Added sec man to store DB credentials

Author: Saborni

terraform-lambda-aurora-serverless/.gitignore

@@ -1,3 +1,8 @@
 builds/*
 .terraform
 .terraform.*
+function.zip
+src/function/pymysql
+src/function/pymysql/*
+src/function/PyMySQL-1.1.0.dist-info
+src/function/PyMySQL-1.1.0.dist-info/*

terraform-lambda-aurora-serverless/README.md

@@ -1,6 +1,6 @@
 # AWS Lambda function to Amazon Aurora Serverless
 
-The pattern creates a Lambda function and a Amazon Aurora Serverless cluster, a Log group and the IAM resources required to run the application.
+The pattern creates an AWS Lambda function and an Amazon Aurora Serverless cluster, a Log group and the IAM resources required to run the application. The database credentials are stored in AWS Secrets Manager secret.
 
 The Lambda function is written in Python that uses pymysql client to establish connectivity with the serverless database.
 
@@ -22,6 +22,13 @@ terraform init
 terrform deploy
 ```
 
+Naming constraints with Amazon Aurora for Master password:
+- The password for the database master user can include any printable ASCII character except /, ', ", @, or a space.
+- The password can contain the following number of printable ASCII characters depending on the DB engine: Aurora MySQL: 8–41 and Aurora PostgreSQL: 8–99.
+For more information, please refer to [this](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_Limits.html#RDS_Limits.Constraints)
+
+
+
 ## Testing
 
 After deployment, invoke Lambda function with multiple inputs, and go to the Step Function Console and view the different invocations to note the different behavior with the different inputs.

terraform-lambda-aurora-serverless/example-pattern.json

@@ -1,13 +1,14 @@
 {
   "title": "AWS Lambda function to Amazon Aurora Serverless",
-  "description": "The pattern creates a Lambda function and an Amazon Aurora Cluster with Serverless instance.",
+  "description": "The pattern creates a Lambda function and an Amazon Aurora Cluster with Serverless instance. The Database credentials are stored and accessed from AWS Secrets Manager.",
   "language": "Python",
-  "level": "200",
+  "level": "300",
   "framework": "Terraform",
   "introBox": {
     "headline": "How it works",
     "text": [
       "The pattern creates a Lambda function and an Amazon Aurora Cluster with Serverless instance.",
+      "The Database credentials are stored and accessed from AWS Secrets Manager.",
       "It also guides how to invoke the function to access the database."
     ]
   },

terraform-lambda-aurora-serverless/main.tf

@@ -142,6 +142,24 @@ resource "aws_security_group" "aurora_sg" {
   }
 }
 
+# Secrets Manager Configuration - stores db credentials
+
+resource "aws_secretsmanager_secret" "aurora_secret" {
+  name = "aurora-db-credentials"
+  tags = {
+    Environment = var.environment
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "aurora_secret_version" {
+  secret_id = aws_secretsmanager_secret.aurora_secret.id
+  secret_string = jsonencode({
+    username = var.db_username
+    password = var.db_password
+  })
+}
+
+
 # Aurora Configuration
 resource "aws_db_subnet_group" "aurora_subnet_group" {
   name       = "aurora-subnet-group"
@@ -159,8 +177,8 @@ resource "aws_rds_cluster" "aurora_cluster" {
   engine_version         = "8.0.mysql_aurora.3.04.1"
   engine_mode            = "provisioned"
   database_name          = var.database_name
-  master_username        = var.db_username
-  master_password        = var.db_password
+  master_username        = jsondecode(aws_secretsmanager_secret_version.aurora_secret_version.secret_string)["username"]
+  master_password        = jsondecode(aws_secretsmanager_secret_version.aurora_secret_version.secret_string)["password"]
   storage_encrypted      = true
   skip_final_snapshot    = true
   db_subnet_group_name   = aws_db_subnet_group.aurora_subnet_group.name
@@ -230,7 +248,8 @@ resource "aws_iam_role_policy" "lambda_policy" {
           "logs:PutLogEvents",
           "ec2:CreateNetworkInterface",
           "ec2:DescribeNetworkInterfaces",
-          "ec2:DeleteNetworkInterface"
+          "ec2:DeleteNetworkInterface",
+          "secretsmanager:GetSecretValue"
         ]
         Resource = "*"
       }
@@ -268,8 +287,7 @@ resource "aws_lambda_function" "aurora_lambda" {
     variables = {
       DB_ENDPOINT = aws_rds_cluster.aurora_cluster.endpoint
       DB_NAME     = var.database_name
-      DB_USERNAME = var.db_username
-      DB_PASSWORD = var.db_password
+      SECRET_ARN  = aws_secretsmanager_secret.aurora_secret.arn
     }
   }
 

terraform-lambda-aurora-serverless/src/function/app.py

@@ -1,20 +1,34 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
-
 import os
 import json
 import pymysql
 import logging
+import boto3
 
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 
+session = boto3.session.Session()
+client = session.client('secretsmanager')
+
+host = os.environ['DB_ENDPOINT']
+database = os.environ['DB_NAME']
+secret_name = os.environ['SECRET_ARN']
+
+def get_secret():
+    try:
+        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
+    except ClientError as e:
+        raise e
+    else:
+        if 'SecretString' in get_secret_value_response:
+            secret = json.loads(get_secret_value_response['SecretString'])
+            logger.info(f"value of password: {secret['password']}")
+            return secret['username'], secret['password']
+
 def lambda_handler(event, context):
-    # Get database connection info from environment variables
-    host = os.environ['DB_ENDPOINT']
-    database = os.environ['DB_NAME']
-    username = os.environ['DB_USERNAME']
-    password = os.environ['DB_PASSWORD']
+    username, password = get_secret()
 
     try:
         # Attempt database connection

terraform-lambda-aurora-serverless/variables.tf

@@ -22,6 +22,7 @@ variable "db_username" {
   default     = "admin"
 }
 
+# Example of valid password: "MyDBPassword123!"
 variable "db_password" {
   description = "Database administrator password, please change it"
   type        = string

terraform-lambda-aurora-serverless/versions.tf

@@ -1,5 +1,3 @@
-
-
 terraform {
   required_providers {
     aws = {