Pull secrets from secrets manager rather than S3

This commit is contained in:
xss 2023-10-22 15:48:18 +11:00
parent 81830c2d74
commit f138ddc748
2 changed files with 39 additions and 7 deletions


@ -6,9 +6,10 @@ resource "aws_secretsmanager_secret_version" "mqtt" {
secret_id = aws_secretsmanager_secret.mqtt.id secret_id = aws_secretsmanager_secret.mqtt.id
secret_string = jsonencode( secret_string = jsonencode(
{ {
HOST = join(",", local.websocket_host_addresses) HOST = join(",", local.websocket_host_addresses)
PASSWORD = random_password.mqtt.result HOST_MOS_FORMAT = join(" ", [for x in local.websocket_host_addresses : "${x}:1883"])
USERNAME = "write" PASSWORD = random_password.mqtt.result
USERNAME = "write"
} }
) )
} }
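Review bot: `HOST_MOS_FORMAT` hard-codes port `1883` on every websocket host, which is the default plaintext MQTT port, and the same secret carries the `write` account's password; in the other file of this commit both values are substituted into `mosquitto.conf` for the reader task, so if the reader template (not part of this diff) does not enable TLS on that connection the credentials go over the wire unencrypted. The port belongs next to the other host-derived values as a named local rather than an inline literal, e.g. `mqtt_port = 1883` in `locals`, with `"${x}:${local.mqtt_port}"` here, and a comment stating the transport assumption: `# plaintext MQTT port; the reader template must secure this hop or the "write" credentials are sent in the clear`. Note also that any change to `local.websocket_host_addresses` now produces a new secret version, so a host rotation becomes a secret rotation for every consumer of this ARN.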


@ -183,9 +183,9 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
}, },
{ {
command = [ command = [
"cp", "sh",
"/config/mosquitto-reader.conf", "-c",
"/config/mosquitto.conf", "apk add gettext; envsubst < /config/mosquitto-reader-template.conf > /config/mosquitto.conf",
] ]
cpu = 0 cpu = 0
dependsOn = [ dependsOn = [
@ -214,6 +214,16 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
name = "config-move" name = "config-move"
portMappings = [] portMappings = []
volumesFrom = [] volumesFrom = []
secrets = [
{
name = "PASSWORD"
valueFrom = "${aws_secretsmanager_secret.mqtt.arn}:PASSWORD::"
},
{
name = "HOST_MOS_FORMAT"
valueFrom = "${aws_secretsmanager_secret.mqtt.arn}:HOST_MOS_FORMAT::"
}
]
}, },
] ]
) )
@ -232,6 +242,7 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
volume { volume {
name = "config" name = "config"
} }
} }
resource "aws_ecs_task_definition" "ws" { resource "aws_ecs_task_definition" "ws" {
@ -277,7 +288,7 @@ resource "aws_ecs_task_definition" "ws" {
] ]
environment = [] environment = []
essential = true essential = true
image = "eclipse-mosquitto:2-openssl" image = "eclipse-mosquitto:2.0.15"
# logConfiguration = { # logConfiguration = {
# logDriver = "awslogs" # logDriver = "awslogs"
# options = { # options = {
@ -571,6 +582,26 @@ resource "aws_iam_role_policy" "efs" {
EOF EOF
} }
resource "aws_iam_role_policy" "secrets" {
name = "secrests"
role = aws_iam_role.ecs_execution.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
}
resource "aws_iam_role_policy" "ssm" { resource "aws_iam_role_policy" "ssm" {
name = "SSM" name = "SSM"
role = aws_iam_role.ecs_execution.id role = aws_iam_role.ecs_execution.id