feat: Create app-credentials for DB

2026-04-17 03:21:51 -05:00 · 2025-08-15 11:33:32 +02:00
parent dceda3f6f2
commit 4c9b936f4b
4 changed files with 29 additions and 4 deletions
--- a/infra/flake.nix
+++ b/infra/flake.nix
@@ -16,12 +16,28 @@
          inherit system;
          config.allowUnfree = true;
        };
+        helm-with-plugins = (
+          pkgs.wrapHelm pkgs.kubernetes-helm {
+            plugins = with pkgs.kubernetes-helmPlugins; [
+              helm-secrets
+              helm-diff
+              helm-s3
+              helm-git
+            ];
+          }
+        );
+        helmfile-with-plugins = pkgs.helmfile-wrapped.override {
+          inherit (helm-with-plugins) pluginsDir;
+        };
      in
      with pkgs;
      {
        devShells.default = mkShell {
          buildInputs = [
            awscli
+            kubectl
+            helm-with-plugins
+            helmfile-with-plugins
            terraform
          ];
        };
--- a/infra/formbricks-cloud-helm/values-staging.yaml.gotmpl
+++ b/infra/formbricks-cloud-helm/values-staging.yaml.gotmpl
@@ -70,6 +70,9 @@ deployment:
    app-env:
      nameSuffix: app-env
      type: secret
+    db-secrets:
+      nameSuffix: db-secrets
+      type: secret
  nodeSelector:
    karpenter.sh/capacity-type: spot
  reloadOnChange: true
@@ -103,6 +106,9 @@ externalSecret:
    app-secrets:
      dataFrom:
        key: stage/formbricks/secrets
+    db-secrets:
+      dataFrom:
+        key: stage/formbricks/terraform/rds/credentials
  refreshInterval: 1m
  secretStore:
    kind: ClusterSecretStore
--- a/infra/terraform/db_users/locals.tf
+++ b/infra/terraform/db_users/locals.tf
@@ -1,7 +1,7 @@
 locals {
  env_roles = {
-    staging    = { dev_users = "ro", ops_users = "rw", admin_users = "admin" }
-    production = { dev_users = "ro", ops_users = "ro", admin_users = "admin" }
+    staging    = { dev_users = "ro", ops_users = "rw", sa_rw_users = "rw", sa_ro_users = "ro", admin_users = "admin" }
+    production = { dev_users = "ro", ops_users = "ro", sa_rw_users = "rw", sa_ro_users = "ro", admin_users = "admin" }
  }

  # List of application user identities
@@ -16,6 +16,9 @@ locals {
      "johannes",
      "matti",
    ]
+    sa_rw_users = [
+      "formbricks-app",
+    ]
  }

  # Flatten users across all teams, creating a map of username => role
--- a/infra/terraform/db_users/secrets.tf
+++ b/infra/terraform/db_users/secrets.tf
@@ -22,7 +22,7 @@ resource "aws_secretsmanager_secret_version" "db_user_secrets" {
    username = each.key
    password = random_password.db_user_secrets[each.key].result
    dbname   = local.rds_database_name
-    port     = "${data.terraform_remote_state.main.outputs.rds["stage"].cluster_port}"
+    port     = data.terraform_remote_state.main.outputs.rds["stage"].cluster_port
  })
 }

@@ -45,7 +45,7 @@ resource "aws_secretsmanager_secret_policy" "db_user_secrets" {

          },
          ArnNotEquals = {
-            "aws:PrincipalArn" = "${module.lambda_rotate_db_secret.lambda_function_arn}"
+            "aws:PrincipalArn" = module.lambda_rotate_db_secret.lambda_function_arn
          }
        }
      }