From 3511ad350954d39af237cd5a79ac58ab29346512 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 24 Aug 2024 22:02:01 -0500
Subject: [PATCH] #5 store rds password arn in ssm parameter

---
 ssm_parameter.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 ssm_parameter.tf

diff --git a/ssm_parameter.tf b/ssm_parameter.tf
new file mode 100644
index 0000000..d58ef82
--- /dev/null
+++ b/ssm_parameter.tf
@@ -0,0 +1,28 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "rds_secret_arn" {
+ name = "/${var.name}/rds-password-arn"
+ type = "SecureString"
+ value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
+}
+#Create a policy to read from the specific parameter store
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "ssm_parameter_policy" {
+ name = "${var.name}-ssm-parameter-read-policy"
+ path = "/"
+ description = "Policy to read the RDS Password ARN stored in the SSM Parameter Store."
+ # Terraform's "jsonencode" function converts a
+ # Terraform expression result to valid JSON syntax.
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "ssm:GetParameters",
+ "ssm:GetParameter"
+ ],
+ Resource = [aws_ssm_parameter.rds_secret_arn.arn]
+ }
+ ]
+ })
+}
\ No newline at end of file
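Review bot: The `[0]` index in `value = aws_db_instance.postgresql.master_user_secret[0].secret_arn` only resolves if `aws_db_instance.postgresql` sets `manage_master_user_password = true`; that resource is outside this diff, and if the attribute is absent the list is empty and `terraform plan` fails on the index rather than with a useful message. A comment such as `# requires manage_master_user_password = true on aws_db_instance.postgresql` on that line, or a `lifecycle` `precondition` asserting `length(aws_db_instance.postgresql.master_user_secret) == 1`, would make the dependency explicit. The IAM policy as written lets a principal read the ARN but not the password: whoever consumes this parameter will also need `secretsmanager:GetSecretValue` on that secret ARN (plus `kms:Decrypt` on its key if the secret uses a customer-managed KMS key), and when that grant is added it should be scoped to the single secret ARN rather than a wildcard. Since the parameter value is an ARN and not secret material, `type = "SecureString"` is presumably intentional but deserves a one-line comment so a reader does not assume the password itself is stored in Parameter Store.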