Pull secrets from secrets manager rather than S3 (#127)

Co-authored-by: xss <michaela@michaela.lgbt>
2024-12-18 12:56:28 +00:00 · 2023-10-22 15:49:32 +11:00 · 2023-10-22 15:49:32 +11:00 · d3ca3cebfe
commit d3ca3cebfe
parent 81830c2d74
2 changed files with 39 additions and 7 deletions
--- a/secrets.tf
+++ b/secrets.tf
@ -6,9 +6,10 @@ resource "aws_secretsmanager_secret_version" "mqtt" {
  secret_id = aws_secretsmanager_secret.mqtt.id
  secret_string = jsonencode(
    {
-      HOST     = join(",", local.websocket_host_addresses)
-      PASSWORD = random_password.mqtt.result
-      USERNAME = "write"
+      HOST            = join(",", local.websocket_host_addresses)
+      HOST_MOS_FORMAT = join(" ", [for x in local.websocket_host_addresses : "${x}:1883"])
+      PASSWORD        = random_password.mqtt.result
+      USERNAME        = "write"
    }
  )
 }
--- a/websockets.tf
+++ b/websockets.tf
@ -183,9 +183,9 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
      },
      {
        command = [
-          "cp",
-          "/config/mosquitto-reader.conf",
-          "/config/mosquitto.conf",
+          "sh",
+          "-c",
+          "apk add gettext; envsubst < /config/mosquitto-reader-template.conf > /config/mosquitto.conf",
        ]
        cpu = 0
        dependsOn = [
@ -214,6 +214,16 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
        name         = "config-move"
        portMappings = []
        volumesFrom  = []
+        secrets = [
+          {
+            name      = "PASSWORD"
+            valueFrom = "${aws_secretsmanager_secret.mqtt.arn}:PASSWORD::"
+          },
+          {
+            name      = "HOST_MOS_FORMAT"
+            valueFrom = "${aws_secretsmanager_secret.mqtt.arn}:HOST_MOS_FORMAT::"
+          }
+        ]
      },
    ]
  )
@ -232,6 +242,7 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
  volume {
    name = "config"
  }
+
 }

 resource "aws_ecs_task_definition" "ws" {
@ -277,7 +288,7 @@ resource "aws_ecs_task_definition" "ws" {
        ]
        environment = []
        essential   = true
-        image       = "eclipse-mosquitto:2-openssl"
+        image       = "eclipse-mosquitto:2.0.15"
        # logConfiguration = {
        #   logDriver = "awslogs"
        #   options = {
@ -571,6 +582,26 @@ resource "aws_iam_role_policy" "efs" {
 EOF
 }

+resource "aws_iam_role_policy" "secrets" {
+  name = "secrests"
+  role = aws_iam_role.ecs_execution.id
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+          "Action": [
+            "secretsmanager:GetSecretValue"
+          ],
+          "Effect": "Allow",
+          "Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
+        }
+    ]
+}
+EOF
+}
+
 resource "aws_iam_role_policy" "ssm" {
  name = "SSM"
  role = aws_iam_role.ecs_execution.id