From ecf3f7997b49cdfa7a6af93b3b56477a89bb538e Mon Sep 17 00:00:00 2001
From: Mike Helmick
Date: Mon, 1 Feb 2021 18:13:05 -0800
Subject: [PATCH 1/3] don't pass redis password when auth disabled
---
 terraform/redis.tf | 2 +-
 terraform/services.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/redis.tf b/terraform/redis.tf
index 4903c294b..e68552b57 100644
--- a/terraform/redis.tf
+++ b/terraform/redis.tf
@@ -56,7 +56,7 @@ resource "google_secret_manager_secret" "redis-auth" {
 resource "google_secret_manager_secret_version" "redis-auth" {
 secret = google_secret_manager_secret.redis-auth.id
- secret_data = google_redis_instance.cache.auth_string
+ secret_data = coalesce(google_redis_instance.cache.auth_string, "unused")
 }
 # Create secret for the HMAC cache keys
diff --git a/terraform/services.tf b/terraform/services.tf
index e58c5912f..d4f990de4 100644
--- a/terraform/services.tf
+++ b/terraform/services.tf
@@ -34,7 +34,7 @@ locals {
 CACHE_HMAC_KEY = "secret://${google_secret_manager_secret_version.cache-hmac-key.id}"
 CACHE_REDIS_HOST = google_redis_instance.cache.host
 CACHE_REDIS_PORT = google_redis_instance.cache.port
- CACHE_REDIS_PASSWORD = "secret://${google_secret_manager_secret_version.redis-auth.id}"
+ CACHE_REDIS_PASSWORD = var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""
 }
 database_config = {
From 46712ad73f563148dd265bd4b376b6680df8f783 Mon Sep 17 00:00:00 2001
From: Mike Helmick
Date: Mon, 1 Feb 2021 18:19:17 -0800
Subject: [PATCH 2/3] add to export as well
---
 terraform/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index ef6812ae8..f7b5adf83 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
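Review bot: The `"unused"` fallback on the new `secret_data` line in redis.tf is selected by whether `auth_string` is empty, while the services.tf hunks in this series decide on `var.redis_enable_auth`, so the two conditions can disagree without any error. If the variable is true but the instance returns no auth string (how the instance's auth setting is wired is not visible here), services would be handed a secret reference that resolves to the literal `unused`. Keying the secret on the same variable would likely turn that case into a plan or apply failure instead of a silently wrong password: `secret_data = var.redis_enable_auth ? google_redis_instance.cache.auth_string : "unused"`. A comment such as `# Placeholder only; never handed to services when redis_enable_auth is false` would also explain why a fixed, guessable string is stored as a secret version.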
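Review bot: The conditional added to `CACHE_REDIS_PASSWORD` in services.tf is written out again for `RATE_LIMIT_REDIS_PASSWORD` in the later services.tf hunk (`@@ -73`) and for both exports in main.tf, and the series needed three commits to reach every copy. Defining it once in `locals`, for example `redis_auth_secret = var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""` (name is a suggestion), and assigning `CACHE_REDIS_PASSWORD = local.redis_auth_secret` keeps the cache and rate-limit clients from drifting apart the next time the auth setting changes. Next to that definition I would add `# Empty when Redis AUTH is disabled; the instance is then protected by network controls only`, since the empty branch means every service connects unauthenticated. The enclosing map starts and ends outside the hunk, so whether an empty value is treated as "no password" by the services cannot be confirmed from here.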
@@ -191,7 +191,7 @@ export FIREBASE_STORAGE_BUCKET="${data.google_firebase_web_app_config.default.st
 export CACHE_TYPE="REDIS"
 export CACHE_REDIS_HOST="${google_redis_instance.cache.host}"
 export CACHE_REDIS_PORT="${google_redis_instance.cache.port}"
-export CACHE_REDIS_PASSWORD="secret://${google_secret_manager_secret_version.redis-auth.id}"
+export CACHE_REDIS_PASSWORD=var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""
 export RATE_LIMIT_TYPE="REDIS"
 export RATE_LIMIT_TOKENS="60"
From 570498275f04965931065b7060fd1687fa89726d Mon Sep 17 00:00:00 2001
From: Mike Helmick
Date: Mon, 1 Feb 2021 18:55:59 -0800
Subject: [PATCH 3/3] and rate limiting...
---
 terraform/main.tf | 2 +-
 terraform/services.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index f7b5adf83..6ef302083 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -198,7 +198,7 @@ export RATE_LIMIT_TOKENS="60"
 export RATE_LIMIT_INTERVAL="1m"
 export RATE_LIMIT_REDIS_HOST="${google_redis_instance.cache.host}"
 export RATE_LIMIT_REDIS_PORT="${google_redis_instance.cache.port}"
-export RATE_LIMIT_REDIS_PASSWORD="secret://${google_secret_manager_secret_version.redis-auth.id}"
+export RATE_LIMIT_REDIS_PASSWORD=var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""
 export CERTIFICATE_SIGNING_KEY="${trimprefix(data.google_kms_crypto_key_version.certificate-signer-version.id, "//cloudkms.googleapis.com/v1/")}"
 export TOKEN_SIGNING_KEY="${trimprefix(data.google_kms_crypto_key_version.token-signer-version.id, "//cloudkms.googleapis.com/v1/")}"
diff --git a/terraform/services.tf b/terraform/services.tf
index d4f990de4..5fbc0f4e3 100644
--- a/terraform/services.tf
+++ b/terraform/services.tf
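Review bot: The new `export CACHE_REDIS_PASSWORD=` line in main.tf places the conditional outside any `${ }`, so if this block is a heredoc or template string, as the neighbouring `"${google_redis_instance.cache.host}"` lines suggest, Terraform will not evaluate it and the output will carry `var.redis_enable_auth ? "secret://…" : ""` as literal text. A shell sourcing that output would set the password to the string `var.redis_enable_auth` and reject the remaining words as invalid export names, whether auth is enabled or not. Wrapping the whole expression fixes it: `export CACHE_REDIS_PASSWORD="${var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""}"`. The `RATE_LIMIT_REDIS_PASSWORD` line in the later main.tf hunk (`@@ -198`) has the same problem and needs the same wrapping. The enclosing string starts and ends outside both hunks.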
@@ -73,7 +73,7 @@ locals {
 RATE_LIMIT_INTERVAL = "1m"
 RATE_LIMIT_REDIS_HOST = google_redis_instance.cache.host
 RATE_LIMIT_REDIS_PORT = google_redis_instance.cache.port
- RATE_LIMIT_REDIS_PASSWORD = "secret://${google_secret_manager_secret_version.redis-auth.id}"
+ RATE_LIMIT_REDIS_PASSWORD = var.redis_enable_auth ? "secret://${google_secret_manager_secret_version.redis-auth.id}" : ""
 }
 signing_config = {