Merge branch 'master' into decommission

terraform · Feb 27, 2025 · 0ca1c14 · 0ca1c14
2 parents 390d44b + 99d6b4b
commit 0ca1c14
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/aws/proposals/oracle-secret-rotation/README.md b/aws/proposals/oracle-secret-rotation/README.md
@@ -0,0 +1,37 @@
+# Oracle Password Secret Rotation
+
+Format:
+
+```script
+/db/{rds-instance-name}/{database-name}/{username}
+```
+
+Tags:
+
+* rds_username = JBID
+* rds_fqdn = DNS name of RDS instance
+
+Rotation:
+
+* per-user (meaning an original passsword needs to be provided or an admin sets it on creation of the secret)
+* daily at say 10pm M-F
+
+Permission:
+
+Grant access to the secret by username from SSO, plus and admins (inf-terraform, inf-admin-t*)
+
+Script:
+
+Create script (python, powershell) to pull secret with AWS CLI or SDK:
+
+  get-oracle-password --rds-instance NAME --database NAME --username NAME
+
+outputs password
+
+## Deployment
+
+* use SAM (TF resource) once per region for the Lambda stuff
+  * prefix of ent-oracle-user-secret-rotation (maybe)
+* create module to create the secret (using the form above) and inputs of all the other things
+  * perhaps with the starter password too?  or generate it and have an admin add it?
+