Merge pull request #10 from ankur6405/secret-manager

Added option to upload output to secret manager
squareops · Aug 3, 2023 · 4402cb8 · 4402cb8
2 parents b6048e5 + 2990613
commit 4402cb8
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 61 deletions.
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ This module allows you to easily deploy a MySQL database on Kubernetes using Hel
 
 | MysqlDB Helm Chart Version | K8s supported version | 
 | :-----: | :--- |
-| **9.2.0** | **1.23,1.24,1.25** |
+| **9.2.0** | **1.23,1.24,1.25,1.26,1.27** |
 
 
 ## Usage Example
@@ -21,15 +21,27 @@ module "mysql" {
  source = "squareops/mysql/kubernetes"
  cluster_name = "dev-cluster"
  mysqldb_config = {
- name = "mysql"
- values_yaml = ""
- environment = "prod"
- architecture = "replication"
- storage_class_name = "gp3"
- custom_user_username = "admin"
- primary_db_volume_size = "10Gi"
- secondary_db_volume_size = "10Gi"
- secondary_db_replica_count = 2
+ name = "mysql"
+ values_yaml = ""
+ environment = "prod"
+ architecture = "replication"
+ storage_class_name = "gp3"
+ custom_user_username = "admin"
+ primary_db_volume_size = "10Gi"
+ secondary_db_volume_size = "10Gi"
+ secondary_db_replica_count = 2
+ store_password_to_secret_manager = true
+ }
+ mysqldb_custom_credentials_enabled = true
+ mysqldb_custom_credentials_config = {
+ root_user = "root"
+ root_password = "RJDRIFsYC8ZS1WQuV0ps"
+ custom_username = "admin"
+ custom_user_password = "NCPFUKEMd7rrWuvMAa73"
+ replication_user = "replicator"
+ replication_password = "nvAHhm1uGQNYWVw6ZyAH"
+ exporter_user = "mysqld_exporter"
+ exporter_password = "ZawhvpueAehRdKFlbjaq"
  }
  mysqldb_backup_enabled = true
  mysqldb_backup_config = {
@@ -60,7 +72,7 @@ The required IAM permissions to create resources from this module can be found [
  5. To deploy Prometheus/Grafana, please follow the installation instructions for each tool in their respective documentation.
  6. Once Prometheus and Grafana are deployed, the exporter can be configured to scrape metrics data from your application or system and send it to Prometheus.
  7. Finally, you can use Grafana to create custom dashboards and visualize the metrics data collected by Prometheus.
- 8. This module is compatible with EKS version 1.23, which is great news for users deploying the module on an EKS cluster running that version. Review the module's documentation, meet specific configuration requirements, and test thoroughly after deployment to ensure everything works as expected.
+ 8. This module is compatible with EKS version 1.23,1.24,1.25,1.26 and 1.27, which is great news for users deploying the module on an EKS cluster running that version. Review the module's documentation, meet specific configuration requirements, and test thoroughly after deployment to ensure everything works as expected.
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -108,7 +120,9 @@ No modules.
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Specify whether or not to create the namespace if it does not already exist. Set it to true to create the namespace. | `string` | `true` | no |
 | <a name="input_mysqldb_backup_config"></a> [mysqldb\_backup\_config](#input\_mysqldb\_backup\_config) | configuration options for MySQL database backups. It includes properties such as the S3 bucket URI, the S3 bucket region, and the cron expression for full backups. | `any` | <pre>{<br> "cron_for_full_backup": "",<br> "s3_bucket_region": "",<br> "s3_bucket_uri": ""<br>}</pre> | no |
 | <a name="input_mysqldb_backup_enabled"></a> [mysqldb\_backup\_enabled](#input\_mysqldb\_backup\_enabled) | Specifies whether to enable backups for MySQL database. | `bool` | `false` | no |
-| <a name="input_mysqldb_config"></a> [mysqldb\_config](#input\_mysqldb\_config) | Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values. | `any` | <pre>{<br> "architecture": "",<br> "custom_user_username": "",<br> "environment": "",<br> "name": "",<br> "primary_db_volume_size": "",<br> "secondary_db_replica_count": 1,<br> "secondary_db_volume_size": "",<br> "storage_class_name": "",<br> "values_yaml": ""<br>}</pre> | no |
+| <a name="input_mysqldb_config"></a> [mysqldb\_config](#input\_mysqldb\_config) | Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values. | `any` | <pre>{<br> "architecture": "",<br> "custom_user_username": "",<br> "environment": "",<br> "name": "",<br> "primary_db_volume_size": "",<br> "secondary_db_replica_count": 1,<br> "secondary_db_volume_size": "",<br> "storage_class_name": "",<br> "store_password_to_secret_manager": true,<br> "values_yaml": ""<br>}</pre> | no |
+| <a name="input_mysqldb_custom_credentials_config"></a> [mysqldb\_custom\_credentials\_config](#input\_mysqldb\_custom\_credentials\_config) | Specify the configuration settings for MySQL to pass custom credentials during creation | `any` | <pre>{<br> "custom_user_password": "",<br> "custom_username": "",<br> "exporter_password": "",<br> "exporter_user": "",<br> "replication_password": "",<br> "replication_user": "",<br> "root_password": "",<br> "root_user": ""<br>}</pre> | no |
+| <a name="input_mysqldb_custom_credentials_enabled"></a> [mysqldb\_custom\_credentials\_enabled](#input\_mysqldb\_custom\_credentials\_enabled) | Specifies whether to enable custom for MySQL database. | `bool` | `false` | no |
 | <a name="input_mysqldb_exporter_enabled"></a> [mysqldb\_exporter\_enabled](#input\_mysqldb\_exporter\_enabled) | Specify whether or not to deploy Mysql exporter to collect Mysql metrics for monitoring in Grafana. | `bool` | `false` | no |
 | <a name="input_mysqldb_restore_config"></a> [mysqldb\_restore\_config](#input\_mysqldb\_restore\_config) | Configuration options for restoring dump to the MySQL database. | `any` | <pre>{<br> "s3_bucket_region": "",<br> "s3_bucket_uri": ""<br>}</pre> | no |
 | <a name="input_mysqldb_restore_enabled"></a> [mysqldb\_restore\_enabled](#input\_mysqldb\_restore\_enabled) | Specifies whether to enable restoring dump to the MySQL database. | `bool` | `false` | no |
@@ -119,7 +133,8 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_mysqldb"></a> [mysqldb](#output\_mysqldb) | Mysql\_Info |
+| <a name="output_mysqldb_credential"></a> [mysqldb\_credential](#output\_mysqldb\_credential) | MySQL credentials used for accessing the MySQL database. |
+| <a name="output_mysqldb_endpoints"></a> [mysqldb\_endpoints](#output\_mysqldb\_endpoints) | MySQL endpoints in the Kubernetes cluster. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Contribution & Issue Reporting

diff --git a/backup/templates/cronjob.yaml b/backup/templates/cronjob.yaml
@@ -40,4 +40,3 @@ spec:
  secretKeyRef:
  name: aws-mysql
  key: AWS_DEFAULT_REGION
-
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -38,5 +38,6 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_mysql_configuration"></a> [mysql\_configuration](#output\_mysql\_configuration) | Mysql\_Info |
+| <a name="output_mysql_credential"></a> [mysql\_credential](#output\_mysql\_credential) | MySQL credentials used for accessing the MySQL database. |
+| <a name="output_mysql_endpoints"></a> [mysql\_endpoints](#output\_mysql\_endpoints) | MySQL endpoints in the Kubernetes cluster. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -7,21 +7,34 @@ locals {
  Expires = "Never"
  Department = "Engineering"
  }
+ store_password_to_secret_manager = true
 }
 
 module "mysql" {
  source = "squareops/mysql/kubernetes"
  cluster_name = ""
  mysqldb_config = {
- name = local.name
- values_yaml = file("./helm/values.yaml")
- environment = local.environment
- architecture = "replication"
- storage_class_name = "gp3"
- custom_user_username = "admin"
- primary_db_volume_size = "10Gi"
- secondary_db_volume_size = "10Gi"
- secondary_db_replica_count = 2
+ name = local.name
+ values_yaml = file("./helm/values.yaml")
+ environment = local.environment
+ architecture = "replication"
+ storage_class_name = "gp3"
+ custom_user_username = "admin"
+ primary_db_volume_size = "10Gi"
+ secondary_db_volume_size = "10Gi"
+ secondary_db_replica_count = 2
+ store_password_to_secret_manager = local.store_password_to_secret_manager
+ }
+ mysqldb_custom_credentials_enabled = true
+ mysqldb_custom_credentials_config = {
+ root_user = "root"
+ root_password = "RJDRIFsYC8ZS1WQuV0ps"
+ custom_username = "admin"
+ custom_user_password = "NCPFUKEMd7rrWuvMAa73"
+ replication_user = "replicator"
+ replication_password = "nvAHhm1uGQNYWVw6ZyAH"
+ exporter_user = "mysqld_exporter"
+ exporter_password = "ZawhvpueAehRdKFlbjaq"
  }
  mysqldb_backup_enabled = true
  mysqldb_backup_config = {

diff --git a/examples/complete/output.tf b/examples/complete/output.tf
@@ -1,4 +1,9 @@
-output "mysql_configuration" {
- value = module.mysql.mysqldb
- description = "Mysql_Info"
+output "mysql_endpoints" {
+ value = module.mysql.mysqldb_endpoints
+ description = "MySQL endpoints in the Kubernetes cluster."
+}
+
+output "mysql_credential" {
+ value = local.store_password_to_secret_manager ? null : module.mysql.mysqldb_credential
+ description = "MySQL credentials used for accessing the MySQL database."
 }
diff --git a/examples/complete/provider.tf b/examples/complete/provider.tf
@@ -5,7 +5,6 @@ provider "aws" {
  }
 }
 
-
 data "aws_eks_cluster" "cluster" {
  name = ""
 }
@@ -14,19 +13,16 @@ data "aws_eks_cluster_auth" "cluster" {
  name = ""
 }
 
-
 provider "kubernetes" {
  host = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token = data.aws_eks_cluster_auth.cluster.token
-
 }
 
 provider "helm" {
  kubernetes {
  host = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token = data.aws_eks_cluster_auth.cluster.token
-
  }
 }
diff --git a/main.tf b/main.tf
@@ -13,44 +13,59 @@ data "aws_eks_cluster" "kubernetes_cluster" {
 }
 
 resource "random_password" "mysqldb_root_password" {
+ count = var.mysqldb_custom_credentials_enabled ? 0 : 1
  length = 20
  special = false
 }
 
 resource "random_password" "mysqldb_custom_user_password" {
+ count = var.mysqldb_custom_credentials_enabled ? 0 : 1
  length = 20
  special = false
 }
 
 resource "random_password" "mysqldb_replication_user_password" {
+ count = var.mysqldb_custom_credentials_enabled ? 0 : 1
  length = 20
  special = false
 }
 
 resource "random_password" "mysqldb_exporter_user_password" {
+ count = var.mysqldb_custom_credentials_enabled ? 0 : 1
  length = 20
  special = false
 }
 
 resource "aws_secretsmanager_secret" "mysql_user_password" {
+ count = var.mysqldb_config.store_password_to_secret_manager ? 1 : 0
  name = format("%s/%s/%s", var.mysqldb_config.environment, var.mysqldb_config.name, "mysql")
  recovery_window_in_days = var.recovery_window_aws_secret
 }
 
 resource "aws_secretsmanager_secret_version" "mysql_user_password" {
- secret_id = aws_secretsmanager_secret.mysql_user_password.id
- secret_string = <<EOF
- {
- "root_user": "root",
- "root_password": "${random_password.mysqldb_root_password.result}",
- "custom_username": "${var.mysqldb_config.custom_user_username}",
- "custom_user_password": "${random_password.mysqldb_custom_user_password.result}",
- "replication_user": "replicator",
- "replication_password": "${random_password.mysqldb_replication_user_password.result}",
- "exporter_user": "mysqld_exporter",
- "exporter_password": "${random_password.mysqldb_exporter_user_password.result}"
- }
-EOF
+ count = var.mysqldb_config.store_password_to_secret_manager ? 1 : 0
+ secret_id = aws_secretsmanager_secret.mysql_user_password[0].id
+ secret_string = var.mysqldb_custom_credentials_enabled ? jsonencode(
+ {
+ "root_user" : "${var.mysqldb_custom_credentials_config.root_user}",
+ "root_password" : "${var.mysqldb_custom_credentials_config.root_password}",
+ "custom_username" : "${var.mysqldb_custom_credentials_config.custom_username}",
+ "custom_user_password" : "${var.mysqldb_custom_credentials_config.custom_user_password}",
+ "replication_user" : "${var.mysqldb_custom_credentials_config.replication_user}",
+ "replication_password" : "${var.mysqldb_custom_credentials_config.replication_password}",
+ "exporter_user" : "${var.mysqldb_custom_credentials_config.exporter_user}",
+ "exporter_password" : "${var.mysqldb_custom_credentials_config.exporter_password}"
+ }) : jsonencode(
+ {
+ "root_user" : "root",
+ "root_password" : "${random_password.mysqldb_root_password[0].result}",
+ "custom_username" : "${var.mysqldb_config.custom_user_username}",
+ "custom_user_password" : "${random_password.mysqldb_custom_user_password[0].result}",
+ "replication_user" : "replicator",
+ "replication_password" : "${random_password.mysqldb_replication_user_password[0].result}",
+ "exporter_user" : "mysqld_exporter",
+ "exporter_password" : "${random_password.mysqldb_exporter_user_password[0].result}"
+ })
 }
 
 resource "kubernetes_namespace" "mysqldb" {
@@ -76,13 +91,13 @@ resource "helm_release" "mysqldb" {
  primary_pod_size = var.mysqldb_config.primary_db_volume_size,
  secondary_pod_size = var.mysqldb_config.secondary_db_volume_size,
  storage_class_name = var.mysqldb_config.storage_class_name,
- custom_user_username = var.mysqldb_config.custom_user_username,
- custom_user_password = random_password.mysqldb_custom_user_password.result,
- replication_password = random_password.mysqldb_replication_user_password.result,
- mysqldb_root_password = random_password.mysqldb_root_password.result,
+ custom_user_username = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_username : var.mysqldb_config.custom_user_username,
+ custom_user_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_user_password : random_password.mysqldb_custom_user_password[0].result,
+ replication_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_password : random_password.mysqldb_replication_user_password[0].result,
+ mysqldb_root_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_password : random_password.mysqldb_root_password[0].result,
  mysqldb_exporter_enabled = var.mysqldb_exporter_enabled,
  service_monitor_namespace = var.namespace
- metrics_exporter_password = random_password.mysqldb_exporter_user_password.result,
+ metrics_exporter_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_password : random_password.mysqldb_exporter_user_password[0].result,
  secondary_pod_replica_count = var.mysqldb_config.secondary_db_replica_count
  }),
  var.mysqldb_config.values_yaml

diff --git a/output.tf b/output.tf
@@ -1,10 +1,24 @@
-output "mysqldb" {
- description = "Mysql_Info"
+output "mysqldb_endpoints" {
+ description = "MySQL endpoints in the Kubernetes cluster."
  value = {
  mysqlport = "3306",
  mysql_primary_endpoint = "mysqldb-primary.${var.namespace}.svc.cluster.local",
  mysql_primary_headless_endpoint = "mysqldb-primary-headless.${var.namespace}.svc.cluster.local",
  mysql_secondary_endpoint = "mysqldb-secondary.${var.namespace}.svc.cluster.local",
- mysql_secondary_headless_endpoint = "mysqldb-secondary-headless.${var.namespace}.svc.cluster.local"
+ mysql_secondary_headless_endpoint = "mysqldb-secondary-headless.${var.namespace}.svc.cluster.local",
+ }
+}
+
+output "mysqldb_credential" {
+ description = "MySQL credentials used for accessing the MySQL database."
+ value = var.mysqldb_config.store_password_to_secret_manager ? null : {
+ root_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_user : "root",
+ root_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_password : nonsensitive(random_password.mysqldb_root_password[0].result),
+ custom_username = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_username : var.mysqldb_config.custom_user_username,
+ custom_user_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_user_password : nonsensitive(random_password.mysqldb_custom_user_password[0].result),
+ replication_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_user : "replicator",
+ replication_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_password : nonsensitive(random_password.mysqldb_replication_user_password[0].result),
+ exporter_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_user : "mysqld_exporter",
+ exporter_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_password : nonsensitive(random_password.mysqldb_exporter_user_password[0].result)
  }
 }
diff --git a/variables.tf b/variables.tf
@@ -1,19 +1,41 @@
 variable "mysqldb_config" {
  type = any
  default = {
- name = ""
- environment = ""
- values_yaml = ""
- architecture = ""
- storage_class_name = ""
- custom_user_username = ""
- primary_db_volume_size = ""
- secondary_db_volume_size = ""
- secondary_db_replica_count = 1
+ name = ""
+ environment = ""
+ values_yaml = ""
+ architecture = ""
+ storage_class_name = ""
+ custom_user_username = ""
+ primary_db_volume_size = ""
+ secondary_db_volume_size = ""
+ secondary_db_replica_count = 1
+ store_password_to_secret_manager = true
  }
  description = "Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values."
 }
 
+variable "mysqldb_custom_credentials_enabled" {
+ type = bool
+ default = false
+ description = "Specifies whether to enable custom credentials for MySQL database."
+}
+
+variable "mysqldb_custom_credentials_config" {
+ type = any
+ default = {
+ root_user = ""
+ root_password = ""
+ custom_username = ""
+ custom_user_password = ""
+ replication_user = ""
+ replication_password = ""
+ exporter_user = ""
+ exporter_password = ""
+ }
+ description = "Specify the configuration settings for MySQL to pass custom credentials during creation"
+}
+
 variable "app_version" {
  type = string
  default = "8.0.29-debian-11-r9"