feat(secret): Add examples for secret manager

aws · Sep 9, 2021 · 5ba834b · 5ba834b
1 parent 6e9a95c
commit 5ba834b
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 6 deletions.
diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/python/README.md b/examples/deadline/All-In-AWS-Infrastructure-Basic/python/README.md
@@ -123,12 +123,28 @@ These instructions assume that your working directory is `examples/deadline/All-
     ```python
     self.alarm_email_address: Optional[str] = 'username@yourdomain.com'
     ```
-15. Deploy all the stacks in the sample app:
+15. By default Secret Management is enabled but it can be disabled by chnging `enable_secret_management` variable in `package/config.py`
+16. When you are using Secret Management you can defined own admin credentials by creating secret in SecretManager in format:
+
+    ```json
+        {
+            "username": <admin user name>,
+            "password": <admin user password>,
+        }
+    ```
+    and change the value of the `secret_management_secret_arn` variable in `package/config.py` to this secret's ARN:
+
+    ```python
+    self.ubl_certificate_secret_arn: str = '<your secret arn>'
+    ```
+    It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.
+
+17. Deploy all the stacks in the sample app:
 
     ```bash
     cdk deploy "*"
     ```
-16. Once you are finished with the sample app, you can tear it down by running:
+18. Once you are finished with the sample app, you can tear it down by running:
 
     ```bash
     cdk destroy "*"

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/app.py b/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/app.py
@@ -110,7 +110,9 @@ def main():
         root_ca=security.root_ca,
         dns_zone=network.dns_zone,
         deadline_version=config.deadline_version,
-        accept_aws_thinkbox_eula=config.accept_aws_thinkbox_eula
+        accept_aws_thinkbox_eula=config.accept_aws_thinkbox_eula,
+        enable_secret_management=config.enable_secret_management,
+        secret_management_secret_arn=config.secret_management_secret_arn
     )
     service = service_tier.ServiceTier(app, 'ServiceTier', props=service_props, env=env)
 

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/config.py b/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/config.py
@@ -59,6 +59,14 @@ def __init__(self):
         # If false, then we use Amazon DocumentDB to back the render farm.
         self.deploy_mongo_db: bool = False
 
+        # Whether to enable secret management.
+        self.enable_secret_management: bool = True
+
+        # A secret in SecretsManager that stores the admin credentials for secret management.
+        # If not defined and secret management is enabled the secret with admin credentials will be generated.
+        self.secret_management_secret_arn: str =\
+            ''
+
         # This is only relevant if deploy_mongo_db is True.
         #
         # Change this value to MongoDbSsplLicenseAcceptance.USER_ACCEPTS_SSPL

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/lib/service_tier.py b/examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/lib/service_tier.py
@@ -72,6 +72,10 @@ class ServiceTierProps(StackProps):
     deadline_version: str
     # Whether the AWS Thinkbox End-User License Agreement is accepted or not
     accept_aws_thinkbox_eula: AwsThinkboxEulaAcceptance
+    # Whether to enable secret management.
+    enable_secret_management: bool
+    # The ARN of the secret containing the admin credentials for secret management.
+    secret_management_secret_arn: typing.Optional[str]
 
 
 class ServiceTier(Stack):
@@ -122,6 +126,18 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
             version=props.deadline_version
         )
 
+        secrets_management_settings = None
+        if props.enable_secret_management:
+          if props.secret_management_secret_arn:
+            secrets_management_settings = {
+              "enabled": True,
+              "credentials": Secret.from_secret_arn(self, 'SMAdminUser', props.secret_management_secret_arn)
+            }
+        else:
+          secrets_management_settings = {
+            "enabled": False
+          }
+
         repository = Repository(
             self,
             'Repository',
@@ -130,7 +146,8 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
             file_system=props.mountable_file_system,
             repository_installation_timeout=Duration.minutes(20),
             repository_installation_prefix='/',
-            version=self.version
+            version=self.version,
+            secrets_management_settings=secrets_management_settings
         )
 
         images = ThinkboxDockerImages(

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/README.md b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/README.md
@@ -119,6 +119,27 @@ These instructions assume that your working directory is `examples/deadline/All-
     ```ts
     public readonly alarmEmailAddress?: string = 'username@yourdomain.com';
     ```
+
+15. By default Secret Management is enabled but it can be disabled by chnging `enableSecretManagement` variable in `bin/config.ts`
+
+    ```ts
+    public readonly enableSecretManagement?: boolean = false;
+    ```
+16. When you are using Secret Management you can defined own admin credentials by creating secret in SecretManager in format:
+
+    ```json
+        {
+            "username": <admin user name>,
+            "password": <admin user password>,
+        }
+    ```
+    and change the value of the `secretManagementSecretArn` variable in `package/config.py` to this secret's ARN:
+
+    ```ts
+    public readonly secretManagementSecretArn?: string = '<your-secret-arn>';
+    ```
+    It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.
+
 14. Build the `aws-rfdk` package, and then build the sample app. There is some magic in the way yarn workspaces and lerna packages work that will link the built `aws-rfdk` from the base directory as the dependency to be used in the example's directory:
     ```bash
     # Navigate to the root directory of the RFDK repository (assumes you started in the example's directory)

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/app.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/app.ts
@@ -114,6 +114,8 @@ const service = new ServiceTier(app, 'ServiceTier', {
   rootCa: security.rootCa,
   dnsZone: network.dnsZone,
   acceptAwsThinkboxEula: config.acceptAwsThinkboxEula,
+  enableSecretManagement: config.enableSecretManagement,
+  secretManagementSecretArn: config.secretManagementSecretArn
 });
 
 // -------------------- //

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts
@@ -72,6 +72,17 @@ class AppConfig {
    */
   public readonly deployMongoDB: boolean = false;
 
+  /**
+   * Whether to enable secret management.
+   */ 
+  public readonly enableSecretManagement: boolean = true;
+
+  /**
+   * A secret in SecretsManager that stores the admin credentials for secret management.
+   * If not defined and secret management is enabled the secret with admin credentials will be generated.
+   */
+  public readonly secretManagementSecretArn?: string;
+
   /**
    * This is only relevant if deployMongoDB = true.
    *

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/service-tier.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/service-tier.ts
@@ -79,14 +79,26 @@ export interface ServiceTierProps extends cdk.StackProps {
 
   /**
    * Version of Deadline to use.
-   * @default The latest available release of Deadline is used
+   * @default - The latest available release of Deadline is used
    */
   readonly deadlineVersion?: string;
 
   /**
    * Whether the AWS Thinkbox End-User License Agreement is accepted or not
    */
   readonly acceptAwsThinkboxEula: AwsThinkboxEulaAcceptance;
+
+  /**
+   * Whether to enable secret management.
+   * @default - The secret management will be enabled
+   */
+   readonly enableSecretManagement?: boolean;
+
+  /**
+   * The ARN of the secret containing the admin credentials for secret management.
+   * @default - If secret management is enabled secret with admin credentials will be generated.
+   */
+   readonly secretManagementSecretArn?: string;
 }
 
 /**
@@ -129,7 +141,8 @@ export class ServiceTier extends cdk.Stack {
       repositoryInstallationTimeout: cdk.Duration.minutes(20),
       repositoryInstallationPrefix: "/",
       secretsManagementSettings: {
-        enabled: true,
+        enabled: props.enableSecretManagement ?? true,
+        credentials: props.secretManagementSecretArn ? Secret.fromSecretCompleteArn(this, 'SMAdminUser', props.secretManagementSecretArn) : undefined
       },
     });