
updated module to use secrets manager via data
AWS Secrets Manager now stores the http endpoint and access_key for the
firehose http endpoint.
jamesgreen-moj committed Feb 1, 2024
1 parent 15cecfb commit 3ea4d70
Showing 4 changed files with 43 additions and 35 deletions.
15 changes: 15 additions & 0 deletions data.tf
@@ -1,3 +1,9 @@
locals {
xaiam_secrets_version_development = "2f39a1d3-b363-4d24-8749-f0ae737c2824"
xaiam_secrets_version_pre_production = ""
xaiam_secrets_version_production = ""
}

#-----------------------------------------------------------------
### Getting the staff-device-shared-services-infrastructure state
#-----------------------------------------------------------------
@@ -10,3 +16,12 @@ data "terraform_remote_state" "staff-device-shared-services-infrastructure" {
region = "eu-west-2"
}
}

data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" {
name = "/nac-server/${terraform.workspace}/xsiam_endpoint_secrets"
}

data "aws_secretsmanager_secret_version" "xaiam_secrets_version" {
secret_id = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id
version_id = terraform.workspace == "pre_production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development
}
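Review bot: `xaiam_secrets_version_pre_production` and `xaiam_secrets_version_production` are empty strings, so in those workspaces the `version_id` argument of `aws_secretsmanager_secret_version` receives `""` rather than being left unset; whether the provider then resolves the current version or fails the lookup depends on provider handling, so the intent should be explicit. Setting the unpinned locals to `null` (`xaiam_secrets_version_pre_production = null`, `xaiam_secrets_version_production = null`) makes the fall-back to the current secret version unambiguous and keeps the conditional on `version_id` valid. Note that the resolved `secret_string` is written to the Terraform state in plaintext, so the state backend needs encryption and restricted access to match the move of the endpoint and access key into Secrets Manager. The spelling also differs between `xsiam_endpoint_secrets` and `xaiam_secrets_version`, which looks like a typo worth fixing before other code references it.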
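--- a/main.tf
+++ b/main.tf
@@ -312,11 +312,11 @@ module "performance_testing" {
 }
 
 module "kinesis_firehose_xsiam" {
-source = "./modules/kinesis_firehose_xsiam"
-access_key = "bar"
-http_endpoint = "https://moj.gov.uk"
-prefix = "${module.label.id}-xsiam"
-tags = module.label.tags
+source = "./modules/kinesis_firehose_xsiam"
+http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"]
+access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"]
+prefix = "${module.label.id}-xsiam"
+tags = module.label.tags
 
 providers = {
 aws = aws.env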
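Review bot: `jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)` is evaluated twice, once on the `http_endpoint` line and once on `access_key`; decoding once into a local, e.g. `xsiam_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)` in a `locals` block, and then `http_endpoint = local.xsiam_endpoint["http_endpoint"]` and `access_key = local.xsiam_endpoint["access_key"]`, keeps the two inputs in step if the secret's JSON layout changes. Because the provider marks `secret_string` as sensitive, both decoded values carry that marking into the module, so the endpoint will be redacted in plan output too; if that is unwanted, unwrap it deliberately with `nonsensitive()` rather than leaving it implicit. The module's `access_key` variable should be declared `sensitive = true` as well, but its variables file is not part of this commit, so that cannot be confirmed here. The `kinesis_firehose_xsiam` module block continues past the end of the hunk.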
7 changes: 0 additions & 7 deletions modules/kinesis_firehose_xsiam/data.tf

This file was deleted.

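--- a/modules/kinesis_firehose_xsiam/main.tf
+++ b/modules/kinesis_firehose_xsiam/main.tf
@@ -12,35 +12,35 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" {
 s3_backup_mode = "FailedDataOnly"
 
 cloudwatch_logging_options {
-enabled = true
-log_group_name = "xsiam-delivery-stream-${var.prefix}"
+enabled = true
+log_group_name = "xsiam-delivery-stream-${var.prefix}"
 log_stream_name = "errors"
 }
 }
 
-s3_configuration {
-role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn
-bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn
-buffer_size = 10
-buffer_interval = 400
-compression_format = "GZIP"
-}
-
-# request_configuration {
-# content_encoding = "GZIP"
-#
-# common_attributes {
-# name = "testname"
-# value = "testvalue"
-# }
-#
-# common_attributes {
-# name = "testname2"
-# value = "testvalue2"
-# }
-# }
+s3_configuration {
+role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn
+bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn
+buffer_size = 10
+buffer_interval = 400
+compression_format = "GZIP"
+}
+
+# request_configuration {
+# content_encoding = "GZIP"
+#
+# common_attributes {
+# name = "testname"
+# value = "testvalue"
+# }
+#
+# common_attributes {
+# name = "testname2"
+# value = "testvalue2"
+# }
+# }
 }
 
 resource "aws_iam_role" "xsiam_kinesis_firehose_role" {
 
 //name = "kinesis-firehose-role-xsiam"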
