Merge pull request #5 from thoughtbot/import-rds-posgres-login

Add rds-postgres-login module to create additional postgres users in RDS

Author: OlamideOl1

rds-postgres/rds-postgres-login/README.md

@@ -0,0 +1,101 @@
+# RDS Postgres Admin Login
+
+Creates a login to an RDS Postgres instance and automatically rotates the
+password.
+
+An active, admin username and password must be provided in an existing secret.
+This admin user will be used to create and rotate credentials.
+
+During rotation, the secret will toggle between primary and alternate usernames
+to avoid the scenario where the password is changed but hasn't been propagated
+to all users yet. This means that each password will remain active for two
+rotations.
+
+Example:
+
+```
+module "rds_readonly_password" {
+  source = "git@github.com:thoughtbot/flightdeck-addons.git//aws/rds-postgres-login?ref=main"
+
+  admin_login_kms_key_id = module.rds_admin_password.kms_key_arn
+  admin_login_secret_arn = module.rds_admin_password.secret_arn
+  database               = module.database.primary
+  subnet_ids             = module.network_data.private_subnet_ids
+  username               = "readonly"
+  vpc_id                 = module.network_data.vpc_id
+
+  grants = [
+    "GRANT USAGE ON SCHEMA public TO %s",
+    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO %s"
+  ]
+}
+
+module "rds_admin_password" {
+  source = "git@github.com:thoughtbot/flightdeck-addons.git//aws/rds-postgres-admin-login?ref=main"
+
+  database         = module.database.primary
+  initial_password = module.database.initial_password
+  subnet_ids       = module.network_data.private_subnet_ids
+  username         = module.database.admin_username
+  vpc_id           = module.network_data.vpc_id
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_rotation"></a> [rotation](#module\_rotation) | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.4.0 |
+| <a name="module_secret"></a> [secret](#module\_secret) | github.com/thoughtbot/terraform-aws-secrets//secret | v0.4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.access_admin_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.access_admin_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_security_group.function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.function_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_iam_policy_document.access_admin_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_key.admin_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_admin_login_kms_key_id"></a> [admin\_login\_kms\_key\_id](#input\_admin\_login\_kms\_key\_id) | ARN of the KMS key used to encrypt the admin login | `string` | n/a | yes |
+| <a name="input_admin_login_secret_arn"></a> [admin\_login\_secret\_arn](#input\_admin\_login\_secret\_arn) | ARN of a SecretsManager secret containing admin login | `string` | `null` | no |
+| <a name="input_admin_principals"></a> [admin\_principals](#input\_admin\_principals) | Principals allowed to peform admin actions (default: current account) | `list(string)` | `null` | no |
+| <a name="input_alternate_username"></a> [alternate\_username](#input\_alternate\_username) | Username for the alternate login used during rotation | `string` | `null` | no |
+| <a name="input_database"></a> [database](#input\_database) | The database instance for which a login will be managed | <pre>object({<br>    address    = string<br>    arn        = string<br>    engine     = string<br>    identifier = string<br>    name       = string<br>    port       = number<br>  })</pre> | n/a | yes |
+| <a name="input_grants"></a> [grants](#input\_grants) | List of GRANT statements for this user | `list(string)` | n/a | yes |
+| <a name="input_read_principals"></a> [read\_principals](#input\_read\_principals) | Principals allowed to read the secret (default: current account) | `list(string)` | `null` | no |
+| <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | Override the name for this secret | `string` | `null` | no |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnets in which the rotation function should run | `list(string)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to created resources | `map(string)` | `{}` | no |
+| <a name="input_trust_tags"></a> [trust\_tags](#input\_trust\_tags) | Tags required on principals accessing the secret | `map(string)` | `{}` | no |
+| <a name="input_username"></a> [username](#input\_username) | The username for which a login will be managed | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC in which the rotation function should run | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_policy_json"></a> [policy\_json](#output\_policy\_json) | Required IAM policies |
+| <a name="output_secret_arn"></a> [secret\_arn](#output\_secret\_arn) | ARN of the secrets manager secret containing credentials |
+| <a name="output_secret_name"></a> [secret\_name](#output\_secret\_name) | Name of the secrets manager secret containing credentials |
+<!-- END_TF_DOCS -->

rds-postgres/rds-postgres-login/main.tf

@@ -0,0 +1,104 @@
+module "secret" {
+  source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
+
+  admin_principals = var.admin_principals
+  description      = "Postgres password for: ${local.full_name}"
+  name             = coalesce(var.secret_name, local.full_name)
+  read_principals  = var.read_principals
+  resource_tags    = var.tags
+  trust_tags       = var.trust_tags
+
+  initial_value = jsonencode({
+    dbname   = var.database.name
+    engine   = var.database.engine
+    host     = var.database.address
+    password = ""
+    port     = tostring(var.database.port)
+    username = var.username
+  })
+}
+
+module "rotation" {
+  source = "github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function?ref=v0.4.0"
+
+  handler            = "lambda_function.lambda_handler"
+  role_arn           = module.secret.rotation_role_arn
+  runtime            = "python3.8"
+  secret_arn         = module.secret.arn
+  security_group_ids = [aws_security_group.function.id]
+  source_file        = "${path.module}/rotation/lambda_function.py"
+  subnet_ids         = var.subnet_ids
+
+  dependencies = {
+    postgres = "${path.module}/rotation/postgres.zip"
+  }
+
+  variables = {
+    ADMIN_LOGIN_SECRET_ARN = var.admin_login_secret_arn
+    ALTERNATE_USERNAME     = coalesce(var.alternate_username, "${var.username}_alt")
+    GRANTS                 = jsonencode(var.grants)
+    PRIMARY_USERNAME       = var.username
+  }
+}
+
+resource "aws_security_group" "function" {
+  description = "Security group for rotating ${local.full_name}"
+  name        = "${var.database.identifier}-rotation"
+  tags        = var.tags
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "function_egress" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  description       = "Allow all egress"
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.function.id
+  to_port           = 0
+  type              = "egress"
+}
+
+resource "aws_iam_role_policy_attachment" "access_admin_login" {
+  policy_arn = aws_iam_policy.access_admin_login.arn
+  role       = module.secret.rotation_role_name
+}
+
+resource "aws_iam_policy" "access_admin_login" {
+  name   = local.full_name
+  policy = data.aws_iam_policy_document.access_admin_login.json
+}
+
+data "aws_iam_policy_document" "access_admin_login" {
+  statement {
+    sid = "ReadAdminLogin"
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetSecretValue"
+    ]
+    resources = [var.admin_login_secret_arn]
+  }
+
+  statement {
+    sid = "DecryptReadAdminLogin"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [data.aws_kms_key.admin_login.arn]
+  }
+
+  statement {
+    sid = "DescribeDatabase"
+    actions = [
+      "rds:DescribeDBInstances"
+    ]
+    resources = [var.database.arn]
+  }
+}
+
+data "aws_kms_key" "admin_login" {
+  key_id = var.admin_login_kms_key_id
+}
+
+locals {
+  full_name = join("-", ["rds-postgres", var.database.identifier, var.username])
+}

rds-postgres/rds-postgres-login/makefile

@@ -0,0 +1,58 @@
+TFLINTRC    := ../../.tflint.hcl
+MODULEFILES := $(wildcard *.tf)
+
+.PHONY: default
+default: checkfmt validate docs lint
+
+.PHONY: checkfmt
+checkfmt: .fmt
+
+.PHONY: fmt
+fmt: $(MODULEFILES)
+	terraform fmt
+	@touch .fmt
+
+.PHONY: validate
+validate: .validate
+
+.PHONY: docs
+docs: README.md
+
+.PHONY: lint
+lint: .lint
+
+.lint: $(MODULEFILES) .lintinit
+	tflint --config=$(TFLINTRC)
+	@touch .lint
+
+.lintinit: $(TFLINTRC)
+	tflint --init --config=$(TFLINTRC)
+	@touch .lintinit
+
+README.md: $(MODULEFILES)
+	terraform-docs markdown table . --output-file README.md
+
+.fmt: $(MODULEFILES)
+	terraform fmt -check
+	@touch .fmt
+
+.PHONY: init
+init: .init
+
+.init: versions.tf
+	terraform init -backend=false
+	@touch .init
+
+.validate: .init $(MODULEFILES) $(wildcard *.tf.example)
+	echo | cat - $(wildcard *.tf.example) > test.tf
+	if AWS_DEFAULT_REGION=us-east-1 terraform validate; then \
+		rm test.tf; \
+		touch .validate; \
+	else \
+		rm test.tf; \
+		false; \
+	fi
+
+.PHONY: clean
+clean:
+	rm -rf .fmt .init .lint .lintinit .terraform .terraform.lock.hcl .validate

rds-postgres/rds-postgres-login/outputs.tf

@@ -0,0 +1,14 @@
+output "policy_json" {
+  description = "Required IAM policies"
+  value       = module.secret.policy_json
+}
+
+output "secret_arn" {
+  description = "ARN of the secrets manager secret containing credentials"
+  value       = module.secret.arn
+}
+
+output "secret_name" {
+  description = "Name of the secrets manager secret containing credentials"
+  value       = module.secret.name
+}