Autogenerate db password, enable secrets factory

Author: ikovac

README.md

@@ -92,7 +92,7 @@ type DatabaseService = {
   serviceName: string;
   dbName: pulumi.Input<string>;
   username: pulumi.Input<string>;
-  password: pulumi.Input<string>;
+  password?: pulumi.Input<string>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
@@ -131,7 +131,7 @@ export type WebServerService = {
   environment?:
     | aws.ecs.KeyValuePair[]
     | ((services: Services) => aws.ecs.KeyValuePair[]);
-  secrets?: aws.ecs.Secret[];
+  secrets?: aws.ecs.Secret[] | ((services: Services) => aws.ecs.Secret[]);
   image: pulumi.Input<string>;
   port: pulumi.Input<number>;
   domain: pulumi.Input<string>;
@@ -203,6 +203,33 @@ const project = new studion.Project('demo-project', {
 });
 ```
 
+```ts
+const project = new studion.Project('demo-project', {
+  environment: 'DEVELOPMENT',
+  services: [
+    {
+      type: 'REDIS',
+      serviceName: 'redis',
+      dbName: 'test-db',
+    },
+    {
+      type: 'WEB_SERVER',
+      serviceName: 'api',
+      image: imageUri,
+      port: 3000,
+      domain: 'api.my-domain.com',
+      secrets: (services: Services) => {
+        const redisServiceName = 'redis';
+        const redis = services[redisServiceName];
+        return [
+          { name: 'REDIS_PASSWORD', valueFrom: redis.passwordSecret.arn },
+        ];
+      },
+    },
+  ],
+});
+```
+
 ### Database
 
 AWS RDS Postgres instance.
@@ -229,8 +256,8 @@ new Database(name: string, args: DatabaseArgs, opts?: pulumi.CustomResourceOptio
 type DatabaseArgs = {
   dbName: pulumi.Input<string>;
   username: pulumi.Input<string>;
-  password: pulumi.Input<string>;
   vpc: awsx.ec2.Vpc;
+  password?: pulumi.Input<string>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
@@ -242,6 +269,10 @@ type DatabaseArgs = {
 };
 ```
 
+If a password is not specified, it will be autogenerated and stored as a secret
+inside AWS Secret Manager. The secret will be available on the `Database` resource
+as `passwordSecret`.
+
 ### Redis
 
 [Upstash](https://upstash.com) Redis instance.
@@ -283,6 +314,9 @@ interface RedisOptions extends pulumi.ComponentResourceOptions {
 }
 ```
 
+After creating the Redis resource, the `passwordSecret` AWS Secret Manager Secret
+will exist on the resource.
+
 ### Static Site
 
 AWS S3 + Cloudfront static site.
@@ -467,4 +501,3 @@ const project = new studion.Project('demo-project', {
 
 - [ ] Add worker service for executing tasks
 - [ ] Add MongoDB service
-- [ ] Make db username & password fields optional and autogenerate db username & password if they are not provided

src/components/database.ts

@@ -11,14 +11,15 @@ export type DatabaseArgs = {
    * Username for the master DB user.
    */
   username: pulumi.Input<string>;
-  /**
-   * Password for the master DB user.
-   */
-  password: pulumi.Input<string>;
   /**
    * The awsx.ec2.Vpc resource.
    */
   vpc: awsx.ec2.Vpc;
+  /**
+   * Password for the master DB user. If not specified, it will be autogenerated
+   * and stored as a secret in AWS Secret Manager.
+   */
+  password?: pulumi.Input<string>;
   /**
    * Specifies whether any database modifications are applied immediately, or during the next maintenance window. Default is false.
    */
@@ -60,6 +61,7 @@ export class Database extends pulumi.ComponentResource {
   kms: aws.kms.Key;
   dbSubnetGroup: aws.rds.SubnetGroup;
   dbSecurityGroup: aws.ec2.SecurityGroup;
+  passwordSecret?: aws.secretsmanager.Secret;
 
   constructor(
     name: string,
@@ -68,6 +70,9 @@ export class Database extends pulumi.ComponentResource {
   ) {
     super('studion:Database', name, {}, opts);
 
+    const project = pulumi.getProject();
+    const stack = pulumi.getStack();
+
     const argsWithDefaults = Object.assign({}, defaults, args);
 
     this.dbSubnetGroup = new aws.rds.SubnetGroup(
@@ -107,6 +112,31 @@ export class Database extends pulumi.ComponentResource {
       { parent: this },
     );
 
+    const password =
+      argsWithDefaults.password ||
+      aws.secretsmanager
+        .getRandomPasswordOutput()
+        .apply(res => res.randomPassword);
+
+    if (!argsWithDefaults.password) {
+      this.passwordSecret = new aws.secretsmanager.Secret(
+        `${name}-password-secret`,
+        {
+          name: `${stack}/${project}/DatabasePassword`,
+        },
+        { parent: this },
+      );
+
+      const passwordSecretValue = new aws.secretsmanager.SecretVersion(
+        `${name}-password-secret-value`,
+        {
+          secretId: this.passwordSecret.id,
+          secretString: password,
+        },
+        { parent: this, dependsOn: [this.passwordSecret] },
+      );
+    }
+
     this.instance = new aws.rds.Instance(
       `${name}-rds`,
       {
@@ -118,7 +148,7 @@ export class Database extends pulumi.ComponentResource {
         instanceClass: argsWithDefaults.instanceClass,
         dbName: argsWithDefaults.dbName,
         username: argsWithDefaults.username,
-        password: argsWithDefaults.password,
+        password,
         dbSubnetGroupName: this.dbSubnetGroup.name,
         vpcSecurityGroupIds: [this.dbSecurityGroup.id],
         storageEncrypted: true,

src/components/project.ts

@@ -32,8 +32,12 @@ export type WebServerService = {
   environment?:
     | aws.ecs.KeyValuePair[]
     | ((services: Services) => aws.ecs.KeyValuePair[]);
+  secrets?: aws.ecs.Secret[] | ((services: Services) => aws.ecs.Secret[]);
 } & ServiceArgs &
-  Omit<WebServerArgs, 'cluster' | 'vpc' | 'hostedZoneId' | 'environment'>;
+  Omit<
+    WebServerArgs,
+    'cluster' | 'vpc' | 'hostedZoneId' | 'environment' | 'secrets'
+  >;
 
 export type ProjectArgs = {
   services: (
@@ -173,12 +177,15 @@ export class Project extends pulumi.ComponentResource {
     if (!this.cluster) return;
     if (!this.hostedZoneId) throw new MissingHostedZoneId(options.type);
 
-    const { serviceName, environment, ...ecsOptions } = options;
+    const { serviceName, environment, secrets, ...ecsOptions } = options;
     const parsedEnv =
       typeof environment === 'function'
         ? environment(this.services)
         : environment;
 
+    const parsedSecrets =
+      typeof secrets === 'function' ? secrets(this.services) : secrets;
+
     const service = new WebServer(
       serviceName,
       {
@@ -187,6 +194,7 @@ export class Project extends pulumi.ComponentResource {
         vpc: this.vpc,
         hostedZoneId: this.hostedZoneId,
         environment: parsedEnv,
+        secrets: parsedSecrets,
       },
       { parent: this },
     );

src/components/redis.ts

@@ -1,5 +1,6 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as upstash from '@upstash/pulumi';
+import * as aws from '@pulumi/aws';
 
 export type RedisArgs = {
   /**
@@ -22,10 +23,15 @@ export interface RedisOptions extends pulumi.ComponentResourceOptions {
 
 export class Redis extends pulumi.ComponentResource {
   instance: upstash.RedisDatabase;
+  passwordSecret: aws.secretsmanager.Secret;
+  username = 'default';
 
   constructor(name: string, args: RedisArgs, opts: RedisOptions) {
     super('studion:Redis', name, {}, opts);
 
+    const project = pulumi.getProject();
+    const stack = pulumi.getStack();
+
     const argsWithDefaults = Object.assign({}, defaults, args);
 
     this.instance = new upstash.RedisDatabase(
@@ -39,6 +45,23 @@ export class Redis extends pulumi.ComponentResource {
       { provider: opts.provider, parent: this },
     );
 
+    this.passwordSecret = new aws.secretsmanager.Secret(
+      `${name}-password-secret`,
+      {
+        name: `${stack}/${project}/RedisPassword`,
+      },
+      { parent: this, dependsOn: [this.instance] },
+    );
+
+    const passwordSecretValue = new aws.secretsmanager.SecretVersion(
+      `${name}-password-secret-value`,
+      {
+        secretId: this.passwordSecret.id,
+        secretString: this.instance.password,
+      },
+      { parent: this, dependsOn: [this.passwordSecret] },
+    );
+
     this.registerOutputs();
   }
 }

src/components/static-site.ts

@@ -44,7 +44,6 @@ export class StaticSite extends pulumi.ComponentResource {
     const bucket = new aws.s3.Bucket(
       `${name}-bucket`,
       {
-        bucket: name,
         website: {
           indexDocument: 'index.html',
           errorDocument: 'index.html',