[ALS-6225] PICSURE will use RDS 7 day rotating password (#137)

## [ALS-6225] Integration of AWS Secrets Manager and MySQL Connector Updates for Wildfly Deployment ### Summary: - Implemented AWS Secrets Manager JDBC for managing database credentials, enhancing security by utilizing secrets for loading usernames and passwords. - Updated the Wildfly MySQL module and standalone configuration to include the new MySQL Java Connector, ensuring proper SQL connectivity and aligning secret names with updated standards. - Modified `wildfly-user_data.sh` to correctly reference the updated MySQL connector path and removed outdated MySQL module configurations to streamline deployment. - Refactored IAM roles and policy attachments for Wildfly deployment, improving monitoring and management capabilities by attaching CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore policy. - Streamlined the Terraform configuration by updating IAM instance profiles and segregating IAM resources into `wildfly-iam.tf`, removing duplication. - Enhanced the standalone.xml configuration by adding MySQL and H2 drivers, updating JDBC connection details, and reintroducing the ExampleDS datasource for improved database connectivity. - Documented the configuration and deployment process in a new README.md file, providing clarity on dynamic generation of module.xml during Docker image build. - Performed cleanup by removing obsolete configurations and variables related to AWS region and IAM roles for secret management, ensuring a leaner configuration.
hms-dbmi · Apr 9, 2024 · d20e775 · d20e775
1 parent 05ae75d
commit d20e775
Show file tree

Hide file tree

Showing 9 changed files with 171 additions and 146 deletions.
diff --git a/app-infrastructure/configs/README.md b/app-infrastructure/configs/README.md
@@ -0,0 +1,5 @@
+## Additional Information about WildFly Configuration
+There is no module.xml in this repository. It has been moved to the [pic-sure-wildfly-docker repository](https://github.com/hms-dbmi/pic-sure-wildfly-docker).
+The `module.xml` is created dynamically by the `generate-module-xml.sh` script in the pic-sure-wildfly-docker repository. This script is run when the
+`pic-sure-with-aggregate-resource.Dockerfile` is built. The module.xml is created based on the jars copied into the 
+`opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/` directory in the docker image.
diff --git a/app-infrastructure/configs/standalone.xml b/app-infrastructure/configs/standalone.xml
@@ -164,17 +164,16 @@
                 </datasource>
                 <datasource jndi-name="java:jboss/datasources/AuthDS" pool-name="AuthDS" use-java-context="true">
                     <connection-url>
-                        jdbc:mysql://${picsure-db-host}/auth?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
+                        jdbc-secretsmanager:mysql://${picsure-db-host}/auth?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
                     </connection-url>
-                    <driver>mysql</driver>
+                    <driver>aws-secretsmanager-mysql</driver>
                     <pool>
                         <min-pool-size>2</min-pool-size>
                         <max-pool-size>10</max-pool-size>
                         <prefill>true</prefill>
                     </pool>
                     <security>
-                        <user-name>${picsure-db-username}</user-name>
-                        <password>${picsure-db-password}</password>
+                        <user-name>${app_user_secret_name}</user-name>
                     </security>
                     <validation>
                         <valid-connection-checker
@@ -188,17 +187,16 @@
                 </datasource>
                 <datasource jndi-name="java:jboss/datasources/PicsureDS" pool-name="PicsureDS" use-java-context="true">
                     <connection-url>
-                        jdbc:mysql://${picsure-db-host}/picsure?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
+                        jdbc-secretsmanager:mysql://${picsure-db-host}/picsure?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true
                     </connection-url>
-                    <driver>mysql</driver>
+                    <driver>aws-secretsmanager-mysql</driver>
                     <pool>
                         <min-pool-size>3</min-pool-size>
                         <max-pool-size>10</max-pool-size>
                         <prefill>true</prefill>
                     </pool>
                     <security>
-                        <user-name>${picsure-db-username}</user-name>
-                        <password>${picsure-db-password}</password>
+                        <user-name>${app_user_secret_name}</user-name>
                     </security>
                     <validation>
                         <valid-connection-checker
@@ -217,6 +215,9 @@
                     <driver name="h2" module="com.h2database.h2">
                         <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                     </driver>
+                    <driver name="aws-secretsmanager-mysql" module="com.sql.mysql">
+                        <driver-class>com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver</driver-class>
+                    </driver>
                 </drivers>
             </datasources>
         </subsystem>

diff --git a/app-infrastructure/configs/wildfly_mysql_module.xml b/app-infrastructure/configs/wildfly_mysql_module.xml
diff --git a/app-infrastructure/mysql-connector-j-8.0.33.jar b/app-infrastructure/mysql-connector-j-8.0.33.jar
diff --git a/app-infrastructure/s3_roles.tf b/app-infrastructure/s3_roles.tf
@@ -1,121 +1,3 @@
-
-resource "aws_iam_instance_profile" "wildfly-deployment-s3-profile" {
-  name = "wildfly-deployment-s3-profile-${var.target_stack}-${local.uniq_name}"
-  role = aws_iam_role.wildfly-deployment-s3-role.name
-}
-
-resource "aws_iam_role_policy" "wildfly-deployment-s3-policy" {
-  name   = "wildfly-deployment-s3-policy-${var.target_stack}-${local.uniq_name}"
-  role   = aws_iam_role.wildfly-deployment-s3-role.id
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/releases/jenkins_pipeline_build_${var.stack_githash_long}/pic-sure-wildfly.tar.gz"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/visualization-resource.properties"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/data/${var.dataset_s3_object_key}/fence_mapping.json"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/standalone.xml"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/*"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
-    },{
-      "Action": [
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/modules/*"
-    },{
-      "Action": [
-        "s3:ListBucket"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}",
-      "Condition": {
-        "StringLike": {
-          "s3:prefix": [
-            "releases/jenkins_pipeline_build_${var.stack_githash_long}/*",
-            "configs/jenkins_pipeline_build_${var.stack_githash_long}*",
-            "modules/*",
-            "data/${var.dataset_s3_object_key}/*"
-          ]
-        }
-      }
-    },{
-      "Action": [
-        "ec2:CreateTags"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:ec2:*:*:instance/*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role" "wildfly-deployment-s3-role" {
-  name               = "${local.project_no_space}-wildfly-deployment-s3-role-${var.target_stack}-${local.uniq_name}"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "attach-cloudwatch-server-policy-to-wildfly-role" {
-  role       = aws_iam_role.wildfly-deployment-s3-role.name
-  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
-}
-resource "aws_iam_role_policy_attachment" "attach-cloudwatch-ssm-policy-to-wildfly-role" {
-  role       = aws_iam_role.wildfly-deployment-s3-role.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-}
-
-
 resource "aws_iam_instance_profile" "httpd-deployment-s3-profile" {
   name = "httpd-deployment-s3-profile-${var.target_stack}-${local.uniq_name}"
   role = aws_iam_role.httpd-deployment-s3-role.name

diff --git a/app-infrastructure/scripts/wildfly-user_data.sh b/app-infrastructure/scripts/wildfly-user_data.sh
@@ -33,8 +33,6 @@ sleep 600
 
 s3_copy s3://${stack_s3_bucket}/releases/jenkins_pipeline_build_${stack_githash}/pic-sure-wildfly.tar.gz /home/centos/pic-sure-wildfly.tar.gz
 s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/standalone.xml /home/centos/standalone.xml
-s3_copy s3://${stack_s3_bucket}/modules/mysql/module.xml /home/centos/mysql_module.xml
-s3_copy s3://${stack_s3_bucket}/modules/mysql/mysql-connector-j-8.0.33.jar /home/centos/mysql-connector-j-8.0.33.jar
 s3_copy s3://${stack_s3_bucket}/data/${dataset_s3_object_key}/fence_mapping.json /home/centos/fence_mapping.json
 s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/aggregate-resource.properties /home/centos/aggregate-resource.properties
 s3_copy s3://${stack_s3_bucket}/configs/jenkins_pipeline_build_${stack_githash}/visualization-resource.properties /home/centos/visualization-resource.properties
@@ -51,8 +49,6 @@ sudo docker run -u root --name=wildfly \
                         -v /home/centos/standalone.xml:/opt/jboss/wildfly/standalone/configuration/standalone.xml \
                         -v /home/centos/fence_mapping.json:/usr/local/docker-config/fence_mapping.json \
                         -v /home/centos/aggregate-resource.properties:/opt/jboss/wildfly/standalone/configuration/aggregate-data-sharing/pic-sure-aggregate-resource/resource.properties \
-                        -v /home/centos/mysql_module.xml:/opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/module.xml  \
-                        -v /home/centos/mysql-connector-j-8.0.33.jar:/opt/jboss/wildfly/modules/system/layers/base/com/sql/mysql/main/mysql-connector-j-8.0.33.jar \
                         -v /var/log/wildfly-docker-os-logs/:/var/log/ \
                         -v /home/centos/visualization-resource.properties:/opt/jboss/wildfly/standalone/configuration/visualization/pic-sure-visualization-resource/resource.properties \
                         -p 8080:8080 -e JAVA_OPTS="$JAVA_OPTS" -d $WILDFLY_IMAGE

diff --git a/app-infrastructure/variables.tf b/app-infrastructure/variables.tf
@@ -203,5 +203,14 @@ variable "referer_allowed_domains" {
 variable "pic_sure_resource_id" {
     type = string
     description = "The resource id for the pic-sure. Used for auth or open HPDS generally"
+}
 
+variable "app_acct_id" {
+    type = string
+    description = "The account id for the application"
+}
+
+variable "app_user_secret_name" {
+    type = string
+    description = "The secret name for the application user"
 }
diff --git a/app-infrastructure/wildfly-iam.tf b/app-infrastructure/wildfly-iam.tf
@@ -0,0 +1,139 @@
+data "aws_region" "current" {}
+
+resource "aws_iam_instance_profile" "wildfly-deployment-profile" {
+  name = "wildfly-deployment-profile-${var.target_stack}-${local.uniq_name}"
+  role = aws_iam_role.wildfly-deployment-role.name
+}
+
+resource "aws_iam_role" "wildfly-deployment-role" {
+  name               = "${local.project_no_space}-wildfly-deployment-role-${var.target_stack}-${local.uniq_name}"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "wildfly-deployment-sm-policy" {
+  name   = "wildfly-deployment-sm-policy-${var.target_stack}-${local.uniq_name}"
+  role   = aws_iam_role.wildfly-deployment-role.id
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+      "Action": [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.app_acct_id}:secret:${var.app_user_secret_name}-*"
+      }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "attach-cloudwatch-server-policy-to-sm-role" {
+  role       = aws_iam_role.wildfly-deployment-role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "attach-cloudwatch-ssm-policy-to-sm-role" {
+  role       = aws_iam_role.wildfly-deployment-role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy" "wildfly-deployment-s3-policy" {
+  name   = "wildfly-deployment-s3-policy-${var.target_stack}-${local.uniq_name}"
+  role   = aws_iam_role.wildfly-deployment-role.id
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/releases/jenkins_pipeline_build_${var.stack_githash_long}/pic-sure-wildfly.tar.gz"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/visualization-resource.properties"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/data/${var.dataset_s3_object_key}/fence_mapping.json"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/standalone.xml"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/*"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/configs/jenkins_pipeline_build_${var.stack_githash_long}/aggregate-resource.properties"
+    },{
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}/modules/*"
+    },{
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.stack_s3_bucket}",
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": [
+            "releases/jenkins_pipeline_build_${var.stack_githash_long}/*",
+            "configs/jenkins_pipeline_build_${var.stack_githash_long}*",
+            "modules/*",
+            "data/${var.dataset_s3_object_key}/*"
+          ]
+        }
+      }
+    },{
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:ec2:*:*:instance/*"
+    }
+  ]
+}
+EOF
+}
+