Merge pull request #3 from Flaconi/plt-0-add-license-key-secret

PLT-9 - Add License Key Secret to allow usage of lambda extension for…
Flaconi · Dec 18, 2020 · 0b9b167 · 0b9b167
2 parents 50f4ad8 + 94ed263
commit 0b9b167
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -47,6 +47,16 @@ resource "aws_cloudformation_stack" "newrelic_log_ingestion" {
   }
 }
 
+resource "aws_cloudformation_stack" "newrelic_license_key_secret" {
+  name          = "NewRelicLicenseKeySecret"
+  template_body = file("${path.module}/nr-license-key-secret.yaml")
+  capabilities  = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    Region     = var.region
+    LicenseKey = "${data.aws_ssm_parameter.newrelic_license_key.value}"
+  }
+}
+
 output "newrelic_log_ingestion_lambda_arn" {
   value = lookup(aws_cloudformation_stack.newrelic_log_ingestion.outputs, "LambdaArn")
 }

diff --git a/nr-license-key-secret.yaml b/nr-license-key-secret.yaml
@@ -0,0 +1,56 @@
+AWSTemplateFormatVersion: 2010-09-09
+Parameters:
+  LicenseKey:
+    Type: String
+    Description: The New Relic account license key
+    AllowedPattern: '(?:eu-)?[0-9a-f]+(?:[A-Z]{4})?'
+    NoEcho: true
+  SecretName:
+    Type: String
+    Description: The friendly name for the license key secret
+    Default: NEW_RELIC_LICENSE_KEY
+  PolicyName:
+    Type: String
+    Description: Policy name of the policy to use to allow access to the license key secret.
+    Default: NewRelic-ViewLicenseKey
+  LicenseKeySecretExportName:
+    Type: String
+    Default: NewRelic-LicenseKeySecretARN
+  ViewPolicyExportName:
+    Type: String
+    Default: NewRelic-ViewLicenseKeyPolicyARN
+  Region:
+    Type: String
+
+Resources:
+  LicenseKeySecret:
+    Type: 'AWS::SecretsManager::Secret'
+    Properties:
+      Description: The New Relic license key, for sending telemetry
+      Name: !Sub "${SecretName}"
+      SecretString: !Sub '{ "LicenseKey": "${LicenseKey}" }'
+  ViewNewRelicLicenseKeyPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      ManagedPolicyName: !Sub
+        - ${PolicyName}-${Region}
+        - { PolicyName: !Ref PolicyName, Region: !Ref Region }
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - 'secretsmanager:GetSecretValue'
+            Resource: !Ref LicenseKeySecret
+
+Outputs:
+  LicenseKeySecretARN:
+    Description: The ARN of the LicenseKey Secret
+    Value: !Ref LicenseKeySecret
+    Export:
+      Name: !Sub "${AWS::StackName}-${LicenseKeySecretExportName}"
+  ViewPolicyARN:
+    Description: The ARN of the LicenseKey Secret's view policy
+    Value: !Ref ViewNewRelicLicenseKeyPolicy
+    Export:
+      Name: !Sub "${AWS::StackName}-${ViewPolicyExportName}"
diff --git a/variables.tf b/variables.tf
@@ -5,3 +5,7 @@ variable "newrelic_license_key_path" {
 variable "newrelic_account_number" {
   default = ""
 }
+
+variable "region" {
+  default = "eu-central-1"
+}