Remove old db migration resources

infrastructure/base/main.tf

@@ -219,33 +219,6 @@ module "sql_server_key_vault" {
   key_vault_access_users = var.key_vault_access_users
 }
 
-module "sql_server_production" {
-  count = var.deploy_production ? 1 : 0
-
-  source              = "./modules/database"
-  resource_group      = data.azurerm_resource_group.resource_group
-  project_name        = "${var.project_name}-production"
-  subnet_id           = module.network.sql_subnet_id
-  private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id
-  key_vault_id        = module.sql_server_key_vault.key_vault_id
-  instance_size       = var.production_db_instance_size
-  storage_size        = var.production_db_storage_size
-}
-
-module "sql_server_production_14" {
-  count = var.deploy_production ? 1 : 0
-
-  source              = "./modules/database"
-  resource_group      = data.azurerm_resource_group.resource_group
-  project_name        = "${var.project_name}-production-14"
-  subnet_id           = module.network.sql_subnet_id
-  private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id
-  key_vault_id        = module.sql_server_key_vault.key_vault_id
-  instance_size       = var.production_db_instance_size
-  storage_size        = var.production_db_storage_size
-  postgresql_version  = "14"
-}
-
 module "sql_server_production_tulip" {
   count = var.deploy_production ? 1 : 0
 
@@ -260,17 +233,6 @@ module "sql_server_production_tulip" {
   postgresql_version  = "14"
 }
 
-module "sql_server_staging" {
-  source              = "./modules/database"
-  resource_group      = data.azurerm_resource_group.resource_group
-  project_name        = "${var.project_name}-staging"
-  subnet_id           = module.network.sql_subnet_id
-  private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id
-  key_vault_id        = module.sql_server_key_vault.key_vault_id
-  instance_size       = var.staging_db_instance_size
-  storage_size        = var.staging_db_storage_size
-}
-
 module "sql_server_staging_14" {
   source              = "./modules/database"
   resource_group      = data.azurerm_resource_group.resource_group

infrastructure/base/outputs.tf

@@ -61,42 +61,6 @@ output "redis_password" {
   sensitive = true
 }
 
-output "sql_server_production_name" {
-  value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_name : null
-}
-
-output "sql_server_production_hostname" {
-  value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_url : null
-}
-
-output "sql_server_production_username" {
-  value     = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_username : null
-  sensitive = true
-}
-
-output "sql_server_production_password" {
-  value     = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_password : null
-  sensitive = true
-}
-
-output "sql_server_production_14_name" {
-  value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_name : null
-}
-
-output "sql_server_production_14_hostname" {
-  value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_url : null
-}
-
-output "sql_server_production_14_username" {
-  value     = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_username : null
-  sensitive = true
-}
-
-output "sql_server_production_14_password" {
-  value     = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_password : null
-  sensitive = true
-}
-
 output "sql_server_production_tulip_name" {
   value = length(module.sql_server_production_tulip) > 0 ? module.sql_server_production_tulip[0].sql_server_name : null
 }
@@ -115,24 +79,6 @@ output "sql_server_production_tulip_password" {
   sensitive = true
 }
 
-output "sql_server_staging_name" {
-  value = module.sql_server_staging.sql_server_name
-}
-
-output "sql_server_staging_hostname" {
-  value = module.sql_server_staging.sql_server_url
-}
-
-output "sql_server_staging_username" {
-  value     = module.sql_server_staging.sql_server_username
-  sensitive = true
-}
-
-output "sql_server_staging_password" {
-  value     = module.sql_server_staging.sql_server_password
-  sensitive = true
-}
-
 output "sql_server_staging_14_name" {
   value = module.sql_server_staging_14.sql_server_name
 }

infrastructure/kubernetes/modules/cloud_secrets/main.tf

@@ -0,0 +1,49 @@
+locals {
+  api_postgres_secret_json = {
+    username = var.postgres_api_username
+    password = var.postgres_api_password
+    database = var.postgres_api_database
+  }
+  geoprocessing_postgres_secret_json = {
+    username = var.postgres_geoprocessing_username
+    password = var.postgres_geoprocessing_password
+    database = var.postgres_geoprocessing_database
+  }
+
+  api_auth_jwt_secret                    = random_password.jwt_secret.result
+  x_auth_api_key                         = random_password.x_auth_api_key.result
+  cloning_signing_secret                 = tls_private_key.cloning_signing_secret.private_key_pem
+  cloning_storage_backup_restic_password = random_password.cloning_storage_backup_restic_password.result
+}
+
+resource "random_password" "jwt_secret" {
+  length  = 24
+  special = true
+}
+
+resource "random_password" "x_auth_api_key" {
+  length  = 24
+  special = true
+}
+
+resource "azurerm_key_vault_secret" "api_user_postgresql" {
+  name         = "PostgresApiUserPassword"
+  value        = jsonencode(local.api_postgres_secret_json)
+  key_vault_id = var.key_vault_id
+}
+
+resource "azurerm_key_vault_secret" "geoprocessing_user_postgresql" {
+  name         = "PostgresGeoprocessingUserPassword"
+  value        = jsonencode(local.geoprocessing_postgres_secret_json)
+  key_vault_id = var.key_vault_id
+}
+
+resource "tls_private_key" "cloning_signing_secret" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "random_password" "cloning_storage_backup_restic_password" {
+  length           = 16
+  special          = true
+}

infrastructure/kubernetes/modules/cloud_secrets/outputs.tf

@@ -0,0 +1,15 @@
+output "api_auth_jwt_secret" {
+  value = local.api_auth_jwt_secret
+}
+
+output "x_auth_api_key" {
+  value = local.x_auth_api_key
+}
+
+output "cloning_signing_secret" {
+  value = local.cloning_signing_secret
+}
+
+output "cloning_storage_backup_restic_password" {
+  value = local.cloning_storage_backup_restic_password
+}

infrastructure/kubernetes/modules/cloud_secrets/variable.tf

@@ -0,0 +1,74 @@
+variable "name" {
+  description = "The name of the secret"
+}
+
+variable "namespace" {
+  description = "The k8s namespace in which to deploy resources"
+}
+
+variable "key_vault_id" {
+  description = "Azure key vault id"
+}
+
+variable "project_name" {
+  type        = string
+  description = "A project name to use when naming resources."
+}
+
+variable "redis_host" {
+  description = "The redis server hostname"
+}
+
+variable "redis_password" {
+  description = "The redis server password"
+}
+
+variable "redis_port" {
+  description = "The redis server port"
+}
+
+variable "sparkpost_api_key" {
+  type        = string
+  description = "The API key for Sparkpost"
+}
+
+variable "api_url" {
+  type        = string
+  description = "The URL for the Marxan API server"
+}
+
+variable "postgres_geoprocessing_hostname" {
+  description = "The postgres geoprocessing database hostname"
+}
+
+variable "postgres_geoprocessing_username" {
+  description = "The postgres geoprocessing database username"
+}
+
+variable "postgres_geoprocessing_password" {
+  description = "The postgres geoprocessing database password"
+}
+
+variable "postgres_geoprocessing_database" {
+  description = "The postgres geoprocessing database name"
+}
+
+variable "postgres_api_hostname" {
+  description = "The postgres api database hostname"
+}
+
+variable "postgres_api_username" {
+  description = "The postgres api database username"
+}
+
+variable "postgres_api_password" {
+  description = "The postgres api database password"
+}
+
+variable "postgres_api_database" {
+  description = "The postgres api database name"
+}
+
+variable "azure_storage_account_key" {
+  description = "A key for the Azure storage account used for backups"
+}

infrastructure/kubernetes/modules/cloud_secrets/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.32.0"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "3.3.2"
+    }
+  }
+  required_version = "1.3.5"
+}

infrastructure/kubernetes/modules/kubernetes_secrets/main.tf

@@ -0,0 +1,76 @@
+locals {
+  api_postgres_secret_json = {
+    username = var.postgres_api_username
+    password = var.postgres_api_password
+    database = var.postgres_api_database
+  }
+  geoprocessing_postgres_secret_json = {
+    username = var.postgres_geoprocessing_username
+    password = var.postgres_geoprocessing_password
+    database = var.postgres_geoprocessing_database
+  }
+
+  api_auth_jwt_secret                    = var.api_auth_jwt_secret
+  x_auth_api_key                         = var.x_auth_api_key
+  cloning_signing_secret                 = var.cloning_signing_secret
+  cloning_storage_backup_restic_password = var.cloning_storage_backup_restic_password
+}
+
+resource "kubernetes_secret" "api_secret" {
+  metadata {
+    name      = "api"
+    namespace = var.namespace
+  }
+
+  data = {
+    API_AUTH_JWT_SECRET    = sensitive(local.api_auth_jwt_secret)
+    API_AUTH_X_API_KEY     = sensitive(local.x_auth_api_key)
+    CLONING_SIGNING_SECRET = sensitive(base64encode(local.cloning_signing_secret))
+
+    API_POSTGRES_HOST     = var.postgres_api_hostname
+    API_POSTGRES_USER     = sensitive(local.api_postgres_secret_json.username)
+    API_POSTGRES_PASSWORD = sensitive(local.api_postgres_secret_json.password)
+    API_POSTGRES_DB       = sensitive(local.api_postgres_secret_json.database)
+
+    GEO_POSTGRES_HOST     = var.postgres_geoprocessing_hostname
+    GEO_POSTGRES_USER     = sensitive(local.geoprocessing_postgres_secret_json.username)
+    GEO_POSTGRES_PASSWORD = sensitive(local.geoprocessing_postgres_secret_json.password)
+    GEO_POSTGRES_DB       = sensitive(local.geoprocessing_postgres_secret_json.database)
+
+    REDIS_HOST     = var.redis_host
+    REDIS_PASSWORD = var.redis_password
+    REDIS_PORT     = var.redis_port
+
+    SPARKPOST_APIKEY = var.sparkpost_api_key
+    API_SERVICE_URL  = var.api_url
+
+    AZURE_STORAGE_ACCOUNT_KEY              = sensitive(var.azure_storage_account_key)
+    CLONING_STORAGE_BACKUP_RESTIC_PASSWORD = sensitive(local.cloning_storage_backup_restic_password)
+  }
+}
+
+resource "kubernetes_secret" "geoprocessing_secret" {
+  metadata {
+    name      = "geoprocessing"
+    namespace = var.namespace
+  }
+
+  data = {
+    API_AUTH_JWT_SECRET = sensitive(local.api_auth_jwt_secret)
+    API_AUTH_X_API_KEY  = sensitive(local.x_auth_api_key)
+
+    API_POSTGRES_HOST     = var.postgres_api_hostname
+    API_POSTGRES_USER     = sensitive(local.api_postgres_secret_json.username)
+    API_POSTGRES_PASSWORD = sensitive(local.api_postgres_secret_json.password)
+    API_POSTGRES_DB       = sensitive(local.api_postgres_secret_json.database)
+
+    GEO_POSTGRES_HOST     = var.postgres_geoprocessing_hostname
+    GEO_POSTGRES_USER     = sensitive(local.geoprocessing_postgres_secret_json.username)
+    GEO_POSTGRES_PASSWORD = sensitive(local.geoprocessing_postgres_secret_json.password)
+    GEO_POSTGRES_DB       = sensitive(local.geoprocessing_postgres_secret_json.database)
+
+    REDIS_HOST     = var.redis_host
+    REDIS_PASSWORD = var.redis_password
+    REDIS_PORT     = var.redis_port
+  }
+}