Create password resource

Author: ikovac

README.md

@@ -372,7 +372,7 @@ type DatabaseArgs = {
 
 If the password is not specified it will be autogenerated.
 The database password is stored as a secret inside AWS Secret Manager.
-The secret will be available on the `Database` resource as `passwordSecret`.
+The secret will be available on the `Database` resource as `password.secret`.
 
 ### Redis
 
@@ -600,7 +600,7 @@ export type MongoArgs = {
 
 If the password is not specified it will be autogenerated.
 The mongo password is stored as a secret inside AWS Secret Manager.
-The secret will be available on the `Mongo` resource as `passwordSecret`.
+The secret will be available on the `Mongo` resource as `password.secret`.
 
 ### Ecs Service
 

src/components/database.ts

@@ -1,6 +1,6 @@
 import * as aws from '@pulumi/aws';
 import * as pulumi from '@pulumi/pulumi';
-import * as random from '@pulumi/random';
+import { Password } from './password';
 import { commonTags } from '../constants';
 
 export type DatabaseArgs = {
@@ -68,7 +68,7 @@ export class Database extends pulumi.ComponentResource {
   kms: aws.kms.Key;
   dbSubnetGroup: aws.rds.SubnetGroup;
   dbSecurityGroup: aws.ec2.SecurityGroup;
-  passwordSecret: aws.secretsmanager.Secret;
+  password: Password;
 
   constructor(
     name: string,
@@ -83,9 +83,12 @@ export class Database extends pulumi.ComponentResource {
     this.dbSubnetGroup = this.createSubnetGroup({ isolatedSubnetIds });
     this.dbSecurityGroup = this.createSecurityGroup({ vpcId, vpcCidrBlock });
     this.kms = this.createEncryptionKey();
-    const { instance, passwordSecret } = this.createDatabaseInstance(args);
-    this.instance = instance;
-    this.passwordSecret = passwordSecret;
+    this.password = new Password(
+      `${this.name}-database-password`,
+      { value: args.password },
+      { parent: this },
+    );
+    this.instance = this.createDatabaseInstance(args);
 
     this.registerOutputs();
   }
@@ -144,43 +147,9 @@ export class Database extends pulumi.ComponentResource {
     return kms;
   }
 
-  private createPasswordSecret({ password }: Pick<DatabaseArgs, 'password'>) {
-    const project = pulumi.getProject();
-    const stack = pulumi.getStack();
-
-    const passwordSecret = new aws.secretsmanager.Secret(
-      `${this.name}-password-secret`,
-      {
-        namePrefix: `${stack}/${project}/DatabasePassword-`,
-        tags: commonTags,
-      },
-      { parent: this },
-    );
-
-    const passwordSecretValue = new aws.secretsmanager.SecretVersion(
-      `${this.name}-password-secret-value`,
-      {
-        secretId: passwordSecret.id,
-        secretString: password,
-      },
-      { parent: this, dependsOn: [passwordSecret] },
-    );
-
-    return passwordSecret;
-  }
-
   private createDatabaseInstance(args: DatabaseArgs) {
     const argsWithDefaults = Object.assign({}, defaults, args);
     const stack = pulumi.getStack();
-    const password =
-      argsWithDefaults.password ||
-      new random.RandomPassword(`${this.name}-db-password`, {
-        length: 16,
-        overrideSpecial: '_%$',
-        special: true,
-      }).result;
-
-    const passwordSecret = this.createPasswordSecret({ password });
 
     const instance = new aws.rds.Instance(
       `${this.name}-rds`,
@@ -193,7 +162,7 @@ export class Database extends pulumi.ComponentResource {
         instanceClass: argsWithDefaults.instanceClass,
         dbName: argsWithDefaults.dbName,
         username: argsWithDefaults.username,
-        password,
+        password: this.password.value,
         dbSubnetGroupName: this.dbSubnetGroup.name,
         vpcSecurityGroupIds: [this.dbSecurityGroup.id],
         storageEncrypted: true,
@@ -208,8 +177,8 @@ export class Database extends pulumi.ComponentResource {
         backupRetentionPeriod: 14,
         tags: { ...commonTags, ...argsWithDefaults.tags },
       },
-      { parent: this },
+      { parent: this, dependsOn: [this.password] },
     );
-    return { instance, passwordSecret };
+    return instance;
   }
 }

src/components/mongo.ts

@@ -1,8 +1,6 @@
 import * as pulumi from '@pulumi/pulumi';
-import * as aws from '@pulumi/aws';
-import * as random from '@pulumi/random';
-import { commonTags } from '../constants';
 import { EcsService, EcsServiceArgs } from './ecs-service';
+import { Password } from './password';
 
 export type MongoArgs = Pick<
   EcsServiceArgs,
@@ -27,7 +25,7 @@ export type MongoArgs = Pick<
 export class Mongo extends pulumi.ComponentResource {
   name: string;
   service: EcsService;
-  passwordSecret: aws.secretsmanager.Secret;
+  password: Password;
 
   constructor(
     name: string,
@@ -42,8 +40,11 @@ export class Mongo extends pulumi.ComponentResource {
 
     this.name = name;
 
-    const mongoPassword = password || this.createRandomPassword();
-    this.passwordSecret = this.createPasswordSecret(mongoPassword);
+    this.password = new Password(
+      `${this.name}-mongo-password`,
+      { value: password },
+      { parent: this },
+    );
 
     this.service = new EcsService(
       name,
@@ -68,7 +69,7 @@ export class Mongo extends pulumi.ComponentResource {
         secrets: [
           {
             name: 'MONGO_INITDB_ROOT_PASSWORD',
-            valueFrom: this.passwordSecret.arn,
+            valueFrom: this.password.secret.arn,
           },
         ],
       },
@@ -77,39 +78,4 @@ export class Mongo extends pulumi.ComponentResource {
 
     this.registerOutputs();
   }
-
-  private createRandomPassword() {
-    const password = new random.RandomPassword(`${this.name}-mongo-password`, {
-      length: 16,
-      overrideSpecial: '_%$',
-      special: true,
-    });
-
-    return password.result;
-  }
-
-  private createPasswordSecret(password: MongoArgs['password']) {
-    const project = pulumi.getProject();
-    const stack = pulumi.getStack();
-
-    const passwordSecret = new aws.secretsmanager.Secret(
-      `${this.name}-password-secret`,
-      {
-        namePrefix: `${stack}/${project}/MongoPassword-`,
-        tags: commonTags,
-      },
-      { parent: this },
-    );
-
-    const passwordSecretValue = new aws.secretsmanager.SecretVersion(
-      `${this.name}-password-secret-value`,
-      {
-        secretId: passwordSecret.id,
-        secretString: password,
-      },
-      { parent: this, dependsOn: [passwordSecret] },
-    );
-
-    return passwordSecret;
-  }
 }

src/components/password.ts

@@ -0,0 +1,69 @@
+import * as aws from '@pulumi/aws';
+import * as pulumi from '@pulumi/pulumi';
+import * as random from '@pulumi/random';
+import { commonTags } from '../constants';
+
+export type PasswordArgs = {
+  value?: pulumi.Input<string>;
+};
+
+export class Password extends pulumi.ComponentResource {
+  name: string;
+  value: pulumi.Output<string>;
+  secret: aws.secretsmanager.Secret;
+
+  constructor(
+    name: string,
+    args: PasswordArgs,
+    opts: pulumi.ComponentResourceOptions = {},
+  ) {
+    const optsWithDefauls = pulumi.mergeOptions(opts, {
+      additionalSecretOutputs: ['value'],
+    });
+    super('studion:Password', name, {}, optsWithDefauls);
+
+    this.name = name;
+    if (args.value) {
+      this.value = pulumi.output(args.value);
+    } else {
+      const password = new random.RandomPassword(
+        `${this.name}-random-password`,
+        {
+          length: 16,
+          overrideSpecial: '_%$',
+          special: true,
+        },
+        { parent: this },
+      );
+      this.value = password.result;
+    }
+
+    this.secret = this.createPasswordSecret(this.value);
+    this.registerOutputs();
+  }
+
+  private createPasswordSecret(password: pulumi.Input<string>) {
+    const project = pulumi.getProject();
+    const stack = pulumi.getStack();
+
+    const passwordSecret = new aws.secretsmanager.Secret(
+      `${this.name}-password-secret`,
+      {
+        namePrefix: `${stack}/${project}/${this.name}-`,
+        tags: commonTags,
+      },
+      { parent: this },
+    );
+
+    const passwordSecretValue = new aws.secretsmanager.SecretVersion(
+      `${this.name}-password-secret-value`,
+      {
+        secretId: passwordSecret.id,
+        secretString: password,
+      },
+      { parent: this, dependsOn: [passwordSecret] },
+    );
+
+    return passwordSecret;
+  }
+}