Refactoring of how secrets are passed through it

ooni · Sep 24, 2024 · c219068 · c219068
1 parent 8888b58
commit c219068
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
@@ -208,6 +208,9 @@ resource "aws_secretsmanager_secret_version" "prometheus_metrics_password" {
   secret_string = random_password.prometheus_metrics_password.result
 }
 
+data "aws_secretsmanager_secret_version" "prometheus_metrics_password" {
+  secret_id = aws_secretsmanager_secret.prometheus_metrics_password.id
+}
 
 resource "aws_secretsmanager_secret" "oonipg_url" {
   name = "oonidevops/ooni-tier0-postgres/postgresql_url"
@@ -236,6 +239,10 @@ resource "aws_s3_bucket" "oonith_codepipeline_bucket" {
   bucket = "codepipeline-oonith-${var.aws_region}-${random_id.artifact_id.hex}"
 }
 
+data "aws_secretsmanager_secret_version" "deploy_key" {
+  secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn
+}
+
 # The aws_codestarconnections_connection resource is created in the state
 # PENDING. Authentication with the connection provider must be completed in the
 # AWS Console.
@@ -261,8 +268,8 @@ module "ooni_th_droplet" {
   instance_location = "fra1"
   instance_size     = "s-1vcpu-1gb"
   droplet_count     = 2
-  deployer_key      = module.adm_iam_roles.oonidevops_ssh_public_key
-  metrics_password  = random_password.prometheus_metrics_password.result
+  deployer_key      = jsondecode(data.aws_secretsmanager_secret_version.deploy_key.secret_string)["public_key"]
+  metrics_password  = data.aws_secretsmanager_secret_version.prometheus_metrics_password.secret_string
   ssh_keys = [
     "3d:81:99:17:b5:d1:20:a5:fe:2b:14:96:67:93:d6:34",
     "f6:4b:8b:e2:0e:d2:97:c5:45:5c:07:a6:fe:54:60:0e"

diff --git a/tf/modules/adm_iam_roles/main.tf b/tf/modules/adm_iam_roles/main.tf
@@ -79,12 +79,15 @@ resource "aws_key_pair" "oonidevops" {
 }
 
 resource "aws_secretsmanager_secret" "oonidevops_deploy_key" {
-  name = "oonidevops/deploy_key/ssh_key_private"
+  name = "oonidevops/deploy_key"
   tags = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "oonidevops_deploy_key" {
-  secret_id     = aws_secretsmanager_secret.oonidevops_deploy_key.id
-  secret_string = tls_private_key.oonidevops.private_key_openssh
+  secret_id = aws_secretsmanager_secret.oonidevops_deploy_key.id
+  secret_string = jsonencode({
+    private_key = tls_private_key.oonidevops.private_key_openssh,
+    public_key  = tls_private_key.oonidevops.public_key_openssh,
+  })
 }
 
diff --git a/tf/modules/adm_iam_roles/outputs.tf b/tf/modules/adm_iam_roles/outputs.tf
@@ -9,7 +9,3 @@ output "oonidevops_key_name" {
 output "oonidevops_deploy_key_arn" {
   value = aws_secretsmanager_secret.oonidevops_deploy_key.id
 }
-
-output "oonidevops_ssh_public_key" {
-  value = trimspace(tls_private_key.oonidevops.public_key_openssh)
-}
diff --git a/tf/modules/ooni_th_droplet/templates/cloud-init.yml b/tf/modules/ooni_th_droplet/templates/cloud-init.yml
@@ -51,6 +51,7 @@ write_files:
             proxy_cache_valid 200 10m;
             proxy_cache_valid any 0;
             add_header X-Cache-Status $upstream_cache_status;
+
         }
       }
-Original file line number
+Diff line change
@@ Expand Up / @@ -51,6 +51,7 @@ write_files: @@
                 proxy_cache_valid 200 10m;
                 proxy_cache_valid any 0;
                 add_header X-Cache-Status $upstream_cache_status;
             }
           }
@@ Expand Down @@