GitlabBot - Enable pulling secrets from SecretsManager (#9)

* Enable pulling secrets from SecrersManager

* move logic into secrets_manager module

* add new output to docs

* docs update

* new gitlab source code

* fix dynamic statement syntax

* fix secrets manager module reference

* formatting

* split policies and attach to role

* formatting

* formatting

* improve syntax

* cancel rename

* update source code

Author: ChengaDev

README.md

@@ -30,6 +30,7 @@ Terraform configuration used to create the required AWS resources for integratin
 | `lambda_function_timeout` | Amount of time your Lambda Function has to run in seconds.  | `number` | 300 | No |
 | `lambda_function_memory_size` | Amount of memory in MB your Lambda Function can use at runtime. | `number` | 1024 | No |
 | `lambda_publish` | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | No |
+| `store_secret_in_secrets_manager` | Whether to store secrets values on a vault (currently supporting AWS secrets manager on GitLab integration). | `bool` | `false` | No |
 
 ### env_vars
 
@@ -79,7 +80,7 @@ This variable holds a collection of tags grouped by key representing its target
 
 ```tcl
 module "spectral_lambda_integration" {
-  source                        = "github.com/SpectralOps/spectral-terraform-lambda-integration?ref=v1.0.2"
+  source                        = "github.com/SpectralOps/spectral-terraform-lambda-integration"
 
   environment                   = "prod"
   integration_type              = "terraform"
@@ -91,7 +92,7 @@ module "spectral_lambda_integration" {
 
   # Environment variables used by the integration
   env_vars = {
-    # Mandatory - Your spectral DSN retrieved from SpectralOps
+    # Mandatory (unless you are using vault) - Your spectral DSN retrieved from SpectralOps
     SPECTRAL_DSN       = ""
     # Additional env-vars should go here
   }
@@ -120,15 +121,6 @@ module "spectral_lambda_integration" {
 }
 ```
 
-Don't forget to configure your provider:
-```tcl
-provider "aws" {
-  allowed_account_ids = ["11111111111"]
-  region = "us-east-1"
-  profile = "example-profile"
-}
-```
-
 ## Resources
 
 | Name      | Type |
@@ -159,3 +151,4 @@ provider "aws" {
 7. `lambda_function_name` - The name of the lambda function.
 8. `lambda_iam_role_arn` - Amazon Resource Name (ARN) specifying the role.
 9. `lambda_iam_role_name` - Name of the role.
+10. `secrets_arns` - Arns of created secrets in secrets manager.

main.tf

@@ -3,18 +3,20 @@ locals {
 }
 
 module "lambda_function" {
-  source                 = "./modules/lambda"
-  global_tags            = var.global_tags
-  tags                   = var.tags
-  environment            = var.environment
-  integration_type       = var.integration_type
-  resource_name_pattern  = local.resource_name_pattern
-  env_vars               = var.env_vars
-  logs_retention_in_days = var.lambda_logs_retention_in_days
-  should_write_logs      = var.lambda_enable_logs
-  timeout                = var.lambda_function_timeout
-  memory_size            = var.lambda_function_memory_size
-  publish                = var.lambda_publish
+  source                          = "./modules/lambda"
+  global_tags                     = var.global_tags
+  tags                            = var.tags
+  environment                     = var.environment
+  integration_type                = var.integration_type
+  resource_name_pattern           = local.resource_name_pattern
+  env_vars                        = var.env_vars
+  logs_retention_in_days          = var.lambda_logs_retention_in_days
+  should_write_logs               = var.lambda_enable_logs
+  timeout                         = var.lambda_function_timeout
+  memory_size                     = var.lambda_function_memory_size
+  publish                         = var.lambda_publish
+  secrets_arns                    = var.store_secret_in_secrets_manager ? module.secrets_manager[0].secrets_arns : []
+  store_secret_in_secrets_manager = var.store_secret_in_secrets_manager
 }
 
 module "api_gateway" {
@@ -25,4 +27,10 @@ module "api_gateway" {
   integration_type      = var.integration_type
   resource_name_pattern = local.resource_name_pattern
   lambda_function_arn   = module.lambda_function.lambda_function_arn
+}
+
+module "secrets_manager" {
+  count            = var.store_secret_in_secrets_manager ? 1 : 0
+  integration_type = var.integration_type
+  source           = "./modules/secrets_manager"
 }

modules/lambda/lambda.tf

@@ -59,7 +59,32 @@ resource "aws_iam_role" "lambda_execution_role" {
   )
 }
 
+data "aws_iam_policy_document" "secrets_policy_document" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = var.secrets_arns
+  }
+}
+
+resource "aws_iam_policy" "secrets_iam_policy" {
+  count  = var.store_secret_in_secrets_manager ? 1 : 0
+  policy = data.aws_iam_policy_document.secrets_policy_document.json
+
+  tags = merge(
+    var.global_tags,
+    lookup(var.tags, "iam", {}),
+  )
+}
+
 resource "aws_iam_role_policy_attachment" "lambda_execution_role" {
   role       = aws_iam_role.lambda_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_secrets_role_attachment" {
+  count      = var.store_secret_in_secrets_manager ? 1 : 0
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = aws_iam_policy.secrets_iam_policy[count.index].arn
 }

modules/lambda/source_code/gitlab/app.zip

@@ -63,4 +63,15 @@ variable "publish" {
   type        = bool
   description = "Whether to publish creation/change as new Lambda Function Version."
   default     = false
+}
+
+variable "secrets_arns" {
+  description = "List of secrets associated with the lambda"
+  type        = list(string)
+  default     = []
+}
+
+variable "store_secret_in_secrets_manager" {
+  description = "Whether to store your secrets in secrets manager, default is false"
+  type        = bool
 }

modules/lambda/variables.tf

@@ -0,0 +1,7 @@
+resource "aws_secretsmanager_secret" "gitlab_webhook_secret" {
+  name = "Spectral_GitlabBot_WebhookSecret"
+}
+
+resource "aws_secretsmanager_secret" "gitlab_token" {
+  name = "Spectral_GitlabBot_GitlabToken"
+}

modules/secrets_manager/gitlab/main.tf

@@ -0,0 +1,6 @@
+output "secrets_arns" {
+  value = [
+    aws_secretsmanager_secret.gitlab_token.arn,
+    aws_secretsmanager_secret.gitlab_webhook_secret.arn
+  ]
+}

modules/secrets_manager/gitlab/outputs.tf

@@ -0,0 +1,3 @@
+output "secrets_arns" {
+  value = local.secrets_arns
+}

modules/secrets_manager/outputs.tf

@@ -0,0 +1,15 @@
+locals {
+  secrets_arns = concat(
+    try(module.gitlab[0].secrets_arns, []),
+    [aws_secretsmanager_secret.spectral_dsn.arn]
+  )
+}
+
+resource "aws_secretsmanager_secret" "spectral_dsn" {
+  name = "Spectral_Dsn"
+}
+
+module "gitlab" {
+  count  = var.integration_type == "gitlab" ? 1 : 0
+  source = "./gitlab"
+}

modules/secrets_manager/secrets.tf

@@ -0,0 +1,4 @@
+variable "integration_type" {
+  description = "Integration type to create secrets for"
+  type        = string
+}

modules/secrets_manager/variables.tf

@@ -32,4 +32,8 @@ output "lambda_iam_role_arn" {
 
 output "lambda_iam_role_name" {
   value = module.lambda_function.lambda_iam_role_name
-}
+}
+
+output "secrets_arns" {
+  value = module.secrets_manager[*].secrets_arns
+}

outputs.tf

@@ -68,4 +68,10 @@ variable "lambda_publish" {
   type        = bool
   description = "Whether to publish creation/change as new Lambda Function Version."
   default     = false
+}
+
+variable "store_secret_in_secrets_manager" {
+  type        = bool
+  description = "Whether to store your secrets in secrets manager, default is false"
+  default     = false
 }