feat: add jwt secret for component-component auth

Author: ividito

infrastructure/ecs_services/iam.tf

@@ -112,6 +112,7 @@ resource "aws_iam_policy" "secret_manager_read_secret" {
         Effect = "Allow"
         Resource = [
           var.fernet_key_ssm_arn,
+          var.jwt_secret_ssm_arn,
           var.sql_alchemy_conn_ssm_arn,
           var.celery_result_backend_ssm_arn
         ]

infrastructure/ecs_services/variables.tf

@@ -36,6 +36,9 @@ variable "airflow_task_common_environment" {
 # Allow ECS services to read secrets from AWS Secret Manager.
 variable "fernet_key_ssm_arn" {
 
+}
+
+variable "jwt_secret_ssm_arn" {
 }
 variable "sql_alchemy_conn_ssm_arn" {
 }

infrastructure/locals.tf

@@ -42,6 +42,10 @@ locals {
       name  = "AIRFLOW__CORE__FERNET_KEY_SECRET"
       value = substr(module.secrets.fernet_key_name, length(var.prefix) + 16, -1)
     },
+    {
+      name  = "AIRFLOW__API_AUTH__JWT_SECRET_SECRET"
+      value = substr(module.secrets.jwt_secret_name, length(var.prefix) + 16, -1)
+    },
     {
       name  = "AIRFLOW__CELERY__RESULT_BACKEND_SECRET"
       value = substr(module.secrets.celery_result_backend_name, length(var.prefix) + 16, -1)

infrastructure/main.tf

@@ -39,6 +39,7 @@ module "secrets" {
   db_port                = var.airflow_db.port
   db_username            = var.airflow_db.username
   fernet_key             = var.fernet_key
+  jwt_secret             = var.jwt_secret
   prefix                 = var.prefix
   airflow_admin_username = var.airflow_admin_username
   airflow_admin_password = var.airflow_admin_password
@@ -79,6 +80,7 @@ module "ecs_services" {
   airflow_bucket_arn               = data.aws_s3_bucket.airflow_bucket.arn
   celery_result_backend_ssm_arn    = module.secrets.celery_result_backend_arn
   fernet_key_ssm_arn               = module.secrets.fernet_key_arn
+  jwt_secret_ssm_arn               = module.secrets.jwt_secret_arn
   permission_boundaries_arn        = var.permission_boundaries_arn
   sql_alchemy_conn_ssm_arn         = module.secrets.sql_alchemy_conn_arn
   sqs_arns_list                    = concat(var.sqs_arns_list, [module.sqs_queue.celery_broker_arn])

infrastructure/secrets/main.tf

@@ -8,6 +8,15 @@ resource "aws_secretsmanager_secret_version" "fernet_key" {
   secret_string = var.fernet_key
 }
 
+resource "aws_secretsmanager_secret" "jwt_secret" {
+  name_prefix = "${var.prefix}/airflow/config/jwt_secret/"
+}
+
+resource "aws_secretsmanager_secret_version" "jwt_secret" {
+  secret_id     = aws_secretsmanager_secret.jwt_secret.id
+  secret_string = var.jwt_secret
+}
+
 # Store core.sql_alchemy_conn setting for consumption by airflow SecretsManagerBackend.
 # The config options must follow the config prefix naming convention defined within the secrets backend.
 # This means that sql_alchemy_conn is not defined with a connection prefix, but with "config" prefix.

infrastructure/secrets/outputs.tf

@@ -25,6 +25,14 @@ output "sql_alchemy_conn_arn" {
 output "fernet_key_arn" {
   value = aws_secretsmanager_secret.fernet_key.arn
 }
+
+output "jwt_secret_name" {
+  value = aws_secretsmanager_secret.jwt_secret.name
+}
+
+output "jwt_secret_arn" {
+  value = aws_secretsmanager_secret.jwt_secret.arn
+}
 output "airflow_secrets" {
   value = aws_secretsmanager_secret.airflow_secrets.name
 }

infrastructure/secrets/variables.tf

@@ -18,6 +18,10 @@ variable "prefix" {
 
 variable "fernet_key" {
 }
+
+variable "jwt_secret" {
+  sensitive = true
+}
 variable "airflow_admin_username" {
 
 }

infrastructure/variables.tf

@@ -51,6 +51,12 @@ variable "airflow_db" {
 variable "fernet_key" {
 }
 
+variable "jwt_secret" {
+  description = "Symmetric secret for signing Airflow 3 component JWTs (api_auth.jwt_secret). Required for multi-worker api-server. Generate with `openssl rand -hex 32`."
+  type        = string
+  sensitive   = true
+}
+
 variable "permission_boundaries_arn" {
   default = "null"
 }