Update Terraform scripts to work with latest Terraform AWS provider and RDS module #1001

Merged
merged 16 commits into from
Apr 1, 2022
Merged
51 changes: 14 additions & 37 deletions docs/awsdocs/policy-rds.md
Expand Up @@ -18,8 +18,7 @@ Policy Name: GigadbRDSAccess
"Sid": "AllowEC2Describe",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:DescribeSubnets"
"ec2:Describe*"
],
"Resource": "*"
},
Expand Down Expand Up @@ -60,7 +59,7 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "CreateRDSInstance",
"Sid": "CreateResourcesforRDSInstances",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
Expand All @@ -80,21 +79,21 @@ Policy Name: GigadbRDSAccess
"ec2:ModifyVpcAttribute",
"ec2:GetManagedPrefixListEntries",
"ec2:AssociateSubnetCidrBlock",
"ec2:GetManagedPrefixListAssociations",
"ec2:CreateNatGateway",
"rds:CreateDBParameterGroup",
"rds:CreateDBSubnetGroup",
"rds:AddTagsToResource",
"ec2:GetManagedPrefixListAssociations",
"ec2:CreateNatGateway"
"rds:ModifyDBParameterGroup",
"ram:GetResourceShareAssociations"
],
"Resource": "*"
},
{
"Sid": "CreateRDSInstancesWithRegionAndInstanceTypeRestriction",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:DownloadCompleteDBLogFile"
"rds:CreateDBInstance"
],
"Resource": "*",
"Condition": {
Expand All @@ -103,29 +102,13 @@ Policy Name: GigadbRDSAccess
"rds:DatabaseClass": "db.t3.micro",
"aws:RequestedRegion": [
"ap-east-1",
"ap-northeast-1"
"ap-northeast-1",
"ap-northeast-2",
"eu-west-3"
]
}
}
},
{
"Sid": "CreateRDSInstancesWithOwnerTagRestriction",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:DownloadCompleteDBLogFile"
],
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"aws:RequestTag/Owner": "${aws:username}"
}
}
},
{
"Sid": "RestoreDBInstanceToPointInTime",
"Effect": "Allow",
Expand Down Expand Up @@ -165,7 +148,7 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "DeleteDBSubnetWithOwnerTagRestriction",
"Sid": "ManageDBSubnetsWithOwnerTagRestriction",
"Action": [
"rds:ModifyDBSubnetGroup",
"rds:DeleteDBSubnetGroup",
Expand Down Expand Up @@ -212,22 +195,16 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "ManageDBParameterGroupWithOwnerTagRestriction",
"Sid": "ManageDBParameterGroupsWithOwnerTagRestriction",
"Action": [
"rds:CreateDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup",
"rds:DeleteDBParameterGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"rds:pg-tag/Owner": "${aws:username}",
"aws:RequestedRegion": [
"ap-east-1",
"ap-northeast-1"
]
"rds:pg-tag/Owner": "${aws:username}"
}
}
},
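Review bot: The parameter-group actions appear to lose their guard rails in this revision: `rds:CreateDBParameterGroup` and `rds:ModifyDBParameterGroup` now sit in the unconditioned `CreateResourcesforRDSInstances` statement (Resource `*`, no Condition), the `ManageDBParameterGroupsWithOwnerTagRestriction` statement drops its `aws:RequestedRegion` list, and the `CreateRDSInstancesWithOwnerTagRestriction` statement is removed entirely. The remaining `rds:pg-tag/Owner` condition only matches tags already present on a group, so creating a parameter group is no longer bound to the caller's Owner tag or to the allowed regions at all. If least privilege is still the goal, keep `rds:CreateDBParameterGroup` in a statement conditioned on `"aws:RequestTag/Owner": "${aws:username}"` plus the same `aws:RequestedRegion` list used by `CreateRDSInstancesWithRegionAndInstanceTypeRestriction`. The old/new side of each line is inferred from the rendered page, so please confirm against the raw diff.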
2 changes: 1 addition & 1 deletion ops/infrastructure/inventories/terraform-inventory.sh
Expand Up @@ -3,4 +3,4 @@
# bash shell wrapper for terraform-inventory.
# How to install the https://github.com/adammck/terraform-inventory command:
# brew install terraform-inventory
terraform-inventory $@
terraform-inventory $@ ./
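Review bot: `$@` is still unquoted on the new line, so any argument containing whitespace is re-split by the shell before terraform-inventory sees it; prefer `exec terraform-inventory "$@" ./`. The appended `./` also duplicates the `./` that ops/scripts/ansible_init.sh now passes explicitly (`--list ./`), so that caller ends up running `terraform-inventory --list ./ ./`; supply the path in one place only.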
1 change: 1 addition & 0 deletions ops/infrastructure/modules/rds-instance/input.tf
Expand Up @@ -5,5 +5,6 @@ variable "gigadb_db_user" {}
variable "gigadb_db_password" {}
variable "vpc_id" {}
variable "rds_subnet_ids" {}
variable "vpc_database_subnet_group" {}
variable "snapshot_identifier" {}
variable "restore_to_point_in_time" {}
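Review bot: The new `vpc_database_subnet_group` variable has no type or description, which matches the surrounding declarations but leaves its contract implicit; `variable "vpc_database_subnet_group" { type = string  description = "Name of the VPC database subnet group the RDS instance is placed in" }` would document it where it is consumed. While in this file, the adjacent `gigadb_db_password` variable could be marked `sensitive = true` so its value is redacted from plan output, provided the Terraform version pinned for this repo supports that attribute.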
13 changes: 8 additions & 5 deletions ops/infrastructure/modules/rds-instance/rds-instance.tf
Expand Up @@ -28,18 +28,20 @@ module "db" {
snapshot_identifier = var.snapshot_identifier
restore_to_point_in_time = var.restore_to_point_in_time

name = var.gigadb_db_database
db_name = var.gigadb_db_database
username = var.gigadb_db_user
create_random_password = false
password = var.gigadb_db_password
port = 5432

subnet_ids = var.rds_subnet_ids
# Create this RDS instance in database subnet group in VPC
db_subnet_group_name = var.vpc_database_subnet_group
vpc_security_group_ids = [module.security_group.security_group_id]

create_db_option_group = false
create_db_parameter_group = false

parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null)
parameter_group_name = (var.deployment_target == "staging" ? aws_db_parameter_group.gigadb-db-param-group[0].name : null)
engine = "postgres"
engine_version = "11.13"
family = "postgres11" # DB parameter group
Expand All @@ -51,15 +53,16 @@ module "db" {
backup_window = "03:00-06:00" # UTC time
backup_retention_period = 5 # days
skip_final_snapshot = false # Create final snapshot
final_snapshot_identifier = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}"
final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}"
copy_tags_to_snapshot = true
delete_automated_backups = false # Do not delete backups on RDS instance termination
apply_immediately = true
}

resource "aws_db_parameter_group" "gigadb-db-param-group" {
count = var.deployment_target == "staging" ? 1 : 0
name = "gigadb-db-param-group"
name = "gigadb-db-param-group-${var.owner}"
description = "DB parameter group for staging server"
family = "postgres11"

parameter {
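Review bot: `parameter_group_name` now indexes `aws_db_parameter_group.gigadb-db-param-group[0]`, which only exists while that resource's `count` condition (`var.deployment_target == "staging"`) is true; the ternary guards this today, but the two expressions must stay in sync or the plan fails with an index error. A one-line comment above the assignment, `# must mirror the count condition on aws_db_parameter_group.gigadb-db-param-group`, would make the coupling explicit. Renaming the group to `gigadb-db-param-group-${var.owner}` also forces replacement of any existing staging parameter group, which is worth stating in the resource description or the PR notes. The `module "db"` block begins before this hunk.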
13 changes: 10 additions & 3 deletions ops/infrastructure/terraform.tf
Expand Up @@ -93,12 +93,12 @@ module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2"

name = "vpc-ape1-${var.deployment_target}-gigadb"
name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb-${data.external.callerUserName.result.userName}"
# CIDR block is a range of IPv4 addresses in the VPC. This cidr block below
# means that the main route table has the following routes: Destination =
# 10.99.0.0/18 , Target = local
cidr = "10.99.0.0/18"

# VPC spans all the availability zones in region
azs = data.aws_availability_zones.available.names

Expand Down Expand Up @@ -132,7 +132,7 @@ module "vpc" {
# You can enable communication from internet to RDS is via an internet gateway
# to provide public access to RDS instance, but is not recommended for
# production! These parameters are all false so no public access to RDS
create_database_subnet_group = false
create_database_subnet_group = true
create_database_subnet_route_table = false
create_database_internet_gateway_route = false

Expand All @@ -150,7 +150,13 @@ module "vpc" {
# one_nat_gateway_per_az = false
}

output "vpc_id" {
value = module.vpc.vpc_id
}

output "vpc_database_subnet_group" {
value = module.vpc.database_subnet_group
}

# EC2 instance for hosting Docker Host
module "ec2_dockerhost" {
Expand Down Expand Up @@ -211,6 +217,7 @@ module "rds" {

vpc_id = module.vpc.vpc_id
rds_subnet_ids = module.vpc.database_subnets
vpc_database_subnet_group = module.vpc.database_subnet_group

gigadb_db_database = var.gigadb_db_database
gigadb_db_user = var.gigadb_db_user
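Review bot: The comment directly above `create_database_subnet_group = true` still reads "These parameters are all false so no public access to RDS", which is no longer accurate once the subnet group is created; creating the group does not by itself expose the instance, so the comment should say that only the route-table and internet-gateway flags below stay false, e.g. `# A database subnet group is created for RDS, but no database route table or internet gateway route is added, so the instance stays private`. The VPC name now embeds `data.external.callerUserName.result.userName`, so a change in the calling identity renames the VPC and may force its recreation; if that is intended, a short comment saying so would help the next maintainer.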
2 changes: 1 addition & 1 deletion ops/scripts/ansible_init.sh
Expand Up @@ -37,7 +37,7 @@ cp ../../dockerhost_playbook.yml .
cp ../../bastion_playbook.yml .

# Update Gitlab gigadb_db_host variable with RDS instance address from terraform-inventory
rds_inst_addr=$(../../inventories/terraform-inventory.sh --list | jq -r '.all.vars.rds_instance_address')
rds_inst_addr=$(../../inventories/terraform-inventory.sh --list ./ | jq -r '.all.vars.rds_instance_address')
curl -s --request PUT --header "PRIVATE-TOKEN: $GITLAB_PRIVATE_TOKEN" "$PROJECT_VARIABLES_URL/gigadb_db_host?filter%5benvironment_scope%5d=$target_environment" --form "value=$rds_inst_addr"

# Update properties file with values from GitLab so Ansible can configure the services
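Review bot: If the inventory lookup fails, `jq -r` yields an empty string or the literal `null`, and the `curl` on the following line still overwrites the GitLab `gigadb_db_host` variable with that value; guard it before the PUT with `[ -n "$rds_inst_addr" ] && [ "$rds_inst_addr" != "null" ] || { echo "rds_instance_address not found in inventory" >&2; exit 1; }`. The duplicated `./` argument is covered in the note on ops/infrastructure/inventories/terraform-inventory.sh.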