AB2D-7247 Refactor IDR Importer Module#1822
Conversation
mianava
left a comment
There was a problem hiding this comment.
This importer can be moved to use the service module.
| # 30-idr-db-importer terraservice. It has no IAM path, so its ARN is | ||
| # constructed here as a string to avoid a reverse cross-state dependency | ||
| # (10-core applies before 30-idr-db-importer). | ||
| "arn:aws:iam::${local.aws_account_number}:role/${local.service_prefix}-idr-db-importer-task-role" |
There was a problem hiding this comment.
Is this for access to an S3 bucket?
There was a problem hiding this comment.
Can this bucket be moved into its service idr-db-importer? I assume it's required for the IDR importer and is not "core"
| security_groups = [data.aws_security_group.idr_db_importer.id] | ||
| subnets = keys(module.platform.private_subnets) | ||
|
|
||
| additional_task_role_policies = { s3 = data.aws_iam_policy.idr_db_importer_task.arn } |
There was a problem hiding this comment.
where is this policy generated?
There was a problem hiding this comment.
Good catch. It was looking up the policy from 10-core by name, which was more complicated than needed. I moved the policy into 30-idr-db-importer as aws_iam_policy.idr_db_importer_task and now reference it directly.
| { name = "IDR_SNOWFLAKE_PRIVATE_KEY", valueFrom = data.aws_ssm_parameter.idr_private_key[0].arn }, | ||
| { name = "IDR_SNOWFLAKE_WAREHOUSE", valueFrom = data.aws_ssm_parameter.idr_snowflake_warehouse[0].arn }, | ||
| { name = "IDR_SNOWFLAKE_USER", valueFrom = data.aws_ssm_parameter.idr_snowflake_user[0].arn }, | ||
| { name = "IDR_SNOWFLAKE_ROLE", valueFrom = data.aws_ssm_parameter.idr_snowflake_role[0].arn } |
There was a problem hiding this comment.
Are these stored in SOPS? If so, use platform module with ssm_root_map
ssm_root_map = { this = "/ab2d/${local.env}/id-db-importer/" }
Ideally, these get stored in a pattern that matches their relevant service (hence "idr-db-importer" is the path because that's how this terraservice has been named)
And then you can use module.platform.ssm.this.snowflake_role.arn
| "s3:ListBucket" | ||
| ] | ||
| Resource = [ | ||
| "arn:aws:s3:::${data.aws_ssm_parameter.idr_db_importer_bucket.value}", |
There was a problem hiding this comment.
Recommend getting the arn directly https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket -- though I'd favor moving the s3 bucket to be colocated with idr-db-importer as it is critical to this service
🎫 Ticket
https://jira.cms.gov/browse/AB2D-7247
🛠 Changes
ℹ️ Context
We want to refactor the IDR importer module to define secrets outside of the nonsensitive block so that sensitive values like database passwords are not inadvertently exposed during a tofu apply.
🧪 Validation
Task completed successfully