From 3ea4d701fd46b11f58ea805dee48e8c91cc4e0c5 Mon Sep 17 00:00:00 2001
From: James Green
Date: Thu, 1 Feb 2024 12:09:49 +0000
Subject: [PATCH] updated module to use secrets manager via data AWS secrets mananger now store the http endpoint and access_key for the firehose http endpoint.
---
 data.tf | 15 +++++++++
 main.tf | 10 +++---
 modules/kinesis_firehose_xsiam/data.tf | 7 ----
 modules/kinesis_firehose_xsiam/main.tf | 46 +++++++++++++-------------
 4 files changed, 43 insertions(+), 35 deletions(-)
 delete mode 100644 modules/kinesis_firehose_xsiam/data.tf

diff --git a/data.tf b/data.tf
index 1938662..5df7a63 100644
--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,9 @@
+locals {
+ xaiam_secrets_version_development = "2f39a1d3-b363-4d24-8749-f0ae737c2824"
+ xaiam_secrets_version_pre_production = ""
+ xaiam_secrets_version_production = ""
+}
+
 #-----------------------------------------------------------------
 ### Getting the staff-device-shared-services-infrastructure state
 #-----------------------------------------------------------------
@@ -10,3 +16,12 @@ data "terraform_remote_state" "staff-device-shared-services-infrastructure" {
 region = "eu-west-2"
 }
 }
+
+data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" {
+ name = "/nac-server/${terraform.workspace}/xsiam_endpoint_secrets"
+}
+
+data "aws_secretsmanager_secret_version" "xaiam_secrets_version" {
+ secret_id = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id
+ version_id = terraform.workspace == "pre_production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development
+}
diff --git a/main.tf b/main.tf
index 4751d2b..914d1f5 100644
--- a/main.tf
+++ b/main.tf
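Review bot: The three `xaiam_secrets_version_*` locals pin Secrets Manager version UUIDs in source, so rotating the XSIAM endpoint or access key in any environment — the main reason to move it into Secrets Manager — needs a follow-up code change before the new value is read, and two of the three are empty placeholders that the `version_id` expression later in this file selects for pre_production and production. The `xaiam` prefix also looks like a typo for `xsiam`, which the secret name below spells correctly. If pinning is deliberate, a single map keyed by workspace is easier to keep in step: `xsiam_secrets_version = { development = "2f39a1d3-b363-4d24-8749-f0ae737c2824", pre_production = "", production = "" }`; otherwise drop the locals and let the data source follow the `AWSCURRENT` stage.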
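Review bot: The `version_id` argument on `data.aws_secretsmanager_secret_version.xaiam_secrets_version` passes an empty string for `pre_production` and `production`, so those environments depend on the provider treating `""` as "not set" and resolving `AWSCURRENT` — worth confirming against the provider version in use rather than assuming — and the final `:` branch sends every other workspace to the development UUID, which only fails because the secret name above also embeds the workspace. Pinning a version also means a rotated access key is not picked up until someone edits this file. Unless the pin is intentional, replacing the `version_id` line with `version_stage = "AWSCURRENT"` is simpler and rotation-safe. As with any data source, the result including `secret_string` is written to the Terraform state in plaintext, so the state backend needs encryption and tightly scoped access.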
@@ -312,11 +312,11 @@ module "performance_testing" {
 }

 module "kinesis_firehose_xsiam" {
- source = "./modules/kinesis_firehose_xsiam"
- access_key = "bar"
- http_endpoint = "https://moj.gov.uk"
- prefix = "${module.label.id}-xsiam"
- tags = module.label.tags
+ source = "./modules/kinesis_firehose_xsiam"
+ http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"]
+ access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"]
+ prefix = "${module.label.id}-xsiam"
+ tags = module.label.tags

 providers = {
 aws = aws.env
diff --git a/modules/kinesis_firehose_xsiam/data.tf b/modules/kinesis_firehose_xsiam/data.tf
deleted file mode 100644
index e6f42e8..0000000
--- a/modules/kinesis_firehose_xsiam/data.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-#data "aws_ssm_parameter" "http_endpoint" {
-# name = "/service_name/$ENV/xsiam_http_endpoint"
-# provider =
-#}
-#output "http_endpoint" {
-# value=data.aws_ssm_parameter.http_endpoint.value
-#}
diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf
index a2d6e3a..ecaff36 100644
--- a/modules/kinesis_firehose_xsiam/main.tf
+++ b/modules/kinesis_firehose_xsiam/main.tf
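Review bot: `jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)` is evaluated twice in the `kinesis_firehose_xsiam` module block, once per key; decoding it once into a local keeps the two arguments in step and gives a single place to validate the payload: `locals { xsiam_endpoint_secret = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string) }` then `http_endpoint = local.xsiam_endpoint_secret["http_endpoint"]` and `access_key = local.xsiam_endpoint_secret["access_key"]`. Terraform should carry the sensitive marking of `secret_string` through `jsondecode` and the index, but the module's `access_key` input (its variables.tf is not in this diff) should also be declared `sensitive = true` so plan output redacts it however the value arrives. Either way the value still sits in plaintext in the state file, so access to state is the real boundary here.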
@@ -12,35 +12,35 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { s3_backup_mode = "FailedDataOnly" cloudwatch_logging_options { - enabled = true - log_group_name = "xsiam-delivery-stream-${var.prefix}" + enabled = true + log_group_name = "xsiam-delivery-stream-${var.prefix}" log_stream_name = "errors" } } - s3_configuration { - role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn - bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn - buffer_size = 10 - buffer_interval = 400 - compression_format = "GZIP" - } - -# request_configuration { -# content_encoding = "GZIP" -# -# common_attributes { -# name = "testname" -# value = "testvalue" -# } -# -# common_attributes { -# name = "testname2" -# value = "testvalue2" -# } -# } + s3_configuration { + role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn + bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn + buffer_size = 10 + buffer_interval = 400 + compression_format = "GZIP" } + # request_configuration { + # content_encoding = "GZIP" + # + # common_attributes { + # name = "testname" + # value = "testvalue" + # } + # + # common_attributes { + # name = "testname2" + # value = "testvalue2" + # } + # } +} + resource "aws_iam_role" "xsiam_kinesis_firehose_role" { //name = "kinesis-firehose-role-xsiam"