From a6aea7a47b70e8f9819189cecef8cae19b1f877e Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 27 Feb 2025 12:06:26 -0500 Subject: [PATCH 1/2] add oracle password rotation --- .../oracle-secret-rotation/README.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 aws/proposals/oracle-secret-rotation/README.md diff --git a/aws/proposals/oracle-secret-rotation/README.md b/aws/proposals/oracle-secret-rotation/README.md new file mode 100644 index 00000000..b1028387 --- /dev/null +++ b/aws/proposals/oracle-secret-rotation/README.md @@ -0,0 +1,29 @@ +# Oracle Password Secret Rotation + +Format: + +```script +/db/{rds-instance-name}/{database-name}/{username} +``` + +Tags: + +* rds_username = JBID +* rds_fqdn = DNS name of RDS instance + +Rotation: + +* per-user (meaning an original passsword needs to be provided or an admin sets it on creation of the secret) +* daily at say 10pm M-F + +Permission: + +Grant access to the secret by username from SSO, plus and admins (inf-terraform, inf-admin-t*) + +Script: + +Create script (python, powershell) to pull secret with AWS CLI or SDK: + + get-oracle-password --rds-instance NAME --database NAME --username NAME + +outputs password From a2e91a96bd6c5bf3db468a8976bca69a7ceee72e Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 27 Feb 2025 12:09:19 -0500 Subject: [PATCH 2/2] update --- aws/proposals/oracle-secret-rotation/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/aws/proposals/oracle-secret-rotation/README.md b/aws/proposals/oracle-secret-rotation/README.md index b1028387..55e402ca 100644 --- a/aws/proposals/oracle-secret-rotation/README.md +++ b/aws/proposals/oracle-secret-rotation/README.md 
@@ -27,3 +27,11 @@ Create script (python, powershell) to pull secret with AWS CLI or SDK: get-oracle-password --rds-instance NAME --database NAME --username NAME outputs password + +## Deployment + +* use SAM (TF resource) once per region for the Lambda stuff + * prefix of ent-oracle-user-secret-rotation (maybe) +* create module to create the secret (using the form above) and inputs of all the other things + * perhaps with the starter password too? or generate it and have an admin add it? +
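Review bot: In the first hunk (the new README), the Permission line "Grant access to the secret by username from SSO, plus and admins (inf-terraform, inf-admin-t*)" says who gets access but not how the SSO username is matched to a secret; since each secret carries an `rds_username` tag, state the mechanism (an IAM condition comparing the caller's SSO username to the secret's `rds_username` tag, or a per-secret resource policy) and fix "plus and admins" to "plus admins". Two more gaps in the same hunk are worth closing before this is treated as a design: the Tags line sets `rds_username = JBID` while the name format uses `{username}`, so say whether JBID is that username; and the Rotation line says an original password must be provided (typo: "passsword") but not how the rotation function reaches the RDS instance or what happens when the supplied password is already wrong, which is the usual failure mode of a per-user rotation. For the Script section, "outputs password" should add that `get-oracle-password` writes the value only to stdout and that callers must not echo it into logs or shell history.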
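Review bot: In the Deployment hunk, the open question "perhaps with the starter password too? or generate it and have an admin add it?" should be settled toward the second option: a starter password passed as a module input is stored in the Terraform state and appears in plan output, so have the module create the secret with a generated placeholder and let an admin set the real value out of band, which is also the "admin sets it on creation of the secret" path the Rotation section already allows. Also replace "the Lambda stuff" with the rotation Lambda and its execution role, and fix the name prefix rather than leaving "ent-oracle-user-secret-rotation (maybe)", since the once-per-region SAM deployment and the admin grants in the Permission section both depend on that name.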