new terraform job to fetch db credentials from secrets manager

2026-06-08 11:17:27 +00:00 · 2026-02-06 13:19:36 +00:00 · 2026-02-06 13:19:36 +00:00 · f66aa25268
commit f66aa25268
parent 04bc8a1407
1 changed files with 34 additions and 1 deletions
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@ -66,6 +66,35 @@ jobs:
        working-directory: infrastructure/terraform/shared
        run: terraform apply -auto-approve tfplan

+  # ============================================================
+  # Fetch DB credentials
+  # ============================================================
+  fetch_db:
+    needs: determine_stage
+    runs-on: ubuntu-latest
+    outputs:
+      db_username: ${{ steps.get_db.outputs.db_username }}
+      db_password: ${{ steps.get_db.outputs.db_password }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.DEV_AWS_REGION }}
+
+      - id: get_db
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \
+            --query SecretString --output text)
+          echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT
+          echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT
+
+
  # ============================================================
  # 2️⃣ Build Address 2 UPRN image and Push
  # ============================================================
@ -157,7 +186,7 @@ jobs:
  # Deploy Condition ETL Lambda
  # ============================================================
  condition_etl_lambda:
-    needs: [condition_etl_image, determine_stage]
+    needs: [condition_etl_image, fetch_db, determine_stage]
    uses: ./.github/workflows/_deploy_lambda.yml
    with:
      lambda_name: condition-etl
@ -165,6 +194,10 @@ jobs:
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
+      environment_vars: |
+        DB_USERNAME=${{ needs.fetch_db.outputs.db_username }}
+        DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }}
+        AWS_DEFAULT_REGION=${{ secrets.DEV_AWS_REGION }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}