feat: cron schedule for secret rotation

.github/workflows/kubectl.yml

@@ -1,6 +1,9 @@
 name: Deploy coder
 on:
   workflow_dispatch:
+  schedule:
+  - cron: "0 0 * * *"
+
 
 env:
   PROJECT_ENV: digital-defiance-cloud-infrastructure-prod
@@ -16,8 +19,7 @@ jobs:
     outputs:
       label: ${{ steps.start-ec2-runner.outputs.label }}
       ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
-      db_username: ${{ steps.get-aws-info.outputs.db_master_username }}
-      db_endpoint: ${{ steps.get-aws-info.outputs.db_instance_endpoint }}
+      DB_URL: ${{ steps.get-aws-info.outputs.DB_URL }}
 
     steps:
 
@@ -32,19 +34,10 @@ jobs:
       shell: bash
       env: 
         OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-        AWS_SECRET_ACCESS_KEY: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_SECRET_ACCESS_KEY"
-        AWS_ACCESS_KEY_ID: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_ACCESS_KEY_ID"
         TF_TOKEN_app_terraform_io: "op://${{ env.PROJECT_ENV }}/terraform_credentials/TF_TOKEN_app_terraform_io"
-      run: |
-        op run -- terraform init
-        op run -- terraform apply -auto-approve
-        TERRAFORM_OUTPUT=$(op run -- terraform output -json)
-        echo "AMI=$( echo "$TERRAFORM_OUTPUT" | jq .ami.value | tr -d '"' )" >> $GITHUB_ENV
-        echo "SECURITY_GROUP_ID=$( echo "$TERRAFORM_OUTPUT" | jq .security_group_id.value | tr -d '"' )" >> $GITHUB_ENV
-        echo "SUBNET_ID=$(echo "$TERRAFORM_OUTPUT" | jq .subnet_ids.value.ids[0] | tr -d '"' )" >> $GITHUB_ENV
-        echo "db_master_username=$( echo "$TERRAFORM_OUTPUT" | jq .db_instance_master_username.value | tr -d '"' )" >> $GITHUB_OUTPUT
-        echo "db_instance_endpoint=$( echo "$TERRAFORM_OUTPUT" | jq .db_instance_endpoint.value | tr -d '"' )" >> $GITHUB_OUTPUT
-    
+        SECRET_ARN: ${{ secrets.SECRET_ARN }}
+      run: make actions_kubectl_get_info
+
     -
       name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
@@ -92,7 +85,7 @@ jobs:
         shell: bash
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          DB_URL: postgresql://${{ needs.start-runner.outputs.db_username }}:${{ secrets.db_password }}@${{ needs.start-runner.outputs.db_endpoint }}/postgres
+          DB_URL: ${{ needs.start-runner.outputs.DB_URL }}
           AWS_SECRET_ACCESS_KEY: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_SECRET_ACCESS_KEY"
           AWS_ACCESS_KEY_ID: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_ACCESS_KEY_ID"
         run: make kubectl_deploy

coder-deployment/terraform_info/aws_info.tf

@@ -78,6 +78,23 @@ data "aws_db_instance" "selected" {
   }
 }
 
+variable "secret_arn" {
+  type = string
+}
+
+data "aws_secretsmanager_secret" "secrets" {
+  arn = var.secret_arn
+}
+
+data "aws_secretsmanager_secret_version" "current" {
+  secret_id = data.aws_secretsmanager_secret.secrets.id
+}
+
+output "db_instance_password" {
+  value     = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"]
+  sensitive = true
+}
+
 output "db_instance_master_username" {
   value = data.aws_db_instance.selected.master_username
 }

makefile

@@ -54,3 +54,32 @@ kubectl_deploy:
 	make kubectl_updatesecret
 	make kubectl_restartdeployment
 
+
+actions_kubectl_get_info:
+	# fetch information from aws 
+	cd coder-deployment/terraform_info
+	op run -- terraform init
+	op run -- terraform apply -auto-approve -var="secret_arn=$$SECRET_ARN"
+	TERRAFORM_OUTPUT=$$( op run -- terraform output -json )
+
+	# parse information 
+	extract_out() {
+		echo "$$TERRAFORM_OUTPUT" | jq ".$$1.value" | tr -d '"'
+	}
+	DB_MASTER_USERNAME=$$(extract_out db_instance_master_username) 
+	DB_INSTANCE_ENDPOINT=$$(extract_out db_instance_endpoint) 
+	DB_PASSWORD=$$( extract_out db_instance_password) 
+	DB_PASSWORD_URLENCODED=$$(jq -rn --arg x "$$DB_PASSWORD" '$$x|@uri')
+	DB_URL="postgresql://$$DB_MASTER_USERNAME:$$DB_PASSWORD_URLENCODED@$$DB_INSTANCE_ENDPOINT/postgres"
+
+	# save information to env
+	cat << EOF >> $$GITHUB_ENV
+	AMI=$$(extract_out ami)
+	SECURITY_GROUP_ID=$$(extract_out security_group_id)
+	SUBNET_ID=$$(extract_out subnet_ids)
+	EOF
+
+	# save information to output
+	cat << EOF >> $$GITHUB_OUTPUT
+	DB_URL=$$DB_URL
+	EOF