refactor: use ssm for postgres password (#165)

This diff continues the work done in #159, and allows us to use a configured postgresql user for ooni api services.
ooni · Jan 29, 2025 · f663ea9 · f663ea9
1 parent 9fdef91
commit f663ea9
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
@@ -208,6 +208,10 @@ data "aws_ssm_parameter" "jwt_secret" {
   name = "/oonidevops/secrets/ooni_services/jwt_secret"
 }
 
+data "aws_ssm_parameter" "oonipg_url" {
+  name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url"
+}
+
 resource "random_password" "prometheus_metrics_password" {
   length  = 32
   special = false
@@ -433,7 +437,7 @@ module "ooniapi_ooniprobe" {
   service_desired_count = 2
 
   task_secrets = {
-    POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
+    POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
@@ -482,7 +486,7 @@ module "ooniapi_oonirun" {
   service_desired_count = 2
 
   task_secrets = {
-    POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
+    POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
@@ -528,7 +532,7 @@ module "ooniapi_oonifindings" {
   ecs_cluster_id           = module.ooniapi_cluster.cluster_id
 
   task_secrets = {
-    POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
+    POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
@@ -577,7 +581,7 @@ module "ooniapi_ooniauth" {
   service_desired_count = 2
 
   task_secrets = {
-    POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
+    POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn