diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index f490db4..300a9e0 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -164,6 +164,10 @@ module "oonipg" { db_storage_type = "gp3" db_allocated_storage = "50" db_max_allocated_storage = null + + allow_cidr_blocks = module.network.vpc_subnet_private[*].cidr_block + allow_security_groups = [] + tags = merge( local.tags, { Name = "ooni-tier0-postgres" } @@ -220,11 +224,15 @@ resource "aws_secretsmanager_secret" "oonipg_url" { tags = local.tags } +data "aws_secretsmanager_secret_version" "pg_login" { + secret_id = module.oonipg.secrets_manager_pg_login_id +} + resource "aws_secretsmanager_secret_version" "oonipg_url" { secret_id = aws_secretsmanager_secret.oonipg_url.id secret_string = format("postgresql://%s:%s@%s/%s", - module.oonipg.pg_username, - module.oonipg.pg_password, + jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)["username"], + jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)["password"], module.oonipg.pg_endpoint, module.oonipg.pg_db_name ) @@ -330,9 +338,7 @@ module "ooniapi_reverseproxy" { # First run should be set on first run to bootstrap the task definition # first_run = true - vpc_id = module.network.vpc_id - public_subnet_ids = module.network.vpc_subnet_public[*].id - private_subnet_ids = module.network.vpc_subnet_private[*].id + vpc_id = module.network.vpc_id service_name = "reverseproxy" default_docker_image_url = "ooni/api-reverseproxy:latest" @@ -346,7 +352,7 @@ module "ooniapi_reverseproxy" { } task_environment = { - TARGET_URL = "https://backend-fsn.ooni.org/" + TARGET_URL = "https://backend-fsn.ooni.org/" } ooniapi_service_security_groups = [ 
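Review bot: The new `allow_cidr_blocks = module.network.vpc_subnet_private[*].cidr_block` in the `oonipg` call lets every address in the private subnets reach the database, not only the API tasks, while `allow_security_groups = []` leaves the finer-grained control unused. If the module accepts the ECS service security groups, prefer `allow_security_groups = [ /* ids of the ooniapi service security groups */ ]` together with `allow_cidr_blocks = []`, so only workloads carrying those groups can open the listener. If the subnet-wide rule is intentional for now, record it next to the line with a comment such as `# Whole private subnets can reach Postgres; narrow to service security groups once they are wired through`. The `oonipg` module block starts before the hunk and continues after it.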
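Review bot: The username and password read from `data.aws_secretsmanager_secret_version.pg_login` are spliced into `format("postgresql://%s:%s@%s/%s", ...)` unescaped, so a generated password containing `@`, `/`, `:`, `#` or `%` yields a connection string that clients parse wrongly; wrap both values, e.g. `urlencode(jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)["password"])` and the same for `"username"`. The same `jsondecode(...)` is evaluated twice; a `locals` entry such as `pg_login = jsondecode(data.aws_secretsmanager_secret_version.pg_login.secret_string)` would make the two lines read as one lookup. The composed URL is itself a credential that lives in Terraform state alongside the login secret, as it did before this change, and a comment on `aws_secretsmanager_secret_version.oonipg_url` saying so would help the next reader. The `oonipg_url` resource's opening line is in the hunk but the surrounding file context is not.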
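Review bot: Dropping `public_subnet_ids` and `private_subnet_ids` from the `ooniapi_reverseproxy` call is only safe if the `ooniapi_service` module stops declaring those variables in the same change; a still-required variable fails the plan, while a still-optional one silently falls back to its default and may place the service in different subnets than before. Confirm the module now resolves subnets from `vpc_id` (the module source is outside this hunk) and say so beside the remaining line, e.g. `# subnets are resolved inside ooniapi_service from vpc_id`. The same applies to the ooniprobe, oonirun, oonifindings and ooniauth hunks, which make the identical removal. Each of these module blocks starts before its hunk and continues after it.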
@@ -407,9 +413,7 @@ module "ooniapi_ooniprobe" { # First run should be set on first run to bootstrap the task definition #first_run = true - vpc_id = module.network.vpc_id - private_subnet_ids = module.network.vpc_subnet_private[*].id - public_subnet_ids = module.network.vpc_subnet_public[*].id + vpc_id = module.network.vpc_id service_name = "ooniprobe" default_docker_image_url = "ooni/api-ooniprobe:latest" @@ -458,9 +462,7 @@ module "ooniapi_oonirun" { source = "../../modules/ooniapi_service" #first_run = true - vpc_id = module.network.vpc_id - private_subnet_ids = module.network.vpc_subnet_private[*].id - public_subnet_ids = module.network.vpc_subnet_public[*].id + vpc_id = module.network.vpc_id service_name = "oonirun" default_docker_image_url = "ooni/api-oonirun:latest" @@ -508,9 +510,7 @@ module "ooniapi_oonifindings" { source = "../../modules/ooniapi_service" # first_run = true - vpc_id = module.network.vpc_id - public_subnet_ids = module.network.vpc_subnet_public[*].id - private_subnet_ids = module.network.vpc_subnet_private[*].id + vpc_id = module.network.vpc_id service_name = "oonifindings" default_docker_image_url = "ooni/api-oonifindings:latest" @@ -557,9 +557,7 @@ module "ooniapi_ooniauth" { source = "../../modules/ooniapi_service" # first_run = true - vpc_id = module.network.vpc_id - private_subnet_ids = module.network.vpc_subnet_private[*].id - public_subnet_ids = module.network.vpc_subnet_public[*].id + vpc_id = module.network.vpc_id service_name = "ooniauth" default_docker_image_url = "ooni/api-ooniauth:latest" @@ -662,7 +660,7 @@ locals { } resource "aws_route53_record" "ooniapi_frontend_main" { - name = local.ooniapi_frontend_main_domain_name + name = local.ooniapi_frontend_main_domain_name zone_id = local.ooniapi_frontend_main_domain_name_zone_id type = "A" diff --git a/tf/environments/prod/outputs.tf b/tf/environments/prod/outputs.tf index e0b90d5..f6ce147 100644 --- a/tf/environments/prod/outputs.tf +++ b/tf/environments/prod/outputs.tf 
@@ -10,8 +10,8 @@ output "oonidevops_deploy_key_arn" { value = module.adm_iam_roles.oonidevops_deploy_key_arn } -output "oonipg_pg_password_arn" { - value = module.oonipg.secrets_manager_pg_password_id +output "oonipg_pg_login_arn" { + value = module.oonipg.secrets_manager_pg_login_id } # output "oonidataapi_alb_hostname" {