convert user/pass parameters to secure ssm

Guslington · Guslington · commit 0e99922c2f49 · 2018-11-02T13:24:21.000+11:00
diff --git a/aurora-postgres.cfhighlander.rb b/aurora-postgres.cfhighlander.rb
@@ -1,9 +1,14 @@
 CfhighlanderTemplate do
+
+  Name 'aurora-postgres'
+  Description "Highlander Aurora Postgres component #{component_version}"
   DependsOn 'vpc@1.2.0'
+
   Parameters do
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
     ComponentParam 'EnvironmentType', 'development', isGlobal: true, allowedValues: ['development', 'production']
     ComponentParam 'StackOctet', isGlobal: true
+
     MappingParam('WriterInstanceType') do
       map 'EnvironmentType'
       attribute 'WriterInstanceType'
@@ -19,10 +24,8 @@
     maximum_availability_zones.times do |az|
       ComponentParam "SubnetPersistence#{az}"
     end
+
     ComponentParam 'SnapshotID'
-    ComponentParam 'MasterUsername', 'master'
-    ComponentParam 'MasterUserPassword', 'pa33w0rd'
-    
     ComponentParam 'EnableReader', 'false'
     ComponentParam 'VPCId', type: 'AWS::EC2::VPC::Id'
   end
diff --git a/aurora-postgres.cfndsl.rb b/aurora-postgres.cfndsl.rb
@@ -39,8 +39,8 @@
     DBClusterParameterGroupName Ref(:DBClusterParameterGroup)
     SnapshotIdentifier Ref(:SnapshotID)
     SnapshotIdentifier FnIf('UseSnapshotID',Ref(:SnapshotID), Ref('AWS::NoValue'))
-    MasterUsername FnIf('UseUsernameAndPassword',Ref(:MasterUsername), Ref('AWS::NoValue'))
-    MasterUserPassword FnIf('UseUsernameAndPassword',Ref(:MasterUserPassword), Ref('AWS::NoValue'))
+    MasterUsername  FnIf('UseUsernameAndPassword', FnJoin('', [ '{{resolve:ssm:', FnSub(master_login['username_ssm_param']), ':1}}' ]), Ref('AWS::NoValue'))
+    MasterUserPassword FnIf('UseUsernameAndPassword', FnJoin('', [ '{{resolve:ssm-secure:', FnSub(master_login['password_ssm_param']), ':1}}' ]), Ref('AWS::NoValue'))
     DBSubnetGroupName Ref(:DBClusterSubnetGroup)
     VpcSecurityGroupIds [ Ref(:SecurityGroup) ]
     Port cluster_port
diff --git a/aurora-postgres.config.yaml b/aurora-postgres.config.yaml
@@ -3,6 +3,10 @@ hostname: aurora2pg
 
 cluster_port: 5432
 
+master_login:
+  username_ssm_param: /rds/AURORA_POSTGRES_MASTER_USERNAME
+  password_ssm_param: /rds/AURORA_POSTGRES_MASTER_PASSWORD
+
 # cluster_parameters:
 
 # instance_parameters:
