Merge pull request #4724 from nhsuk/data_replication_self_managed_password

TheOneFromNorway · web-flow · commit 97c19a4e8946 · 2026-01-22T18:57:51.000Z
Create independent password for data replication
diff --git a/.github/workflows/refresh-data-replication.yml b/.github/workflows/refresh-data-replication.yml
@@ -146,13 +146,6 @@ jobs:
         uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.13.3
-      - name: Get db secret arn
-        id: get-db-secret-arn
-        working-directory: terraform/app
-        run: |
-          terraform init -backend-config="env/$environment-backend.hcl" -upgrade
-          DB_SECRET_ARN=$(terraform output --raw db_secret_arn)
-          echo "DB_SECRET_ARN=$DB_SECRET_ARN" >> $GITHUB_OUTPUT
       - name: Terraform Plan
         id: plan
         run: |
@@ -161,7 +154,6 @@ jobs:
 
           PLAN_ARGS=(
             "plan"
-            "-var=db_secret_arn=${{ steps.get-db-secret-arn.outputs.DB_SECRET_ARN }}"
             "-var=imported_snapshot=$SNAPSHOT_ARN"
             "-var-file=env/$environment.tfvars"
             "-var=allowed_egress_cidr_blocks=$egress_cidr"
diff --git a/terraform/app/outputs.tf b/terraform/app/outputs.tf
@@ -1,4 +0,0 @@
-output "db_secret_arn" {
-  description = "The ARN of the secret containing the DB credentials."
-  value       = aws_rds_cluster.core.master_user_secret[0].secret_arn
-}
diff --git a/terraform/data_replication/iam.tf b/terraform/data_replication/iam.tf
@@ -11,7 +11,7 @@ data "aws_iam_policy_document" "ecs_permissions" {
     sid     = "dbSecretSid"
     actions = ["secretsmanager:GetSecretValue"]
     resources = [
-      var.db_secret_arn
+      aws_rds_cluster.cluster.master_user_secret[0].secret_arn
     ]
     effect = "Allow"
   }
diff --git a/terraform/data_replication/rds.tf b/terraform/data_replication/rds.tf
@@ -17,18 +17,19 @@ resource "aws_security_group_rule" "rds_inbound" {
 }
 
 resource "aws_rds_cluster" "cluster" {
-  cluster_identifier     = "${local.name_prefix}-rds-${formatdate("hh-mm-ss", timestamp())}"
-  engine                 = "aurora-postgresql"
-  engine_mode            = "provisioned"
-  database_name          = "manage_vaccinations"
-  master_username        = "postgres"
-  snapshot_identifier    = var.imported_snapshot
-  db_subnet_group_name   = aws_db_subnet_group.dbsg.name
-  vpc_security_group_ids = [aws_security_group.rds.id]
-  storage_encrypted      = true
-  skip_final_snapshot    = true
-  deletion_protection    = false
-  engine_version         = var.db_engine_version
+  cluster_identifier          = "${local.name_prefix}-rds-${formatdate("hh-mm-ss", timestamp())}"
+  engine                      = "aurora-postgresql"
+  engine_mode                 = "provisioned"
+  database_name               = "manage_vaccinations"
+  master_username             = "postgres"
+  snapshot_identifier         = var.imported_snapshot
+  db_subnet_group_name        = aws_db_subnet_group.dbsg.name
+  vpc_security_group_ids      = [aws_security_group.rds.id]
+  storage_encrypted           = true
+  skip_final_snapshot         = true
+  deletion_protection         = false
+  manage_master_user_password = true
+  engine_version              = var.db_engine_version
 
   serverlessv2_scaling_configuration {
     max_capacity = var.max_aurora_capacity_units
diff --git a/terraform/data_replication/variables.tf b/terraform/data_replication/variables.tf
@@ -37,12 +37,6 @@ variable "max_aurora_capacity_units" {
   description = "Maximum amount of allowed ACU capacity for Aurora Serverless v2"
 }
 
-variable "db_secret_arn" {
-  type        = string
-  description = "The ARN of the secret that stores the credentials for the database from which the snapshot originates."
-  nullable    = false
-}
-
 variable "account_id" {
   type        = string
   default     = "393416225559"
@@ -83,7 +77,7 @@ locals {
   task_secrets = [
     {
       name      = "DB_CREDENTIALS"
-      valueFrom = var.db_secret_arn
+      valueFrom = aws_rds_cluster.cluster.master_user_secret[0].secret_arn
     },
     {
       name      = "RAILS_MASTER_KEY"

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ data "aws_iam_policy_document" "ecs_permissions" {`
`11`	`11`	`sid = "dbSecretSid"`
`12`	`12`	`actions = ["secretsmanager:GetSecretValue"]`
`13`	`13`	`resources = [`
`14`		`- var.db_secret_arn`
	`14`	`+ aws_rds_cluster.cluster.master_user_secret[0].secret_arn`
`15`	`15`	`]`
`16`	`16`	`effect = "Allow"`
`17`	`17`	`}`