Remove additional db_password secret.

lkacenja · lkacenja · commit 28e345fdd167 · 2025-05-21T15:52:59.000-06:00
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -15,6 +15,49 @@ module "backend" {
   environment = var.environment
 }
 
+module "secrets" {
+  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"
+
+  project     = var.project_name
+  environment = var.environment
+
+  secrets = {
+    database = {
+      description = "Credentials for our Database."
+      name = "/asap-pdf/production/database"
+      start_value = jsonencode({
+        host = ""
+        name = ""
+        username = ""
+        password = ""
+      })
+    }
+    redis = {
+      description = "The Redis/Elasticache url."
+      name = "/asap-pdf/production/redis"
+      start_value = jsonencode({
+        url = ""
+      })
+    }
+    rails = {
+      description = "The Rails master key."
+      name = "/asap-pdf/production/rails"
+      start_value = jsonencode({
+        master_key = ""
+        secret_key = ""
+      })
+    }
+    google = {
+      description = "The Rails master key."
+      name = "/asap-pdf/production/GOOGLE_AI_KEY"
+    }
+    anthropic = {
+      description = "The Rails master key."
+      name = "/asap-pdf/production/ANTHROPIC_KEY"
+    }
+  }
+}
+
 module "logging" {
   source = "github.com/codeforamerica/tofu-modules-aws-logging?ref=2.1.0"
 
@@ -59,57 +102,14 @@ module "deployment" {
   project_name      = var.project_name
   environment       = var.environment
 
-  db_password_secret_arn = module.database.db_password_secret_arn
+  db_password_secret_arn = "${module.secrets.secrets["database"].secret_arn}:password"
   aws_account_id         = data.aws_caller_identity.identity.account_id
   backend_kms_arn        = module.backend.kms_key
   document_inference_lambda_arn            = module.lambda.document_inference_lambda_arn
   document_inference_evaluation_lambda_arn = module.lambda.document_inference_evaluation_lambda_arn
   evaluation_lambda_arn                    = module.lambda.evaluation_lambda_arn
 }
 
-module "secrets" {
-  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"
-
-  project     = var.project_name
-  environment = var.environment
-
-  secrets = {
-    database = {
-      description = "Credentials for our Database."
-      name = "/asap-pdf/production/database"
-      start_value = jsonencode({
-        host = ""
-        name = ""
-        username = ""
-        password = ""
-      })
-    }
-    redis = {
-      description = "The Redis/Elasticache url."
-      name = "/asap-pdf/production/redis"
-      start_value = jsonencode({
-        url = ""
-      })
-    }
-    rails = {
-      description = "The Rails master key."
-      name = "/asap-pdf/production/rails"
-      start_value = jsonencode({
-        master_key = ""
-        secret_key = ""
-      })
-    }
-    google = {
-      description = "The Rails master key."
-      name = "/asap-pdf/production/GOOGLE_AI_KEY"
-    }
-    anthropic = {
-      description = "The Rails master key."
-      name = "/asap-pdf/production/ANTHROPIC_KEY"
-    }
-  }
-}
-
 # ECS
 module "ecs" {
   source = "./modules/ecs"
diff --git a/terraform/modules/database/main.tf b/terraform/modules/database/main.tf
@@ -6,14 +6,14 @@ resource "random_password" "db_password" {
 }
 
 # Store password in AWS Secrets Manager
-resource "aws_secretsmanager_secret" "db_password" {
-  name = "${var.project_name}-${var.environment}-db-password"
-}
-
-resource "aws_secretsmanager_secret_version" "db_password" {
-  secret_id     = aws_secretsmanager_secret.db_password.id
-  secret_string = random_password.db_password.result
-}
+# resource "aws_secretsmanager_secret" "db_password" {
+#   name = "${var.project_name}-${var.environment}-db-password"
+# }
+
+# resource "aws_secretsmanager_secret_version" "db_password" {
+#   secret_id     = aws_secretsmanager_secret.db_password.id
+#   secret_string = random_password.db_password.result
+# }
 
 # RDS subnet group
 resource "aws_db_subnet_group" "main" {
diff --git a/terraform/modules/database/outputs.tf b/terraform/modules/database/outputs.tf
@@ -23,7 +23,7 @@ output "db_instance_name" {
   value       = aws_db_instance.main.db_name
 }
 
-output "db_password_secret_arn" {
-  description = "ARN of the secret containing the database password"
-  value       = aws_secretsmanager_secret.db_password.arn
-}
+# output "db_password_secret_arn" {
+#   description = "ARN of the secret containing the database password"
+#   value       = aws_secretsmanager_secret.db_password.arn
+# }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -30,7 +30,7 @@ output "db_username" {
 
 output "db_password_secret_arn" {
   description = "ARN of the secret containing the database password"
-  value       = module.database.db_password_secret_arn
+  value       = "${module.secrets.secrets["database"].secret_arn}:password"
   sensitive   = true
 }
 
@@ -74,7 +74,7 @@ output "database_url" {
   description = "Database connection URL"
   value = format("postgres://%s:%s@%s/%s",
     module.database.db_instance_username,
-    module.database.db_password_secret_arn,
+    "${module.secrets.secrets["database"].secret_arn}:password",
     module.database.db_instance_endpoint,
     module.database.db_instance_name
   )
