlserver_host_arn = "" + non_integrated_viewer = "false" + metadata_database_type = "" + metadata_database_schema = "" + secrets_manager_sqlserver_user_name = "" + secrets_manager_sqlserver_password_name = "" + secrets_manager_sqlserver_host_name = "" } }
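Review bot: in the README hunk both renamed inputs, `postgres_database_data` and `sqlserver_database_data`, still render with `n/a` in the Description column, so a caller has nothing telling them that the new `secrets_manager_*_name` fields take a Secrets Manager secret name (or an ARN, which `secret_id` also accepts) rather than the secret value itself. Add a `description` to both variables in `_variable.tf` so terraform-docs fills that column, and state in the README that renaming `secrets_manager_*_arn` to `secrets_manager_*_name` breaks existing tfvars. The unchanged context line for `internal` also carries the typo `avaiable` (available), which this regeneration of the table could have fixed.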
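Review bot: in the `_check.tf` hunk the assertion is only reflowed, and it still does not test the `secrets_manager_*` fields even though its `error_message` says they "should be provided". That gap now bites, because `_data.tf` creates the `aws_secretsmanager_secret_version` data sources as soon as `metadata_database_type` is `"postgres"` or `"sqlserver"`, so an empty name reaches `secret_id = ""` and fails during plan with a provider error rather than this check's message. Extend the `"true"` branch with a non-empty check on the name fields of the selected type, e.g. `length(local.database_data.secrets_manager_postgres_database_url_name) > 0` for postgres and the user, password and host names for sqlserver. Note also that a failed `check` assertion is reported as a warning and does not stop the plan, so a `validation` block on the variables is the stronger guard.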
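Review bot: in the `_data.tf` hunk each of the four new data sources repeats in `secret_id` the condition that `count` already applies, so the `: ""` branch is dead and only obscures the intent; `secret_id = local.database_data.secrets_manager_postgres_database_url_name` (and likewise for the three sqlserver secrets) is equivalent. The more important point is what `aws_secretsmanager_secret_version` does: with no `version_id` or `version_stage` it reads the AWSCURRENT value at plan time, the identity running `terraform plan` therefore needs `secretsmanager:GetSecretValue` on all four secrets, and `secret_string` (the database password and connection URL) is written in plaintext into the Terraform state, so state storage must now be treated as secret material. A rotated secret is also not picked up until the next apply. If rotation is expected, pass the ARN through to the task definition's `secrets`/`valueFrom` instead of dereferencing the value here.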
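Review bot: the `database_data = ...` hunk in `_local.tf` is a whitespace-only realignment mixed into a functional change, which makes the diff noisier to review; run `terraform fmt` in a separate commit. While touching that line, note that the selector keys on `var.postgres_database_data.non_integrated_viewer` alone, so a caller who sets only `sqlserver_database_data` depends on the postgres default `"false"` to fall through; a comment there would save the next reader a trip to `_variable.tf`.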
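Review bot: in the env_vars hunk of `_local.tf`, `DATABASE_URL`, `SQL_SERVER_USER`, `SQL_SERVER_PASSWORD` and `SQL_SERVER_HOST` now carry the resolved `secret_string` as the `value` of a plain `env_vars` entry (the README's `service_data` shape is `list(object({ name = string, value = string }))`), so the password lands as a literal in the ECS task definition's `environment` block, readable by anyone with `ecs:DescribeTaskDefinition`, and appears in `terraform plan` output. Before this hunk the value was the ARN, which is exactly what ECS's `secrets` (`valueFrom`) injection expects, with the task execution role fetching the value at container start; prefer that path by adding a `secrets` list alongside `env_vars` in `service_data` and mapping it to the container definition, or at minimum wrap these values in `sensitive(...)` so plan output redacts them. The `[0]` references are safe only because the guard matches the `count` condition in `_data.tf`; a comment tying the two together would help keep them from drifting.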
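Review bot: in the `_variable.tf` hunk both variables are still declared without `description` (hence the `n/a` in the README) and without `validation`. Because `_data.tf` keys on `metadata_database_type == "postgres"` / `"sqlserver"`, a value such as `postgresql` silently creates no data source and leaves every database env var empty; add e.g. `validation { condition = contains(["", "postgres", "sqlserver"], var.postgres_database_data.metadata_database_type) }` with a matching message to both variables, and a description stating that the `*_name` fields take a Secrets Manager secret name or ARN. The rename from `secrets_manager_*_arn` to `secrets_manager_*_name` is a breaking change for any caller's existing object value, and since `secret_id` accepts an ARN as well it is purely cosmetic; either keep the old attribute names or call the break out in the changelog. Finally, `non_integrated_viewer = string` holding `"true"`/`"false"` would be cleaner as `bool`, which would also remove the string comparisons in `_check.tf` and `_local.tf`.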