Merge pull request #33 from ajschofield/tf-secrets-manager

PR: merge secrets manager with extract_lambda
author: lian-manonog <160282780+lian-manonog@users.noreply.github.com> 2024-08-15 13:58:46 +0100
committer: GitHub <noreply@github.com> 2024-08-15 13:58:46 +0100
commit: 2309062a8099c04bedd7f88638abf03ebf5f5171 (patch)
tree: 1bdebb2046a9b1356faa2fe902d9187601ecb3f7
parent: 848a86b7f3b9c5ce16cd774d19e3fa62ca8ffc68 (diff)
parent: a009ffe72a2005e72e67345f728539e500b899f5 (diff)
download: de-project-bentley-2309062a8099c04bedd7f88638abf03ebf5f5171.tar.gz
de-project-bentley-2309062a8099c04bedd7f88638abf03ebf5f5171.zip
16 files changed, 600 insertions, 121 deletions
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
new file mode 100644
index 0000000..7d5b5b1
--- /dev/null
+++ b/.github/workflows/python.yml
@@ -0,0 +1,50 @@
+name: python-quality-checks
+
+on:
+    push:
+        branches: [development]
+    pull_request:
+        branches: [development, staging]
+
+jobs:
+
+    check-if-py-files-exist:
+        runs-on: ubuntu-latest
+        outputs:
+            py_files_exist: ${{ steps.check.outputs.py_files_exist }}
+        steps:
+            - uses: actions/checkout@v2
+            - id: check_files
+              run: |
+                if [ -n "$(find . -name '*.py')" ]; then
+                    echo "::set-output name=py_files_exist::true"
+                else
+                    echo "::set-output name=py_files_exist::false"
+                fi
+
+    quality-checks:
+        needs: check-if-py-files-exist
+        if: ${{ needs.check-if-py-files-exist.outputs.py_files_exist == 'true' }}
+        runs-on: ubuntu-latest
+        steps:
+            - uses : actions/checkout@v2
+            - name : Setup
+              uses : actions/setup-python@v2
+              with:
+                python-version: 3.11
+            - name : Dependencies
+              run: |
+                python -m pip install --upgrade pip
+                pip install flake8 pylint black bandit safety
+            - name : Linting
+              run: |
+                flake8 .
+                find . -name "*.py" | xargs pylint
+            - name : Formatting
+              run: |
+                black --check .
+            - name: Security
+              run: |
+                bandit -r .
+                safety check
+                
+\ No newline at end of file
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
new file mode 100644
index 0000000..c349756
--- /dev/null
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,37 @@
+name: terraform-quality-checks
+
+on:
+    push:
+        branches: [development]
+        paths:
+            - 'terraform/**.tf'
+            - 'terraform/**.tfvars'
+    pull_request:
+        branches: [development, staging]
+        paths:
+            - 'terraform/**.tf'
+            - 'terraform/**.tfvars'
+jobs:
+    terraform-validation:
+        runs-on: ubuntu-latest
+        defaults:
+            run:
+                working-directory: ./terraform
+        steps:
+            - uses: actions/checkout@v2
+            - name: Setup Terraform
+              uses: hashicorp/setup-terraform@v1
+              with:
+                  terraform_version: latest # Using the latest version, but not sure if it's the best practice
+            - name: Format
+              run: terraform fmt -check -recursive
+            - name: Init
+              run: terraform init -backend=false
+            - name: Validate
+              run: terraform validate
+            - name: Setup TFLint
+              uses: terraform-linters/setup-tflint@v2
+              with:
+                  tflint_version: latest
+            - name: Run TFLint
+              run: tflint -f compact
+\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 428f94e..882adda 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,14 @@
+*.tfstate
+*.tfstate.*
+*.tfvars
+*.tfvars.json
+.terraform.tfstate.lock.info
+*.zip
+.terraform/
+.terraform*
+log*
+.DS_Store
+
 venv
 .env
-__pycache__/
-\ No newline at end of file
+__pycache__/
diff --git a/events.tf b/events.tf
deleted file mode 100644
index 25fb35b..0000000
--- a/events.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-resource "aws_cloudwatch_event_rule" "lambda_trigger" {
-  name                = "lambda-scheduled-trigger"
-  description         = "Schedule to trigger the Lambda function"
-  schedule_expression = "rate(30 minutes)"
-  
-#   event_pattern = jsonencode({
-#     detail-type = [
-#       "AWS Console Sign In via CloudTrail"
-#     ]
-#   })
-}
-
-
-resource "aws_cloudwatch_event_target" "lambda" {
-  rule      = aws_cloudwatch_event_rule.lambda_trigger.name
-  target_id = "TargetFunctionV1"
-  arn       = aws_lambda_function.my_lambda_function.arn
-}
-
-
-
-resource "aws_lambda_permission" "allow_eventbridge" {
-  statement_id  = "AllowExecutionFromEventBridge"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.my_lambda_function.function_name 
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.lambda_trigger.arn  
-}
-
-
-# below is step function 1
-resource "aws_lambda_permission" "allow_s3_ingestion" {
-  statement_id  = "AllowS3InvokeLambdaTransform"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.lambda_transform.function_name
-  principal     = "s3.amazonaws.com"
-  source_arn    = aws_s3_bucket.extract.arn
-}
-
-
-resource "aws_s3_bucket_notification" "extract_bucket_notification" {
-  bucket = aws_s3_bucket.extract.id
-
-  lambda_function {
-    events             = ["s3:ObjectCreated:*"]  
-    lambda_function_arn = aws_lambda_function.lambda_transform.arn
-  }
-
-  depends_on = [aws_lambda_permission.allow_s3_ingestion]
-}
-
-# need to duplicate and replace "2" with "3"
-\ No newline at end of file
diff --git a/src/extract_lambda.py b/src/extract_lambda.py
index a70ecdd..56b47a6 100644
--- a/src/extract_lambda.py
+++ b/src/extract_lambda.py
@@ -7,9 +7,11 @@ import logging
 import json
 from datetime import datetime
 
+
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 
+
 class DBConnectionException(Exception):
     """Wraps pg8000.native Error or DatabaseError."""
 
diff --git a/src/load_lambda.py b/src/load_lambda.py
index e69de29..6ee681f 100644
--- a/src/load_lambda.py
+++ b/src/load_lambda.py
@@ -0,0 +1,2 @@
+def lambda_handler():
+    pass
+\ No newline at end of file
diff --git a/src/secrets_manager.py b/src/secrets_manager.py
new file mode 100644
index 0000000..c0fb61e
--- /dev/null
+++ b/src/secrets_manager.py
@@ -0,0 +1,48 @@
+import boto3
+from botocore.exceptions import ClientError
+import json
+
+
+def sm_client():
+    sm_client = boto3.client('secretsmanager')
+    yield sm_client
+
+def create_secret(sm_client, secret_name, cohort_id, user, password, host, database, port):
+    secret = {
+        "cohort_id": cohort_id,
+        "user": user,
+        "password": password,
+        "host": host,
+        "database": database,
+        "port": port
+    }
+
+    response = sm_client.create_secret(
+        Name = secret_name,
+        SecretString = json.dumps(secret)
+    )
+
+    print(response)
+    return response
+
+def list_secret(sm_client):
+    response = sm_client.list_secrets()
+    secret_dict = response['SecretList']
+    secret_names = []
+    for items in secret_dict:
+        secret_names.append(items['Name'])
+    print(f'{len(secret_names)} secret(s) available')
+    for name in secret_names:
+        print(name)
+    return secret_names
+
+def retrieve_secrets(sm_client):
+    response = sm_client.get_secrets(
+        
+    )
+
+
+
+#retrieve secret
+#so lambda can access totesy db
+#so lambda connect to the db and then retrieve the data
+\ No newline at end of file
diff --git a/src/transform_lambda.py b/src/transform_lambda.py
index e69de29..6ee681f 100644
--- a/src/transform_lambda.py
+++ b/src/transform_lambda.py
@@ -0,0 +1,2 @@
+def lambda_handler():
+    pass
+\ No newline at end of file
diff --git a/terraform/events.tf b/terraform/events.tf
index 4d68a23..263141f 100644
--- a/terraform/events.tf
+++ b/terraform/events.tf
@@ -1,72 +1,91 @@
+resource "random_string" "eventbridge_suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+resource "random_string" "s3_ingestion_suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+resource "random_string" "s3_transform_suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
 resource "aws_cloudwatch_event_rule" "lambda_trigger" {
   name                = "lambda-scheduled-trigger"
   description         = "Schedule to trigger the Lambda function"
   schedule_expression = "rate(30 minutes)"
-  
-#   event_pattern = jsonencode({
-#     detail-type = [
-#       "AWS Console Sign In via CloudTrail"
-#     ]
-#   })
 }
 
-
-resource "aws_cloudwatch_event_target" "lambda" {
-  rule      = aws_cloudwatch_event_rule.lambda_trigger.name
-  target_id = "TargetFunctionV1"
-  arn       = aws_lambda_function.my_lambda_function.arn
+resource "aws_cloudwatch_event_target" "extract_lambda_cw_event" {
+  rule       = aws_cloudwatch_event_rule.lambda_trigger.name
+  target_id  = "TargetFunctionV1"
+  arn        = aws_lambda_function.extract_lambda.arn #replaced lambda name placeholder
+  depends_on = [aws_lambda_permission.allow_eventbridge]
 }
 
-
-
 resource "aws_lambda_permission" "allow_eventbridge" {
-  statement_id  = "AllowExecutionFromEventBridge"
+  statement_id  = "AllowExecutionFromEventBridge${random_string.eventbridge_suffix.result}"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.my_lambda_function.function_name 
+  function_name = aws_lambda_function.extract_lambda.function_name
   principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.lambda_trigger.arn  
-}
+  source_arn    = aws_cloudwatch_event_rule.lambda_trigger.arn
 
+  lifecycle {
+    replace_triggered_by = [random_string.eventbridge_suffix]
+  }
+}
 
 # below is step function 1
 resource "aws_lambda_permission" "allow_s3_ingestion" {
-  statement_id  = "AllowS3InvokeLambdaTransform"
+  statement_id  = "AllowS3InvokeLambdaTransform${random_string.s3_ingestion_suffix.result}"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.lambda_transform.function_name
+  function_name = aws_lambda_function.transform_lambda.function_name #replaced lambda name placeholder
   principal     = "s3.amazonaws.com"
-  source_arn    = aws_s3_bucket.extract.arn
+  source_arn    = aws_s3_bucket.extract_bucket.arn #replaced bucket name placeholder
+
+  lifecycle {
+    replace_triggered_by = [random_string.s3_ingestion_suffix]
+  }
 }
 
 
 resource "aws_s3_bucket_notification" "extract_bucket_notification" {
-  bucket = aws_s3_bucket.extract.id
+  bucket = aws_s3_bucket.extract_bucket.id #replaced bucket name placeholder
 
   lambda_function {
-    events             = ["s3:ObjectCreated:*"]  
-    lambda_function_arn = aws_lambda_function.lambda_transform.arn
+    events              = ["s3:ObjectCreated:*"]
+    lambda_function_arn = aws_lambda_function.transform_lambda.arn #replaced lambda name placeholder
   }
 
   depends_on = [aws_lambda_permission.allow_s3_ingestion]
 }
 
-######
-
-resource "aws_lambda_permission" "allow_s3_transfrom_bucket" {
-  statement_id  = "AllowS3InvokeLambdaTransform"
+resource "aws_lambda_permission" "allow_s3_transform_bucket" {
+  statement_id  = "AllowS3InvokeLambdaTransform${random_string.s3_transform_suffix.result}"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.lambda_transform.function_name
+  function_name = aws_lambda_function.transform_lambda.function_name #replaced lambda name placeholder
   principal     = "s3.amazonaws.com"
-  source_arn    = aws_s3_bucket.transform.arn
+  source_arn    = aws_s3_bucket.transform_bucket.arn #replaced bucket name placeholder
+
+  lifecycle {
+    replace_triggered_by = [random_string.s3_transform_suffix]
+  }
 }
 
 
 resource "aws_s3_bucket_notification" "transform_bucket_notification" {
-  bucket = aws_s3_bucket.transform.id
+  bucket = aws_s3_bucket.transform_bucket.id #replaced bucket name placeholder
 
   lambda_function {
-    events             = ["s3:ObjectCreated:*"]  
-    lambda_function_arn = aws_lambda_function.lambda_transform.arn
+    events              = ["s3:ObjectCreated:*"]
+    lambda_function_arn = aws_lambda_function.transform_lambda.arn #replaced lambda name placeholder
   }
 
-  depends_on = [aws_lambda_permission.allow_s3_transform]
-}
-\ No newline at end of file
+  depends_on = [aws_lambda_permission.allow_s3_transform_bucket]
+}
diff --git a/terraform/iam.tf b/terraform/iam.tf
new file mode 100644
index 0000000..0e5fa6d
--- /dev/null
+++ b/terraform/iam.tf
@@ -0,0 +1,158 @@
+# Description: This file contains the IAM roles and policies for the lambda functions
+########################################################################
+# IAM MULTI-ROLE SETUP
+########################################################################
+
+# DEFINE MULTI-SERVICE ROLE (lambda, s3, cloudwatch, events)
+resource "aws_iam_role" "multi_service_role" {
+  name = "multi_service_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "lambda.amazonaws.com",
+            "scheduler.amazonaws.com"
+          ]
+        }
+      }
+    ]
+  })
+}
+
+
+########################################################################
+# S3 SETUP                                                        
+# Description: allows allows retention/tagging/access control settings
+# Lambda IAM Policy for S3 Write
+########################################################################
+
+# S3 DEFINE POLICY
+data "aws_iam_policy_document" "s3_data_policy_doc" {
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectRetention",
+      "s3:PutObjectTagging",
+      "s3:PutObjectAcl"
+    ]
+    resources = [
+      "${aws_s3_bucket.extract_bucket.arn}/*",
+      "${aws_s3_bucket.transform_bucket.arn}/*",
+      "${aws_s3_bucket.lambda_code_bucket.arn}/*",
+    ]
+  }
+}
+
+
+########################################################################
+# LAMBDA SETUP
+# Description: Allows Lambda permission to write to Cloudwatch logs
+########################################################################
+
+resource "aws_iam_policy" "lambda_execution_policy" {
+  name        = "lambda_execution_policy"
+  path        = "/"
+  description = "IAM policy for Lambda execution"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "lambda:InvokeFunction",
+          "lambda:GetFunction"
+        ]
+        Resource = "*"
+      }
+    ]
+    }
+  )
+}
+
+########################################################################
+# CLOUDWATCH SETUP
+# Description: Give permission for Lambda to write to CloudWatch logs
+########################################################################
+
+data "aws_iam_policy_document" "cw_document" {
+  statement {
+    actions = ["logs:CreateLogGroup"]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "cw_policy" {
+  name   = "cw_policy"
+  policy = data.aws_iam_policy_document.cw_document.json
+}
+
+########################################################################
+# POLICY WRITE & ATTACH
+########################################################################
+
+# S3 WRITE POLICY
+resource "aws_iam_policy" "s3_write_policy" {
+  policy = data.aws_iam_policy_document.s3_data_policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "s3_attachment" {
+  role       = aws_iam_role.multi_service_role.name
+  policy_arn = aws_iam_policy.s3_write_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_attachment" {
+  role       = aws_iam_role.multi_service_role.name
+  policy_arn = aws_iam_policy.lambda_execution_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "cw_attachment" {
+  role       = aws_iam_role.multi_service_role.name
+  policy_arn = aws_iam_policy.cw_policy.arn
+}
+
+###################
+# EVENTS POLICIES #
+###################
+
+data "aws_iam_policy_document" "cloudwatch_events_policy" {
+  statement {
+    actions = [
+      "events:PutRule",
+      "events:PutTargets",
+      "events:RemoveTargets",
+      "events:DeleteRule",
+      "events:PutEvents"
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch_events_policy" {
+  name   = "cloudwatch_events_policy"
+  policy = data.aws_iam_policy_document.cloudwatch_events_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_events_attachment" {
+  role       = aws_iam_role.multi_service_role.name
+  policy_arn = aws_iam_policy.cloudwatch_events_policy.arn
+}
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
new file mode 100644
index 0000000..72d1306
--- /dev/null
+++ b/terraform/lambda.tf
@@ -0,0 +1,83 @@
+# Extract Lambda Function
+data "archive_file" "extract_lambda_zip" {
+  type        = "zip"
+  source_file = "${path.module}/../src/extract_lambda.py"
+  output_path = "${path.module}/../extract_function.zip"
+}
+resource "aws_s3_object" "extract_lambda_code" {
+  bucket = aws_s3_bucket.lambda_code_bucket.bucket
+  key    = "${var.extract_lambda_name}/extract_function.zip"
+  source = data.archive_file.extract_lambda_zip.output_path
+  etag   = filemd5(data.archive_file.extract_lambda_zip.output_path)
+}
+
+resource "aws_lambda_function" "extract_lambda" {
+  function_name = var.extract_lambda_name
+  s3_bucket     = aws_s3_bucket.lambda_code_bucket.bucket
+  s3_key        = aws_s3_object.extract_lambda_code.key
+  role          = aws_iam_role.multi_service_role.arn
+  handler       = "extract_lambda.extract"
+  runtime       = "python3.11"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_s3_object.extract_lambda_code]
+}
+
+# Transform Lambda Function
+data "archive_file" "transform_lambda_zip" {
+  type        = "zip"
+  source_file = "${path.module}/../src/transform_lambda.py"
+  output_path = "${path.module}/../transform_function.zip"
+}
+resource "aws_s3_object" "transform_lambda_code" {
+  bucket = aws_s3_bucket.lambda_code_bucket.bucket
+  key    = "${var.transform_lambda_name}/transform_function.zip"
+  source = data.archive_file.transform_lambda_zip.output_path
+  etag   = filemd5(data.archive_file.transform_lambda_zip.output_path)
+}
+
+resource "aws_lambda_function" "transform_lambda" {
+  function_name = var.transform_lambda_name
+  s3_bucket     = aws_s3_bucket.lambda_code_bucket.bucket
+  s3_key        = aws_s3_object.transform_lambda_code.key
+  role          = aws_iam_role.multi_service_role.arn
+  handler       = "transform_lambda.transform"
+  runtime       = "python3.11"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_s3_object.transform_lambda_code]
+}
+
+# Load Lambda Function
+data "archive_file" "load_lambda_zip" {
+  type        = "zip"
+  source_file = "${path.module}/../src/load_lambda.py"
+  output_path = "${path.module}/../load_function.zip"
+}
+resource "aws_s3_object" "load_lambda_code" {
+  bucket = aws_s3_bucket.lambda_code_bucket.bucket
+  key    = "${var.load_lambda_name}/load_function.zip"
+  source = data.archive_file.load_lambda_zip.output_path
+  etag   = filemd5(data.archive_file.load_lambda_zip.output_path)
+}
+
+resource "aws_lambda_function" "load_lambda" {
+  function_name = var.load_lambda_name
+  s3_bucket     = aws_s3_bucket.lambda_code_bucket.bucket
+  s3_key        = aws_s3_object.load_lambda_code.key
+  role          = aws_iam_role.multi_service_role.arn
+  handler       = "load_lambda.load"
+  runtime       = "python3.11"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_s3_object.load_lambda_code]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
index 3ca9a3d..3b06701 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,26 +1,26 @@
 terraform {
   required_providers {
     aws = {
-        source = "hashicorp/aws"
-        version = "~>5.0"
+      source  = "hashicorp/aws"
+      version = "~>5.0"
     }
   }
   backend "s3" {
-    bucket = "bentley-secrets"
-    key = "bentley-project/terraform.tfstate"
+    bucket = "bentley-project-secrets"
+    key    = "bentley-project/terraform.tfstate"
     region = "eu-west-2"
   }
 }
 
 provider "aws" {
-    region =  "eu-west-2" 
-    default_tags {
-      tags = {
-        ProjectName = "Terrific-Totes"
-        Team = "Team-Bentley"
-        Environment = "Dev"
-        GitHubRepo = "de-project-bentley"
-        ManagedBy = "Terraform"
-      }
+  region = "eu-west-2"
+  default_tags {
+    tags = {
+      ProjectName = "Terrific-Totes"
+      Team        = "Team-Bentley"
+      Environment = "Dev"
+      GitHubRepo  = "de-project-bentley"
+      ManagedBy   = "Terraform"
     }
-}
-\ No newline at end of file
+  }
+}
diff --git a/terraform/rds.tf b/terraform/rds.tf
new file mode 100644
index 0000000..4b25c5f
--- /dev/null
+++ b/terraform/rds.tf
@@ -0,0 +1,78 @@
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.77.0"
+
+  name                 = "${var.project_name}"
+  cidr                 = "10.0.0.0/16"
+  azs                  = data.aws_availability_zones.available.names
+  public_subnets       = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+}
+
+resource "aws_db_subnet_group" "Terrific-Totes-sub-gr" {
+  name       = "TT-db-subnet"
+  subnet_ids = module.vpc.public_subnets
+
+  tags = {
+    Name = "${var.project_name}"
+  }
+}
+
+resource "aws_security_group" "rds" {
+  name   = "${var.project_name}-rds"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.project_name}-rds"
+  }
+}
+
+resource "aws_db_parameter_group" "Terrific-Totes-param-gr" {
+  name   = "TT-db-param"
+  family = "postgres14"
+
+  parameter {
+    name  = "log_connections"
+    value = "1"
+  }
+}
+
+resource "aws_db_instance" "Terrific-Totes-rds" {
+  db_name                = "${var.project_name}"
+  instance_class         = "db.t3.micro"
+  allocated_storage      = 5
+  engine                 = "postgres"
+  engine_version         = "14.1"
+  username               = "user credentials for the root user" # we could use .env here
+  password               = "user password for the root user" # we could use .env here
+  ### alternatively to providing username nad password we can specify:
+# resource "aws_kms_key" "example_key" {
+#       description = "Example KMS Key"
+# }
+# within the resource:
+#   manage_master_user_password   = true
+#   master_user_secret_kms_key_id = aws_kms_key.example.key_id
+# }
+  db_subnet_group_name   = aws_db_subnet_group.Terrific-Totes-sub-gr.name
+  vpc_security_group_ids = [aws_security_group.rds.id]
+  parameter_group_name   = aws_db_parameter_group.Terrific-Totes-param-gr.name
+  publicly_accessible    = false
+  skip_final_snapshot    = true
+}
+\ No newline at end of file
diff --git a/terraform/s3.tf b/terraform/s3.tf
index bfe891e..d5cdee3 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,17 +1,14 @@
+### EXTRACT BUCKET SET-UP
 resource "aws_s3_bucket" "extract_bucket" {
-    bucket = "${var.s3_extract_bucket_name}"
+  bucket_prefix = "${var.s3_extract_bucket_name}-"
 }
 
+### TRANSFORM BUCKET SET-UP
 resource "aws_s3_bucket" "transform_bucket" {
-    bucket = "${var.s3_transform_bucket_name}"
+  bucket_prefix = "${var.s3_transform_bucket_name}-"
 }
 
-resource "aws_s3_bucket" "lambda_bucket" {
-    bucket = "${var.s3_code_bucket_name}"
+### LAMBDA BUCKET
+resource "aws_s3_bucket" "lambda_code_bucket" {
+  bucket_prefix = "${var.s3_code_bucket_name}-"
 }
-
-resource "aws_s3_object" "extract_lambda_code" {
-  bucket = aws_s3_bucket.s3_code_bucket_name.bucket
-  key = "${var.extract_lambda_name}/function_e.zip"
-  source = "${path.module}/../function_e.zip"
-}
-\ No newline at end of file
diff --git a/terraform/vars.tf b/terraform/vars.tf
index fa84222..d5cdafb 100644
--- a/terraform/vars.tf
+++ b/terraform/vars.tf
@@ -1,28 +1,38 @@
 variable "s3_extract_bucket_name" {
-    type = string
-    default = "extract-bucket"
+  type    = string
+  default = "extract-bucket"
 }
 
 variable "s3_transform_bucket_name" {
-    type = string
-    default = "transform-bucket"
+  type    = string
+  default = "transform-bucket"
 }
 
 variable "s3_code_bucket_name" {
-    type = string
-    default = "lambda-bucket"
+  type    = string
+  default = "lambda-bucket"
 }
 
 variable "extract_lambda_name" {
-    type = string
-    default = "extract-lambda"
+  type    = string
+  default = "extract-lambda"
 }
 
 variable "transform_lambda_name" {
+  type    = string
+  default = "transform-lambda"
+}
+
+variable "load_lambda_name" {
+  type    = string
+  default = "load-lambda"
+}
+
+variable "project_name" {
     type = string
-    default = "transform-lambda" 
+    default = "Terrific-Totes"
 }
 
 data "aws_caller_identity" "current" {}
 
-data "aws_region" "current" {}
-\ No newline at end of file
+data "aws_region" "current" {}
diff --git a/test/test_secrets_manager.py b/test/test_secrets_manager.py
new file mode 100644
index 0000000..86533bc
--- /dev/null
+++ b/test/test_secrets_manager.py
@@ -0,0 +1,34 @@
+from src.secrets_manager import sm_client, create_secret, list_secret
+import boto3
+from moto import mock_aws
+import json
+import pytest 
+import os
+
+pytest.fixture(scope='class')
+def mock_aws_credentials():
+    """Mocked AWS Credentials for moto."""
+    os.environ["AWS_ACCESS_KEY_ID"] = "testing"
+    os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
+    os.environ["AWS_SECURITY_TOKEN"] = "testing"
+    os.environ["AWS_SESSION_TOKEN"] = "testing"
+    os.environ["AWS_DEFAULT_REGION"] = "eu-west-2"
+
+@pytest.fixture(scope='class')
+def mock_sm_client(mock_aws_credentials):
+    with mock_aws():
+        yield boto3.client('secretsmanager')
+
+
+def test_create_secret_stores_secrets(mock_sm_client):
+    cohort_id = "test_cohort_id"
+    user = "test_user_id"
+    password = "test_password"
+    host = "test_host"
+    database = "test_database"
+    port = "test_port"
+
+    secret_name = "test_secret"
+    response = create_secret(mock_sm_client, secret_name, cohort_id, user, password, host, database, port)
+    
+    assert response['Name'] == secret_name
+\ No newline at end of file
author	lian-manonog <160282780+lian-manonog@users.noreply.github.com>	2024-08-15 13:58:46 +0100
committer	GitHub <noreply@github.com>	2024-08-15 13:58:46 +0100
commit	2309062a8099c04bedd7f88638abf03ebf5f5171 (patch)
tree	1bdebb2046a9b1356faa2fe902d9187601ecb3f7
parent	848a86b7f3b9c5ce16cd774d19e3fa62ca8ffc68 (diff)
parent	a009ffe72a2005e72e67345f728539e500b899f5 (diff)
download	de-project-bentley-2309062a8099c04bedd7f88638abf03ebf5f5171.tar.gz de-project-bentley-2309062a8099c04bedd7f88638abf03ebf5f5171.zip