

[ALS-6225] PICSURE will use RDS 7 day rotating password (#137)
## [ALS-6225] Integration of AWS Secrets Manager and MySQL Connector Updates for Wildfly Deployment

### Summary:
- Implemented AWS Secrets Manager JDBC for managing database credentials, enhancing security by utilizing secrets for loading usernames and passwords.
- Updated the Wildfly MySQL module and standalone configuration to include the new MySQL Java Connector, ensuring proper SQL connectivity and aligning secret names with updated standards.
- Modified `wildfly-user_data.sh` to correctly reference the updated MySQL connector path and removed outdated MySQL module configurations to streamline deployment.
- Refactored IAM roles and policy attachments for Wildfly deployment, improving monitoring and management capabilities by attaching CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore policy.
- Streamlined the Terraform configuration by updating IAM instance profiles and segregating IAM resources into `wildfly-iam.tf`, removing duplication.
- Enhanced the standalone.xml configuration by adding MySQL and H2 drivers, updating JDBC connection details, and reintroducing the ExampleDS datasource for improved database connectivity.
- Documented the configuration and deployment process in a new README.md file, providing clarity on dynamic generation of module.xml during Docker image build.
- Performed cleanup by removing obsolete configurations and variables related to AWS region and IAM roles for secret management, ensuring a leaner configuration.
Gcolon021 authored Apr 9, 2024
1 parent 05ae75d commit d20e775
Showing 9 changed files with 171 additions and 146 deletions.
5 changes: 5 additions & 0 deletions app-infrastructure/configs/README.md
@@ -0,0 +1,5 @@
## Additional Information about WildFly Configuration
There is no module.xml in this repository. It has been moved to the [pic-sure-wildfly-docker repository](https://github.com/hms-dbmi/pic-sure-wildfly-docker).
The `module.xml` is created dynamically by the `generate-module-xml.sh` script in the pic-sure-wildfly-docker repository. This script is run when the
`pic-sure-with-aggregate-resource.Dockerfile` is built. The module.xml is created based on the jars copied into the
`opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/` directory in the docker image.
17 changes: 9 additions & 8 deletions app-infrastructure/configs/standalone.xml
Expand Up @@ -164,17 +164,16 @@
</datasource>
<datasource jndi-name="java:jboss/datasources/AuthDS" pool-name="AuthDS" use-java-context="true">
<connection-url>
jdbc:mysql://${picsure-db-host}/auth?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
jdbc-secretsmanager:mysql://${picsure-db-host}/auth?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
</connection-url>
<driver>mysql</driver>
<driver>aws-secretsmanager-mysql</driver>
<pool>
<min-pool-size>2</min-pool-size>
<max-pool-size>10</max-pool-size>
<prefill>true</prefill>
</pool>
<security>
<user-name>${picsure-db-username}</user-name>
<password>${picsure-db-password}</password>
<user-name>${app_user_secret_name}</user-name>
</security>
<validation>
<valid-connection-checker
Expand All @@ -188,17 +187,16 @@
</datasource>
<datasource jndi-name="java:jboss/datasources/PicsureDS" pool-name="PicsureDS" use-java-context="true">
<connection-url>
jdbc:mysql://${picsure-db-host}/picsure?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
jdbc-secretsmanager:mysql://${picsure-db-host}/picsure?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
</connection-url>
<driver>mysql</driver>
<driver>aws-secretsmanager-mysql</driver>
<pool>
<min-pool-size>3</min-pool-size>
<max-pool-size>10</max-pool-size>
<prefill>true</prefill>
</pool>
<security>
<user-name>${picsure-db-username}</user-name>
<password>${picsure-db-password}</password>
<user-name>${app_user_secret_name}</user-name>
</security>
<validation>
<valid-connection-checker
Expand All @@ -217,6 +215,9 @@
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
<driver name="aws-secretsmanager-mysql" module="com.sql.mysql">
<driver-class>com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver</driver-class>
</driver>
</drivers>
</datasources>
</subsystem>
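Review bot: The `<security>` element of AuthDS and PicsureDS now carries only `<user-name>${app_user_secret_name}</user-name>` and no `<password>`, which reads like a misconfiguration unless the reader knows that the Secrets Manager JDBC driver takes the secret id in the user field and resolves the real DB username and password from the secret; an XML comment such as `<!-- user-name is the Secrets Manager secret id, not a DB user; the aws-secretsmanager-mysql driver fetches the DB username/password from that secret with the instance role -->` above each `<security>` block would prevent that. The new `aws-secretsmanager-mysql` driver is declared on the same `com.sql.mysql` module as the plain `mysql` driver, so the dynamically generated module.xml presumably has to ship the secrets-manager JDBC jar and its SDK dependencies next to the MySQL connector or the driver class will not load; that cannot be verified from this page. The `${picsure-db-password}` system property is no longer referenced in either datasource, so wherever it is still injected into the container it can be retired rather than left as a dormant credential.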
8 changes: 0 additions & 8 deletions app-infrastructure/configs/wildfly_mysql_module.xml

This file was deleted.

Binary file removed app-infrastructure/mysql-connector-j-8.0.33.jar
118 changes: 0 additions & 118 deletions app-infrastructure/s3_roles.tf
@@ -1,121 +1,3 @@

resource "aws_iam_instance_profile" "wildfly-deployment-s3-profile" {
name = "wildfly-deployment-s3-profile-${var.target_stack}-${local.uniq_name}"
role = aws_iam_role.wildfly-deployment-s3-role.name
}

resource "aws_iam_role_policy" "wildfly-deployment-s3-policy" {
name = "wildfly-deployment-s3-policy-${var.target_stack}-${local.uniq_name}"
role = aws_iam_role.wildfly-deployment-s3-role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/releases/jenkins_pipeline_build_${var.stack_githash_long}/pic-sure-wildfly.tar.gz"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/visualization-resource.properties"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/data/${var.dataset_s3_object_key}/fence_mapping.json"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/standalone.xml"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/*"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
},{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/modules/*"
},{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.stack_s3_bucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"releases/jenkins_pipeline_build_${var.stack_githash_long}/*",
"configs/jenkins_pipeline_build_${var.stack_githash_long}*",
"modules/*",
"data/${var.dataset_s3_object_key}/*"
]
}
}
},{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
}
]
}
EOF
}

resource "aws_iam_role" "wildfly-deployment-s3-role" {
name = "${local.project_no_space}-wildfly-deployment-s3-role-${var.target_stack}-${local.uniq_name}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}

resource "aws_iam_role_policy_attachment" "attach-cloudwatch-server-policy-to-wildfly-role" {
role = aws_iam_role.wildfly-deployment-s3-role.name
policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}
resource "aws_iam_role_policy_attachment" "attach-cloudwatch-ssm-policy-to-wildfly-role" {
role = aws_iam_role.wildfly-deployment-s3-role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}


resource "aws_iam_instance_profile" "httpd-deployment-s3-profile" {
name = "httpd-deployment-s3-profile-${var.target_stack}-${local.uniq_name}"
role = aws_iam_role.httpd-deployment-s3-role.name
4 changes: 0 additions & 4 deletions app-infrastructure/scripts/wildfly-user_data.sh
Expand Up @@ -33,8 +33,6 @@ sleep 600

s3_copy s3://${stack_s3_bucket}/releases/jenkins_pipeline_build_${stack_githash}/pic-sure-wildfly.tar.gz /home/centos/pic-sure-wildfly.tar.gz
s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/standalone.xml /home/centos/standalone.xml
s3_copy s3://${stack_s3_bucket}/modules/mysql/module.xml /home/centos/mysql_module.xml
s3_copy s3://${stack_s3_bucket}/modules/mysql/mysql-connector-j-8.0.33.jar /home/centos/mysql-connector-j-8.0.33.jar
s3_copy s3://${stack_s3_bucket}/data/${dataset_s3_object_key}/fence_mapping.json /home/centos/fence_mapping.json
s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/aggregate-resource.properties /home/centos/aggregate-resource.properties
s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/visualization-resource.properties /home/centos/visualization-resource.properties
Expand All @@ -51,8 +49,6 @@ sudo docker run -u root --name=wildfly \
-v /home/centos/standalone.xml:/opt/jboss/wildfly/standalone/configuration/standalone.xml \
-v /home/centos/fence_mapping.json:/usr/local/docker-config/fence_mapping.json \
-v /home/centos/aggregate-resource.properties:/opt/jboss/wildfly/standalone/configuration/aggregate-data-sharing/pic-sure-aggregate-resource/resource.properties \
-v /home/centos/mysql_module.xml:/opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/module.xml \
-v /home/centos/mysql-connector-j-8.0.33.jar:/opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/mysql-connector-j-8.0.33.jar \
-v /var/log/wildfly-docker-os-logs/:/var/log/ \
-v /home/centos/visualization-resource.properties:/opt/jboss/wildfly/standalone/configuration/visualization/pic-sure-visualization-resource/resource.properties \
-p 8080:8080 -e JAVA_OPTS="$JAVA_OPTS" -d $WILDFLY_IMAGE
9 changes: 9 additions & 0 deletions app-infrastructure/variables.tf
Expand Up @@ -203,5 +203,14 @@ variable "referer_allowed_domains" {
variable "pic_sure_resource_id" {
type = string
description = "The resource id for the pic-sure. Used for auth or open HPDS generally"
}

variable "app_acct_id" {
type = string
description = "The account id for the application"
}

variable "app_user_secret_name" {
type = string
description = "The secret name for the application user"
}
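Review bot: The description of `app_user_secret_name`, "The secret name for the application user", is easy to misread as the database user name, while the value is actually the Secrets Manager secret id that standalone.xml places in the datasource `<user-name>` and that the IAM policy in wildfly-iam.tf interpolates into a resource ARN; `description = "Name of the Secrets Manager secret holding the application DB user's credentials (used as the datasource user-name and in the IAM policy ARN)"` would say that. `app_acct_id` is interpolated straight into the same ARN, so a `validation` block with `condition = can(regex("^[0-9]{12}$", var.app_acct_id))` would reject a malformed account id at plan time instead of producing a policy that silently matches nothing.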
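--- a/app-infrastructure/wildfly-iam.tf
+++ b/app-infrastructure/wildfly-iam.tf
@@ -0,0 +1,139 @@
+data "aws_region" "current" {}
+
+resource "aws_iam_instance_profile" "wildfly-deployment-profile" {
+name = "wildfly-deployment-profile-${var.target_stack}-${local.uniq_name}"
+role = aws_iam_role.wildfly-deployment-role.name
+}
+
+resource "aws_iam_role" "wildfly-deployment-role" {
+name = "${local.project_no_space}-wildfly-deployment-role-${var.target_stack}-${local.uniq_name}"
+assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Principal": {
+"Service": "ec2.amazonaws.com"
+},
+"Effect": "Allow",
+"Sid": ""
+}
+]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "wildfly-deployment-sm-policy" {
+name = "wildfly-deployment-sm-policy-${var.target_stack}-${local.uniq_name}"
+role = aws_iam_role.wildfly-deployment-role.id
+policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"secretsmanager:GetSecretValue",
+"secretsmanager:DescribeSecret"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.app_acct_id}:secret:${var.app_user_secret_name}-*"
+}
+]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "attach-cloudwatch-server-policy-to-sm-role" {
+role = aws_iam_role.wildfly-deployment-role.name
+policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "attach-cloudwatch-ssm-policy-to-sm-role" {
+role = aws_iam_role.wildfly-deployment-role.name
+policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy" "wildfly-deployment-s3-policy" {
+name = "wildfly-deployment-s3-policy-${var.target_stack}-${local.uniq_name}"
+role = aws_iam_role.wildfly-deployment-role.id
+policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/releases/jenkins_pipeline_build_${var.stack_githash_long}/pic-sure-wildfly.tar.gz"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/visualization-resource.properties"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/data/${var.dataset_s3_object_key}/fence_mapping.json"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/standalone.xml"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/*"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
+},{
+"Action": [
+"s3:GetObject"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}/modules/*"
+},{
+"Action": [
+"s3:ListBucket"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:s3:::${var.stack_s3_bucket}",
+"Condition": {
+"StringLike": {
+"s3:prefix": [
+"releases/jenkins_pipeline_build_${var.stack_githash_long}/*",
+"configs/jenkins_pipeline_build_${var.stack_githash_long}*",
+"modules/*",
+"data/${var.dataset_s3_object_key}/*"
+]
+}
+}
+},{
+"Action": [
+"ec2:CreateTags"
+],
+"Effect": "Allow",
+"Resource": "arn:aws:ec2:*:*:instance/*"
+}
+]
+}
+EOF
+}
+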
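Review bot: The Secrets Manager statement's `"Resource": "arn:aws:secretsmanager:…:secret:${var.app_user_secret_name}-*"` is a prefix match, so it also grants GetSecretValue on any other secret whose name starts with the same string followed by a hyphen (a `<name>-prod` sibling, for example); the `-*` is only there because secret ARNs carry a random suffix. Resolving the secret with a `data "aws_secretsmanager_secret"` lookup and referencing its `.arn` scopes the grant to exactly one secret, at the cost of requiring the secret to exist before `plan` runs. If the secret is encrypted with a customer-managed KMS key rather than the default `aws/secretsmanager` key, the role additionally needs `kms:Decrypt` on that key or the driver's fetch will fail at runtime; this page does not show how the secret is created, so treat that as something to confirm. The S3 policy was moved from s3_roles.tf unchanged and still lists aggregate-resource.properties twice while the `configs/…/*` wildcard already covers the three explicitly named config objects; trimming the redundant statements would make the effective grant easier to audit.
```hcl
# Scope the grant to one secret's exact ARN instead of a name-prefix wildcard.
data "aws_secretsmanager_secret" "app_user" {
  name = var.app_user_secret_name
}

resource "aws_iam_role_policy" "wildfly-deployment-sm-policy" {
  # … unchanged: name, role, policy heredoc through "Effect": "Allow", …
        "Resource": "${data.aws_secretsmanager_secret.app_user.arn}"
  # … unchanged: remainder of the heredoc …
}
```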