aitbc/infra/terraform/environments/secrets.tf
AITBC System b033923756 chore: normalize file permissions across repository
- Remove executable permissions from configuration files (.editorconfig, .env.example, .gitignore)
- Remove executable permissions from documentation files (README.md, LICENSE, SECURITY.md)
- Remove executable permissions from web assets (HTML, CSS, JS files)
- Remove executable permissions from data files (JSON, SQL, YAML, requirements.txt)
- Remove executable permissions from source code files across all apps
- Add executable permissions to Python
2026-03-08 11:26:18 +01:00


# Secrets management configuration
# Uses AWS Secrets Manager for sensitive values
# ---------------------------------------------------------------------------
# Database credentials
# ---------------------------------------------------------------------------
# Resolve the secret by its conventional name, fetch the current version of
# its payload, and decode that JSON payload into local.db_credentials.
# The decoded object is consumed below with the fields username, password,
# host, port and database.
# NOTE: data-source attributes (including the decoded payload) are written to
# Terraform state, so the state backend must be treated as secret-bearing.
data "aws_secretsmanager_secret" "db_credentials" {
  name = format("aitbc/%s/db-credentials", var.environment)
}

data "aws_secretsmanager_secret_version" "db_credentials" {
  secret_id = data.aws_secretsmanager_secret.db_credentials.id
}

locals {
  # Current secret payload, parsed from its JSON string form.
  db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
}
# ---------------------------------------------------------------------------
# API keys
# ---------------------------------------------------------------------------
# Same lookup chain as the database credentials: secret by name, then its
# current version, then the JSON payload decoded into local.api_keys.
# The consumers below read the fields coordinator, explorer and admin.
# NOTE: the decoded payload lands in Terraform state; protect the backend.
data "aws_secretsmanager_secret" "api_keys" {
  name = format("aitbc/%s/api-keys", var.environment)
}

data "aws_secretsmanager_secret_version" "api_keys" {
  secret_id = data.aws_secretsmanager_secret.api_keys.id
}

locals {
  # Current secret payload, parsed from its JSON string form.
  api_keys = jsondecode(data.aws_secretsmanager_secret_version.api_keys.secret_string)
}
# ---------------------------------------------------------------------------
# Wallet encryption keys
# ---------------------------------------------------------------------------
# Lookup chain for the wallet key material: secret by name, current version,
# JSON payload decoded into local.wallet_keys. The consumer below reads the
# fields encryption_key and signing_key.
# NOTE: this is long-lived key material; it is written to Terraform state by
# the data sources, so the state backend must be treated as secret-bearing.
data "aws_secretsmanager_secret" "wallet_keys" {
  name = format("aitbc/%s/wallet-keys", var.environment)
}

data "aws_secretsmanager_secret_version" "wallet_keys" {
  secret_id = data.aws_secretsmanager_secret.wallet_keys.id
}

locals {
  # Current secret payload, parsed from its JSON string form.
  wallet_keys = jsondecode(data.aws_secretsmanager_secret_version.wallet_keys.secret_string)
}
# ---------------------------------------------------------------------------
# Kubernetes Secrets materialised from the AWS Secrets Manager payloads
# ---------------------------------------------------------------------------
# Opaque Secret "db-credentials" in namespace "aitbc". Each key is copied
# one-to-one from the decoded payload; the provider base64-encodes `data`
# values, so plain strings are supplied here.
resource "kubernetes_secret" "db_credentials" {
  type = "Opaque"

  metadata {
    name      = "db-credentials"
    namespace = "aitbc"
  }

  # Key names are identical in the payload and in the Secret, so the mapping
  # is a straight projection of the listed fields.
  data = {
    for field in ["username", "password", "host", "port", "database"] :
    field => local.db_credentials[field]
  }
}
# Opaque Secret "api-keys" in namespace "aitbc". The Secret keys carry an
# `_api_key` suffix that the source payload does not, so an explicit
# Secret-key -> payload-field mapping is used.
resource "kubernetes_secret" "api_keys" {
  type = "Opaque"

  metadata {
    name      = "api-keys"
    namespace = "aitbc"
  }

  data = {
    for secret_key, payload_field in {
      coordinator_api_key = "coordinator"
      explorer_api_key    = "explorer"
      admin_api_key       = "admin"
    } :
    secret_key => local.api_keys[payload_field]
  }
}
# Opaque Secret "wallet-keys" in namespace "aitbc", holding the wallet
# encryption and signing keys under the same key names as the payload.
resource "kubernetes_secret" "wallet_keys" {
  type = "Opaque"

  metadata {
    name      = "wallet-keys"
    namespace = "aitbc"
  }

  # Straight projection: payload field names match the Secret keys.
  data = {
    for field in ["encryption_key", "signing_key"] :
    field => local.wallet_keys[field]
  }
}
# External Secrets Operator (alternative approach)
# Uncomment if the external-secrets operator is installed in the cluster. With
# this approach the operator, rather than Terraform, reads the values from AWS
# Secrets Manager and syncs them into the Kubernetes Secret.
#
# resource "kubernetes_manifest" "external_secret_db" {
# manifest = {
# apiVersion = "external-secrets.io/v1beta1"
# kind = "ExternalSecret"
# metadata = {
# name = "db-credentials"
# namespace = "aitbc"
# }
# spec = {
# refreshInterval = "1h"
# secretStoreRef = {
# name = "aws-secrets-manager"
# kind = "ClusterSecretStore"
# }
# target = {
# name = "db-credentials"
# }
# data = [
# {
# secretKey = "username"
# remoteRef = {
# key = "aitbc/${var.environment}/db-credentials"
# property = "username"
# }
# },
# {
# secretKey = "password"
# remoteRef = {
# key = "aitbc/${var.environment}/db-credentials"
# property = "password"
# }
# }
# ]
# }
# }
# }