From ed9ab4bcf06c8cebef691ff6cdb2cb5ea812c0e5 Mon Sep 17 00:00:00 2001
From: Yevhen Ivantsov <yivantsov@atlassian.com>
Date: Thu, 20 Jul 2023 14:03:00 +1000
Subject: [PATCH] Generate secretsmanager properties in confluence.cfg.xml

---
 group_vars/aws_node_local.yml                           | 3 +++
 roles/confluence_config/templates/confluence.cfg.xml.j2 | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/group_vars/aws_node_local.yml b/group_vars/aws_node_local.yml
index fca7c2b..6f85bbd 100644
--- a/group_vars/aws_node_local.yml
+++ b/group_vars/aws_node_local.yml
@@ -118,6 +118,9 @@ atl_jdbc_query_params_for_engine:
   aurora_postgres: "?targetServerType=master"
 atl_jdbc_url: "jdbc:postgresql://{{ atl_db_host }}:{{ atl_db_port }}/{{ atl_jdbc_db_name }}{{ atl_jdbc_query_params_for_engine[atl_db_engine] | default('') }}"
 
+atl_secretsmanager_aws_region: "{{ lookup('env', 'ATL_SECRETSMANAGER_AWS_REGION') }}"
+atl_secretsmanager_aws_secret_id: "{{ lookup('env', 'ATL_SECRETSMANAGER_AWS_SECRET_ID') }}"
+
 atl_jvm_heap: "{{ lookup('env', 'ATL_JVM_HEAP') or '2048m' }}"
 atl_jvm_opts: "{{ lookup('env', 'ATL_JVM_OPTS') or '' }}"
 atl_catalina_opts: "{{ lookup('env', 'ATL_CATALINA_OPTS') or '' }}"
diff --git a/roles/confluence_config/templates/confluence.cfg.xml.j2 b/roles/confluence_config/templates/confluence.cfg.xml.j2
index 86c0865..fec620d 100644
--- a/roles/confluence_config/templates/confluence.cfg.xml.j2
+++ b/roles/confluence_config/templates/confluence.cfg.xml.j2
@@ -17,7 +17,13 @@
     <property name="hibernate.connection.driver_class">{{ atl_db_driver }}</property>
     <property name="hibernate.connection.url">{{ atl_jdbc_url }}</property>
     <property name="hibernate.connection.username">{{ atl_jdbc_user }}</property>
+
+    {% if atl_product_version.split(".")[:2] | join(".") is version('8.6', '>=') and atl_secretsmanager_aws_region is defined and atl_secretsmanager_aws_region != "" and atl_secretsmanager_aws_secret_id is defined and atl_secretsmanager_aws_secret_id != "" -%}
+    <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.aws.AwsSecretsManagerStore</property>
+    <property name="hibernate.connection.password">{"region": "{{ atl_secretsmanager_aws_region }}", "secretId": "{{ atl_secretsmanager_aws_secret_id }}"}</property>
+    {% else -%}
     <property name="hibernate.connection.password">{{ atl_jdbc_password | replace("&", "&amp;") }}</property>
+    {% endif -%}
 
     {# Confluence versions 7.13 and newer #}
     {% if (atl_product_version.split(".")[0] | int() == 7 and atl_product_version.split(".")[1] | int() <= 13) or atl_product_version.split(".")[0] | int() < 7 %}