Move DB password secrets into secret manager to prevent leaks in task definitions

Limess · Limess · commit 5833e84cae68 · 2022-05-27T10:53:33.000+01:00
diff --git a/examples/eks/metaflow.tf b/examples/eks/metaflow.tf
@@ -47,19 +47,19 @@ module "metaflow-metadata-service" {
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
-  access_list_cidr_blocks          = []
-  api_basic_auth                   = true
-  database_password                = module.metaflow-datastore.database_password
-  database_username                = module.metaflow-datastore.database_username
-  datastore_s3_bucket_kms_key_arn  = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
-  fargate_execution_role_arn       = aws_iam_role.ecs_execution_role.arn
-  metaflow_vpc_id                  = module.vpc.vpc_id
-  metadata_service_container_image = module.metaflow-common.default_metadata_service_container_image
-  rds_master_instance_endpoint     = module.metaflow-datastore.rds_master_instance_endpoint
-  s3_bucket_arn                    = module.metaflow-datastore.s3_bucket_arn
-  subnet1_id                       = module.vpc.private_subnets[0]
-  subnet2_id                       = module.vpc.private_subnets[1]
-  vpc_cidr_block                   = module.vpc.vpc_cidr_block
+  access_list_cidr_blocks              = []
+  api_basic_auth                       = true
+  database_password_secret_manager_arn = module.metaflow-datastore.database_password_secret_manager_arn
+  database_username                    = module.metaflow-datastore.database_username
+  datastore_s3_bucket_kms_key_arn      = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+  fargate_execution_role_arn           = aws_iam_role.ecs_execution_role.arn
+  metaflow_vpc_id                      = module.vpc.vpc_id
+  metadata_service_container_image     = module.metaflow-common.default_metadata_service_container_image
+  rds_master_instance_endpoint         = module.metaflow-datastore.rds_master_instance_endpoint
+  s3_bucket_arn                        = module.metaflow-datastore.s3_bucket_arn
+  subnet1_id                           = module.vpc.private_subnets[0]
+  subnet2_id                           = module.vpc.private_subnets[1]
+  vpc_cidr_block                       = module.vpc.vpc_cidr_block
 
   standard_tags = local.tags
 }
diff --git a/main.tf b/main.tf
@@ -20,21 +20,21 @@ module "metaflow-metadata-service" {
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
-  access_list_cidr_blocks          = var.access_list_cidr_blocks
-  api_basic_auth                   = var.api_basic_auth
-  database_password                = module.metaflow-datastore.database_password
-  database_username                = module.metaflow-datastore.database_username
-  datastore_s3_bucket_kms_key_arn  = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
-  ecs_cluster_id                   = var.ecs_cluster_id
-  fargate_execution_role_arn       = module.metaflow-computation.ecs_execution_role_arn
-  iam_partition                    = var.iam_partition
-  metadata_service_container_image = local.metadata_service_container_image
-  metaflow_vpc_id                  = var.vpc_id
-  rds_master_instance_endpoint     = module.metaflow-datastore.rds_master_instance_endpoint
-  s3_bucket_arn                    = module.metaflow-datastore.s3_bucket_arn
-  subnet1_id                       = var.subnet1_id
-  subnet2_id                       = var.subnet2_id
-  vpc_cidr_block                   = var.vpc_cidr_block
+  access_list_cidr_blocks              = var.access_list_cidr_blocks
+  api_basic_auth                       = var.api_basic_auth
+  database_password_secret_manager_arn = module.metaflow-datastore.database_password_secret_manager_arn
+  database_username                    = module.metaflow-datastore.database_username
+  datastore_s3_bucket_kms_key_arn      = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+  ecs_cluster_id                       = var.ecs_cluster_id
+  fargate_execution_role_arn           = module.metaflow-computation.ecs_execution_role_arn
+  iam_partition                        = var.iam_partition
+  metadata_service_container_image     = local.metadata_service_container_image
+  metaflow_vpc_id                      = var.vpc_id
+  rds_master_instance_endpoint         = module.metaflow-datastore.rds_master_instance_endpoint
+  s3_bucket_arn                        = module.metaflow-datastore.s3_bucket_arn
+  subnet1_id                           = var.subnet1_id
+  subnet2_id                           = var.subnet2_id
+  vpc_cidr_block                       = var.vpc_cidr_block
 
   standard_tags = var.tags
 }
@@ -47,21 +47,21 @@ module "metaflow-ui" {
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
-  database_password               = module.metaflow-datastore.database_password
-  database_username               = module.metaflow-datastore.database_username
-  datastore_s3_bucket_kms_key_arn = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
-  ecs_cluster_id                  = var.ecs_cluster_id
-  fargate_execution_role_arn      = module.metaflow-computation.ecs_execution_role_arn
-  iam_partition                   = var.iam_partition
-  metaflow_vpc_id                 = var.vpc_id
-  rds_master_instance_endpoint    = module.metaflow-datastore.rds_master_instance_endpoint
-  s3_bucket_arn                   = module.metaflow-datastore.s3_bucket_arn
-  subnet1_id                      = var.subnet1_id
-  subnet2_id                      = var.subnet2_id
-  ui_backend_container_image      = local.metadata_service_container_image
-  ui_static_container_image       = local.ui_static_container_image
-  alb_internal                    = var.ui_alb_internal
-  ui_allow_list                   = var.ui_allow_list
+  database_password_secret_manager_arn = module.metaflow-datastore.database_password_secret_manager_arn
+  database_username                    = module.metaflow-datastore.database_username
+  datastore_s3_bucket_kms_key_arn      = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+  ecs_cluster_id                       = var.ecs_cluster_id
+  fargate_execution_role_arn           = module.metaflow-computation.ecs_execution_role_arn
+  iam_partition                        = var.iam_partition
+  metaflow_vpc_id                      = var.vpc_id
+  rds_master_instance_endpoint         = module.metaflow-datastore.rds_master_instance_endpoint
+  s3_bucket_arn                        = module.metaflow-datastore.s3_bucket_arn
+  subnet1_id                           = var.subnet1_id
+  subnet2_id                           = var.subnet2_id
+  ui_backend_container_image           = local.metadata_service_container_image
+  ui_static_container_image            = local.ui_static_container_image
+  alb_internal                         = var.ui_alb_internal
+  ui_allow_list                        = var.ui_allow_list
 
   METAFLOW_DATASTORE_SYSROOT_S3      = module.metaflow-datastore.METAFLOW_DATASTORE_SYSROOT_S3
   certificate_arn                    = var.ui_certificate_arn
@@ -78,6 +78,8 @@ module "metaflow-computation" {
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
+  database_password_secret_manager_arn = module.metaflow-datastore.database_password_secret_manager_arn
+
   batch_type                              = var.batch_type
   compute_environment_ami_id              = var.compute_environment_ami_id
   compute_environment_spot_bid_percentage = var.compute_environment_spot_bid_percentage
diff --git a/modules/computation/README.md b/modules/computation/README.md
@@ -21,6 +21,7 @@ To read more, see [the Metaflow docs](https://docs.metaflow.org/metaflow-on-aws/
 | <a name="input_compute_environment_min_vcpus"></a> [compute\_environment\_min\_vcpus](#input\_compute\_environment\_min\_vcpus) | Minimum VCPUs for Batch Compute Environment [0-16] for EC2 Batch Compute Environment (ignored for Fargate) | `number` | n/a | yes |
 | <a name="input_compute_environment_spot_bid_percentage"></a> [compute\_environment\_spot\_bid\_percentage](#input\_compute\_environment\_spot\_bid\_percentage) | The maximum percentage of on-demand EC2 instance price to bid for spot instances when using the 'spot' AWS Batch Compute Type. | `number` | `100` | no |
 | <a name="input_compute_environment_user_data_base64"></a> [compute\_environment\_user\_data\_base64](#input\_compute\_environment\_user\_data\_base64) | Base64 hash of the user data to use for Batch Compute Environment EC2 instances. | `string` | `null` | no |
+| <a name="input_database_password_secret_manager_arn"></a> [database\_password\_secret\_manager\_arn](#input\_database\_password\_secret\_manager\_arn) | The arn of the database password stored in AWS secrets manager | `string` | n/a | yes |
 | <a name="input_ecs_cluster_id"></a> [ecs\_cluster\_id](#input\_ecs\_cluster\_id) | The ID of an existing ECS cluster to run services on. If no cluster ID is specfied, a new cluster will be created. | `string` | `null` | no |
 | <a name="input_iam_partition"></a> [iam\_partition](#input\_iam\_partition) | IAM Partition (Select aws-us-gov for AWS GovCloud, otherwise leave as is) | `string` | `"aws"` | no |
 | <a name="input_metaflow_vpc_id"></a> [metaflow\_vpc\_id](#input\_metaflow\_vpc\_id) | ID of the Metaflow VPC this SageMaker notebook instance is to be deployed in | `string` | n/a | yes |
diff --git a/modules/computation/iam-ecs-execution.tf b/modules/computation/iam-ecs-execution.tf
@@ -27,6 +27,41 @@ resource "aws_iam_role" "ecs_execution_role" {
   tags = var.standard_tags
 }
 
+
+data "aws_iam_policy_document" "db_secrets" {
+  statement {
+    sid = "AllowDBSecretAccess"
+
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds"
+    ]
+
+    resources = [
+      var.database_password_secret_manager_arn
+    ]
+  }
+
+  statement {
+    sid = "AllowSecretsManagerList"
+
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:ListSecrets",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+}
+
+
 data "aws_iam_policy_document" "ecs_task_execution_policy" {
   statement {
     effect = "Allow"
@@ -53,3 +88,9 @@ resource "aws_iam_role_policy" "grant_ecs_access" {
   role   = aws_iam_role.ecs_execution_role.name
   policy = data.aws_iam_policy_document.ecs_task_execution_policy.json
 }
+
+resource "aws_iam_role_policy" "grant_db_secrets" {
+  name   = "dbt_secrets"
+  role   = aws_iam_role.ecs_execution_role.name
+  policy = data.aws_iam_policy_document.db_secrets.json
+}
diff --git a/modules/computation/variables.tf b/modules/computation/variables.tf
@@ -9,6 +9,12 @@ variable "batch_type" {
   }
 }
 
+variable "database_password_secret_manager_arn" {
+  type        = string
+  description = "The arn of the database password stored in AWS secrets manager"
+  sensitive   = true
+}
+
 variable "compute_environment_ami_id" {
   type        = string
   description = "The AMI ID to use for Batch Compute Environment EC2 instances. If not specified, defaults to the latest ECS optimised AMI."
diff --git a/modules/datastore/README.md b/modules/datastore/README.md
@@ -38,7 +38,7 @@ To read more, see [the Metaflow docs](https://docs.metaflow.org/metaflow-on-aws/
 |------|-------------|
 | <a name="output_METAFLOW_DATASTORE_SYSROOT_S3"></a> [METAFLOW\_DATASTORE\_SYSROOT\_S3](#output\_METAFLOW\_DATASTORE\_SYSROOT\_S3) | Amazon S3 URL for Metaflow DataStore |
 | <a name="output_METAFLOW_DATATOOLS_S3ROOT"></a> [METAFLOW\_DATATOOLS\_S3ROOT](#output\_METAFLOW\_DATATOOLS\_S3ROOT) | Amazon S3 URL for Metaflow DataTools |
-| <a name="output_database_password"></a> [database\_password](#output\_database\_password) | The database password |
+| <a name="output_database_password_secret_manager_arn"></a> [database\_password\_secret\_manager\_arn](#output\_database\_password\_secret\_manager\_arn) | The arn of the database password stored in AWS secrets manager |
 | <a name="output_database_username"></a> [database\_username](#output\_database\_username) | The database username |
 | <a name="output_datastore_s3_bucket_kms_key_arn"></a> [datastore\_s3\_bucket\_kms\_key\_arn](#output\_datastore\_s3\_bucket\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the Metaflow datastore S3 bucket |
 | <a name="output_rds_master_instance_endpoint"></a> [rds\_master\_instance\_endpoint](#output\_rds\_master\_instance\_endpoint) | The database connection endpoint in address:port format |
diff --git a/modules/datastore/outputs.tf b/modules/datastore/outputs.tf
@@ -8,9 +8,9 @@ output "METAFLOW_DATASTORE_SYSROOT_S3" {
   description = "Amazon S3 URL for Metaflow DataStore"
 }
 
-output "database_password" {
-  value       = random_password.this.result
-  description = "The database password"
+output "database_password_secret_manager_arn" {
+  value       = aws_secretsmanager_secretrds_db_password.arn
+  description = "The arn of the database password stored in AWS secrets manager"
 }
 
 output "database_username" {
diff --git a/modules/datastore/rds.tf b/modules/datastore/rds.tf
@@ -51,6 +51,15 @@ resource "random_password" "this" {
   override_special = "!#$%&*()-_=+[]{}<>:?"
 }
 
+resource "aws_secretsmanager_secret" "rds_db_password" {
+  name = "${var.resource_prefix}${var.db_name}_password${var.resource_suffix}"
+}
+
+resource "aws_secretsmanager_secret_version" "example" {
+  secret_id     = aws_secretsmanager_secret.rds_db_password.id
+  secret_string = random_password.this.result
+}
+
 resource "random_pet" "final_snapshot_id" {}
 
 /*
diff --git a/modules/metadata-service/README.md b/modules/metadata-service/README.md
@@ -17,7 +17,7 @@ If the `access_list_cidr_blocks` variable is set, only traffic originating from
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_list_cidr_blocks"></a> [access\_list\_cidr\_blocks](#input\_access\_list\_cidr\_blocks) | List of CIDRs we want to grant access to our Metaflow Metadata Service. Usually this is our VPN's CIDR blocks. | `list(string)` | n/a | yes |
 | <a name="input_api_basic_auth"></a> [api\_basic\_auth](#input\_api\_basic\_auth) | Enable basic auth for API Gateway? (requires key export) | `bool` | `true` | no |
-| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The database password | `string` | n/a | yes |
+| <a name="input_database_password_secret_manager_arn"></a> [database\_password\_secret\_manager\_arn](#input\_database\_password\_secret\_manager\_arn) | The arn of the database password stored in AWS secrets manager | `string` | n/a | yes |
 | <a name="input_database_username"></a> [database\_username](#input\_database\_username) | The database username | `string` | n/a | yes |
 | <a name="input_datastore_s3_bucket_kms_key_arn"></a> [datastore\_s3\_bucket\_kms\_key\_arn](#input\_datastore\_s3\_bucket\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the Metaflow datastore S3 bucket | `string` | n/a | yes |
 | <a name="input_ecs_cluster_id"></a> [ecs\_cluster\_id](#input\_ecs\_cluster\_id) | The ID of an existing ECS cluster to run services on. If no cluster ID is specfied, a new cluster will be created. | `string` | `null` | no |
diff --git a/modules/metadata-service/ecs.tf b/modules/metadata-service/ecs.tf
@@ -14,43 +14,45 @@ resource "aws_ecs_cluster" "this" {
 resource "aws_ecs_task_definition" "this" {
   family = "${var.resource_prefix}service${var.resource_suffix}" # Unique name for task definition
 
-  container_definitions = <<EOF
-[
-  {
-    "name": "${var.resource_prefix}service${var.resource_suffix}",
-    "image": "${var.metadata_service_container_image}",
-    "essential": true,
-    "cpu": 512,
-    "memory": 1024,
-    "portMappings": [
-      {
-        "containerPort": 8080,
-        "hostPort": 8080
-      },
-      {
-        "containerPort": 8082,
-        "hostPort": 8082
-      }
-    ],
-    "environment": [
-      {"name": "MF_METADATA_DB_HOST", "value": "${replace(var.rds_master_instance_endpoint, ":5432", "")}"},
-      {"name": "MF_METADATA_DB_NAME", "value": "metaflow"},
-      {"name": "MF_METADATA_DB_PORT", "value": "5432"},
-      {"name": "MF_METADATA_DB_PSWD", "value": "${var.database_password}"},
-      {"name": "MF_METADATA_DB_USER", "value": "${var.database_username}"}
-    ],
-    "logConfiguration": {
-        "logDriver": "awslogs",
-        "options": {
-            "awslogs-group": "${aws_cloudwatch_log_group.this.name}",
-            "awslogs-region": "${data.aws_region.current.name}",
-            "awslogs-stream-prefix": "metadata"
+  container_definitions = jsonencode([
+    {
+      "name"      = "${var.resource_prefix}service${var.resource_suffix}",
+      "image"     = "${var.metadata_service_container_image}",
+      "essential" = true,
+      "cpu"       = 512,
+      "memory"    = 1024,
+      "portMappings" = [
+        {
+          "containerPort" = 8080,
+          "hostPort"      = 8080
+        },
+        {
+          "containerPort" = 8082,
+          "hostPort"      = 8082
+        }
+      ],
+      "environment" = [
+        { "name" = "MF_METADATA_DB_HOST", "value" = "${replace(var.rds_master_instance_endpoint, ":5432", "")}" },
+        { "name" = "MF_METADATA_DB_NAME", "value" = "metaflow" },
+        { "name" = "MF_METADATA_DB_PORT", "value" = "5432" },
+        { "name" = "MF_METADATA_DB_USER", "value" = "${var.database_username}" },
+      ],
+      "secrets" = [
+        {
+          "name"      = "MF_METADATA_DB_PSWD",
+          "valueFrom" = var.database_password_secret_manager_arn,
+        }
+      ],
+      "logConfiguration" = {
+        "logDriver" = "awslogs",
+        "options" = {
+          "awslogs-group"         = "${aws_cloudwatch_log_group.this.name}",
+          "awslogs-region"        = "${data.aws_region.current.name}",
+          "awslogs-stream-prefix" = "metadata"
         }
+      }
     }
-  }
-]
-EOF
-
+  ])
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   task_role_arn            = aws_iam_role.metadata_svc_ecs_task_role.arn
diff --git a/modules/metadata-service/variables.tf b/modules/metadata-service/variables.tf
@@ -15,9 +15,10 @@ variable "ecs_cluster_id" {
   description = "The ID of an existing ECS cluster to run services on. If no cluster ID is specfied, a new cluster will be created."
 }
 
-variable "database_password" {
+variable "database_password_secret_manager_arn" {
   type        = string
-  description = "The database password"
+  description = "The arn of the database password stored in AWS secrets manager"
+  sensitive   = true
 }
 
 variable "database_username" {
diff --git a/modules/step-functions/README.md b/modules/step-functions/README.md
@@ -12,7 +12,7 @@ To read more, see [the Metaflow docs](https://docs.metaflow.org/going-to-product
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_active"></a> [active](#input\_active) | When true step function infrastructure is provisioned. | `bool` | `false` | no |
-| <a name="input_batch_job_queue_arns"></a> [batch\_job\_queue\_arns](#input\_batch\_job\_queue\_arns) | Batch job queue arns | `list[string]` | n/a | yes |
+| <a name="input_batch_job_queue_arns"></a> [batch\_job\_queue\_arns](#input\_batch\_job\_queue\_arns) | Batch job queue arns | `list(string)` | n/a | yes |
 | <a name="input_iam_partition"></a> [iam\_partition](#input\_iam\_partition) | IAM Partition (Select aws-us-gov for AWS GovCloud, otherwise leave as is) | `string` | `"aws"` | no |
 | <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | Prefix given to all AWS resources to differentiate between applications | `string` | n/a | yes |
 | <a name="input_resource_suffix"></a> [resource\_suffix](#input\_resource\_suffix) | Suffix given to all AWS resources to differentiate between environment and workspace | `string` | n/a | yes |
diff --git a/modules/step-functions/variables.tf b/modules/step-functions/variables.tf
@@ -5,7 +5,7 @@ variable "active" {
 }
 
 variable "batch_job_queue_arns" {
-  type        = list[string]
+  type        = list(string)
   description = "Batch job queue arns"
 }
 
diff --git a/modules/ui/README.md b/modules/ui/README.md
diff --git a/modules/ui/ecs_ui_backend.tf b/modules/ui/ecs_ui_backend.tf
diff --git a/modules/ui/locals.tf b/modules/ui/locals.tf
diff --git a/modules/ui/variables.tf b/modules/ui/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,12 @@ variable "batch_type" {`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`
	`12`	`+variable "database_password_secret_manager_arn" {`
	`13`	`+ type = string`
	`14`	`+ description = "The arn of the database password stored in AWS secrets manager"`
	`15`	`+ sensitive = true`
	`16`	`+}`
	`17`	`+`
`12`	`18`	`variable "compute_environment_ami_id" {`
`13`	`19`	`type = string`
`14`	`20`	`description = "The AMI ID to use for Batch Compute Environment EC2 instances. If not specified, defaults to the latest ECS optimised AMI."`
Original file line number	Diff line number	Diff line change
`@@ -8,9 +8,9 @@ output "METAFLOW_DATASTORE_SYSROOT_S3" {`
`8`	`8`	`description = "Amazon S3 URL for Metaflow DataStore"`
`9`	`9`	`}`
`10`	`10`
`11`		`-output "database_password" {`
`12`		`- value = random_password.this.result`
`13`		`- description = "The database password"`
	`11`	`+output "database_password_secret_manager_arn" {`
	`12`	`+ value = aws_secretsmanager_secretrds_db_password.arn`
	`13`	`+ description = "The arn of the database password stored in AWS secrets manager"`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`output "database_username" {`
Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,10 @@ variable "ecs_cluster_id" {`
`15`	`15`	`description = "The ID of an existing ECS cluster to run services on. If no cluster ID is specfied, a new cluster will be created."`
`16`	`16`	`}`
`17`	`17`
`18`		`-variable "database_password" {`
	`18`	`+variable "database_password_secret_manager_arn" {`
`19`	`19`	`type = string`
`20`		`- description = "The database password"`
	`20`	`+ description = "The arn of the database password stored in AWS secrets manager"`
	`21`	`+ sensitive = true`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`variable "database_username" {`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ variable "active" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`variable "batch_job_queue_arns" {`
`8`		`- type = list[string]`
	`8`	`+ type = list(string)`
`9`	`9`	`description = "Batch job queue arns"`
`10`	`10`	`}`
`11`	`11`