From 3b73324b7acd8863654687ad6b34eadd54793e58 Mon Sep 17 00:00:00 2001 From: Kevin Tinn Date: Tue, 5 Oct 2021 15:42:40 -0600 Subject: [PATCH] getting rds pwd arn from build job env var --- README.md | 10 ++++++++-- cdk/bin/api.ts | 2 +- cdk/lib/cdk-pipeline-stack.ts | 14 +++++++++----- cdk/lib/rds-stack.ts | 6 +++--- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4fa04a9..5d965df 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,14 @@ export GITHUB_REPO=YOUR_GITHUB_BRANCH *Note:* To deploy application without pipeline locally, change `cdk.json` line 2 from `"app": "npx ts-node --prefer-ts-exts cdk/bin/pipeline.ts",` to `"app": "npx ts-node --prefer-ts-exts cdk/bin/api.ts",` -Deploy pipeline manually one time: `cdk deploy` + `aws iam attach-role-policy --role-name $PIPELINE_ROLE --policy-arn $POLICY_ARN` -`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2` \ No newline at end of file +`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2` +Deploy pipeline manually one time: `cdk deploy` +Cacnel execution of pipeline +Set Env Var `` in CodeBuild step +In source account, add ability to assume cdk roles created by bootstrap command to policy used for cross account access +In source account, add policy to role used to build and deploy that was created when the pipeline was deployed +Create ssm param `rds-password-secret-arn` for arn to secret manager entry with db pwd secret (In account 1) \ No newline at end of file diff --git a/cdk/bin/api.ts b/cdk/bin/api.ts index 6c57f76..de59d1b 100644 --- a/cdk/bin/api.ts +++ b/cdk/bin/api.ts 
@@ -15,7 +15,7 @@ const vpcStack = new VpcStack(app, "VPCStack"); const rdsStack = new RDSStack(app, "RDSStack", { vpc: vpcStack.vpc, securityGroup: vpcStack.ingressSecurityGroup, - rdsPwdSecretArnSsmParameterName: rdsPasswordArnSsmParamName + rdsPwdSecretArn: process.env.RDS_PWD_ARN || "" }); // Serverless Lambda/API Gateway Graphql API diff --git a/cdk/lib/cdk-pipeline-stack.ts b/cdk/lib/cdk-pipeline-stack.ts index 48e913b..a2b117b 100644 --- a/cdk/lib/cdk-pipeline-stack.ts +++ b/cdk/lib/cdk-pipeline-stack.ts @@ -7,7 +7,7 @@ import { RDSStack } from "./rds-stack"; // Define deployable unit of our app in a stage; consider putting this in seperate file interface AppStageProps extends StageProps { - rdsPasswordSecretArnSsmParamName: string; + rdsPasswordSecretArn: string; } class AppStage extends Stage { @@ -22,7 +22,7 @@ class AppStage extends Stage { this.rdsStack = new RDSStack(this, "RDSStack", { vpc: vpcStack.vpc, securityGroup: vpcStack.ingressSecurityGroup, - rdsPwdSecretArnSsmParameterName: props?.rdsPasswordSecretArnSsmParamName || "" + rdsPwdSecretArn: props?.rdsPasswordSecretArn || "" }); this.apiStack = new GraphqlApiStack(this, "APIStack", { @@ -51,8 +51,10 @@ export class CdkPipelineStack extends Stack { const githubOrg = process.env.GITHUB_ORG || "kevasync"; const githubRepo = process.env.GITHUB_REPO || "awsmug-serverless-graphql-api"; const githubBranch = process.env.GITHUB_REPO || "master"; + const crossAccountId = process.env.SECONDARY_ACCOUNT_ID || ""; + const rdsPasswordArn = process.env.RDS_PWD_ARN || ""; // const crossAccountRole = process.env.CROSS_ACCOUNT_PIPELINE_ROLE || "OrganizationAccountAccessRole"; - const crossAccountId = process.env.SECONDARY_ACCOUNT_ID; + const pipeline = new CodePipeline(this, "Pipeline", { crossAccountKeys: true, 
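Review bot: The `|| ""` fallback in `rdsPwdSecretArn: process.env.RDS_PWD_ARN || ""` lets synthesis continue with an empty secret ARN when the build job does not set the variable, so the mistake would surface only later, presumably at deploy time. The same fallback appears in the AppStage hunk (`props?.rdsPasswordSecretArn || ""`) and in the CdkPipelineStack constructor hunk, for both `RDS_PWD_ARN` and `SECONDARY_ACCOUNT_ID`. I would fail at synth time instead, for example `const rdsPwdArn = process.env.RDS_PWD_ARN;` followed by `if (!rdsPwdArn) throw new Error("RDS_PWD_ARN must be set");`, and pass the checked value down. The README step added in this commit leaves the variable name blank (the empty backticks after "Set Env Var"), which makes the unset case more likely.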
@@ -83,16 +85,18 @@ export class CdkPipelineStack extends Stack { // resources: [`arn:aws:iam::${crossAccountRole}:role/${crossAccountRole}`] // })); + + const devStage = new AppStage(this, "dev", { env: { account: Aws.ACCOUNT_ID, region: Aws.REGION }, - rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn" + rdsPasswordSecretArn: rdsPasswordArn }); const devWave = pipeline.addWave("devWave"); devWave.addStage(devStage); const prdStage = new AppStage(this, "prd", { env: { account: crossAccountId, region: "us-west-2" }, - rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn" + rdsPasswordSecretArn: rdsPasswordArn }); const prdWave = pipeline.addWave("prdWave"); prdWave.addStage(prdStage); diff --git a/cdk/lib/rds-stack.ts b/cdk/lib/rds-stack.ts index cd25629..02ec6c2 100644 --- a/cdk/lib/rds-stack.ts +++ b/cdk/lib/rds-stack.ts @@ -14,7 +14,7 @@ import { SecurityGroup, SubnetType, Vpc } from "@aws-cdk/aws-ec2"; export interface RDSStackProps extends StackProps { vpc: Vpc; securityGroup: SecurityGroup; - rdsPwdSecretArnSsmParameterName: string; + rdsPwdSecretArn: string; } export class RDSStack extends Stack { @@ -31,9 +31,9 @@ export class RDSStack extends Stack { constructor(scope: Construct, id: string, props: RDSStackProps) { super(scope, id, props); - const secretArn = StringParameter.valueForStringParameter(this, props.rdsPwdSecretArnSsmParameterName); + this.rdsPassword = Secret.fromSecretAttributes(this, "rdsPassword", { - secretArn: secretArn + secretArn: props.rdsPwdSecretArn }); this.postgresRDSInstance = new DatabaseInstance(
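Review bot: `devStage` and `prdStage` both receive the same `rdsPasswordArn`, although `prdStage` targets `crossAccountId` and `devStage` targets the pipeline's own account. A Secrets Manager ARN names one account and region, so either production reads a secret that lives in another account, which needs a resource policy on the secret and a customer-managed KMS key, or the two environments share one database password. I would read a separate value per stage, e.g. `rdsPasswordSecretArn: prdRdsPasswordArn` sourced from its own environment variable (the name here is only a suggestion), and add a comment stating which account owns each secret. The constructor body starts and ends outside this hunk.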
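Review bot: `secretArn: props.rdsPwdSecretArn` now takes an operator-supplied string, and the `secretArn` attribute does not say whether the ARN carries the random suffix that Secrets Manager appends. As far as I know, the CDK deprecates it in favour of `secretCompleteArn` / `secretPartialArn`, because IAM grants are built differently for each. Assuming the environment variable holds the full ARN, `secretCompleteArn: props.rdsPwdSecretArn` would be the better fit; confirm against the CDK version pinned in this project. The removed `StringParameter.valueForStringParameter` call may have been the only use of that import, which is outside the hunk, so drop the import if it is now unused. The constructor continues past the end of the hunk.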