chore: Update example-rds-instance and rds-aurora modules

Author: ulises-jeremias

live/common-infra/example-rds-instance.tf

@@ -15,8 +15,8 @@ module "exampledb" {
 
   name = "${module.label.id}-exampledb"
 
-  vpc_id          = data.aws_ssm_parameter.vpc_id.value
-  db_subnet_group = data.aws_ssm_parameter.database_subnet_group.value
+  vpc_id                 = data.aws_ssm_parameter.vpc_id.value
+  db_subnet_group        = data.aws_ssm_parameter.database_subnet_group.value
   vpc_security_group_ids = [module.security_group.security_group_id]
 
   db_name            = var.example_db_name

live/core-networking/vpc-endpoints-sg.tf

@@ -0,0 +1,57 @@
+locals {
+  # Check if the bastion exists (based on the length of the module.bastion array)
+  bastion_sg_rule = length(module.bastion) > 0 ? [{
+    rule                     = "https-443-tcp"
+    source_security_group_id = module.bastion[0].security_group_id
+    description              = "vpc ssm vpce security group ingress rule for bastion host"
+  }] : []
+
+  # Define the ingress rules for app security group
+  app_sg_rule = [{
+    rule                     = "https-443-tcp"
+    source_security_group_id = module.vpc.app_security_group
+    description              = "vpc ssm vpce security group ingress rule for app security group"
+  }]
+
+  # Concatenate the rules for app SG and bastion SG (if bastion exists)
+  final_ssm_vpce_rules = concat(local.app_sg_rule, local.bastion_sg_rule)
+}
+
+module "ssm_vpce_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.17.1"
+
+  name        = "${module.label.id}-vpc-ssm-vpce-security-group"
+  description = "Security group for SSM VPC endpoint"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_with_source_security_group_id = local.final_ssm_vpce_rules
+
+  tags = var.tags
+}
+
+module "ec2messages_vpce_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.17.1"
+
+  name        = "${module.label.id}-vpc-ec2messages-vpce-security-group"
+  description = "Security group for EC2 Messages VPC endpoint"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_with_source_security_group_id = local.final_ssm_vpce_rules
+
+  tags = var.tags
+}
+
+module "ssmmessages_vpce_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.17.1"
+
+  name        = "${module.label.id}-vpc-ssmmessages-vpce-security-group"
+  description = "Security group for SSM Messages VPC endpoint"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_with_source_security_group_id = local.final_ssm_vpce_rules
+
+  tags = var.tags
+}

live/core-networking/vpc-endpoints.tf

@@ -5,14 +5,41 @@ module "vpc_endpoints" {
 
   endpoints = {
     s3 = {
-      service         = "s3"
-      service_type    = "Gateway"
-      route_table_ids = module.vpc.public_route_table_ids
-      policy          = null
-      tags            = { Name = "${module.label.id}-s3-vpc-endpoint" }
+      service            = "s3"
+      service_type       = "Gateway"
+      route_table_ids    = module.vpc.public_route_table_ids
+      security_group_ids = [module.vpc.default_security_group_id]
+      policy             = null
+      tags               = { Name = "${module.label.id}-s3-vpc-endpoint" }
     },
+    ssm = {
+      service             = "ssm"
+      service_type        = "Interface"
+      security_group_ids  = [module.ssm_vpce_sg.security_group_id]
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+      policy              = null
+      tags                = { Name = "${var.name}-ssm-vpc-endpoint" }
+    },
+    ec2messages = {
+      service             = "ec2messages"
+      service_type        = "Interface"
+      security_group_ids  = [module.ec2messages_vpce_sg.security_group_id]
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+      policy              = null
+      tags                = { Name = "${var.name}-ec2messages-vpc-endpoint" }
+    },
+    ssmmessages = {
+      service             = "ssmmessages"
+      service_type        = "Interface"
+      security_group_ids  = [module.ssmmessages_vpce_sg.security_group_id]
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+      policy              = null
+      tags                = { Name = "${var.name}-ssmmessages-vpc-endpoint" }
+    }
   }
 
-  security_group_ids = [module.vpc.default_security_group_id]
-  tags               = module.label.tags
+  tags = module.label.tags
 }

live/services-platform/ecr-repositories.tf

@@ -0,0 +1,49 @@
+variable "ecr_repositories" {
+  description = "List of ECR repositories to create"
+  type = map(object({
+    repository_image_tag_mutability = optional(string)
+  }))
+}
+
+module "ecr" {
+  source  = "terraform-aws-modules/ecr/aws"
+  version = "2.3.0"
+
+  for_each = var.ecr_repositories
+
+  repository_name                 = each.key
+  repository_image_tag_mutability = each.value.repository_image_tag_mutability
+
+  repository_read_write_access_arns = concat([data.aws_caller_identity.current.arn],
+    module.eks_cluster.eks_cluster_node_group_roles_arns
+  )
+  create_lifecycle_policy = true
+  repository_lifecycle_policy = jsonencode({
+    rules = [
+      {
+        rulePriority = 1,
+        description  = "Keep last 30 images",
+        selection = {
+          tagStatus     = "tagged",
+          tagPrefixList = ["v"],
+          countType     = "imageCountMoreThan",
+          countNumber   = 30
+        },
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+
+  repository_force_delete = true
+
+  tags = module.label.tags
+}
+
+output "ecr_repository_urls" {
+  value = [
+    for repo in module.ecr : repo.repository_url
+  ]
+  description = "List of ECR repository URLs"
+}

live/services-platform/eks-access-entries.tf

@@ -120,3 +120,33 @@ resource "aws_eks_access_policy_association" "access_policies_associations" {
     namespaces = [each.value.namespace]
   }
 }
+
+
+resource "aws_iam_policy" "ebs_csi_policy" {
+  name = "${module.label.id}-ebs-csi-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ec2:CreateVolume",
+          "ec2:AttachVolume",
+          "ec2:DeleteVolume",
+          "ec2:DetachVolume",
+          "ec2:CreateTags",
+          "ec2:DeleteTags",
+          "ec2:DescribeVolumes"
+        ],
+        Effect   = "Allow",
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "attach_ebs_csi_policy" {
+  for_each   = toset(module.eks_cluster.eks_cluster_node_group_roles_names)
+  role       = each.value
+  policy_arn = aws_iam_policy.ebs_csi_policy.arn
+}

live/services-platform/eks.tf

@@ -30,8 +30,8 @@ variable "node_groups" {
     max_size                       = number
     desired_size                   = number
     health_check_type              = string
-    start_stop_schedule_enabled    = bool
     ami_image_id                   = optional(string)
+    start_stop_schedule_enabled    = optional(bool)
     start_schedule_recurrence_cron = optional(string)
     stop_schedule_recurrence_cron  = optional(string)
     kubernetes_labels              = optional(map(string))

live/services-platform/vpc.tf

@@ -26,6 +26,10 @@ data "aws_ssm_parameter" "public_subnets" {
   name = "${var.core_networking_ssm_parameter_prefix}/public_subnets"
 }
 
+data "aws_ssm_parameter" "app_security_group" {
+  name = "${var.core_networking_ssm_parameter_prefix}/app_security_group"
+}
+
 data "aws_security_group" "default" {
   vpc_id = local.vpc_id
 
@@ -41,5 +45,10 @@ data "aws_vpc" "vpc" {
 
 data "aws_security_group" "bastion_security_group" {
   name   = var.bastion_security_group_name
-  vpc_id = local.vpc_id
+  vpc_id = data.aws_vpc.vpc.id
+}
+
+data "aws_security_group" "app_security_group" {
+  id     = data.aws_ssm_parameter.app_security_group.value
+  vpc_id = data.aws_vpc.vpc.id
 }

modules/bastion/docs/MODULE.md

@@ -46,13 +46,15 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_cidrs"></a> [allowed\_cidrs](#input\_allowed\_cidrs) | Allow these CIDR blocks to instance | `string` | `null` | no |
 | <a name="input_ami"></a> [ami](#input\_ami) | AMI to use for the instance - will default to latest Ubuntu | `string` | `""` | no |
+| <a name="input_create_vpc_endpoints"></a> [create\_vpc\_endpoints](#input\_create\_vpc\_endpoints) | Create VPC endpoints for SSM, EC2 Messages, and SSM Messages | `bool` | `true` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type/size - the default is not part of free tier! | `string` | `"t3.nano"` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | SSH key name to use for the instance | `string` | `""` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | List of private subnets in which the EC2 instance is to be created. | `list(string)` | n/a | yes |
 | <a name="input_root_volume_size"></a> [root\_volume\_size](#input\_root\_volume\_size) | Size of the root volume in GB | `number` | `8` | no |
 | <a name="input_root_volume_type"></a> [root\_volume\_type](#input\_root\_volume\_type) | Type of the root volume | `string` | `"gp2"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Any extra tags to assign to objects | `map(any)` | `{}` | no |
+| <a name="input_vpc_endpoint_security_group_ids"></a> [vpc\_endpoint\_security\_group\_ids](#input\_vpc\_endpoint\_security\_group\_ids) | List of security group IDs to attach to the VPC endpoints. Will be ignored if create\_vpc\_endpoints is false. | `list(string)` | `[]` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC id in which the EC2 instance is to be created. | `string` | n/a | yes |
 
 ## Outputs
@@ -61,5 +63,6 @@
 |------|-------------|
 | <a name="output_instance_id"></a> [instance\_id](#output\_instance\_id) | n/a |
 | <a name="output_instance_profile"></a> [instance\_profile](#output\_instance\_profile) | n/a |
+| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | n/a |
 | <a name="output_ssm_parameter_ssh_key"></a> [ssm\_parameter\_ssh\_key](#output\_ssm\_parameter\_ssh\_key) | n/a |
 <!-- END_TF_DOCS -->

modules/bastion/outputs.tf

@@ -9,3 +9,7 @@ output "instance_profile" {
 output "ssm_parameter_ssh_key" {
   value = try(aws_ssm_parameter.ssh_key[0].name, null)
 }
+
+output "security_group_id" {
+  value = module.ec2_security_group.security_group_id
+}

modules/bastion/scripts/connect.sh

@@ -97,8 +97,9 @@ if [[ -n "$tunnel_target_user" && -n "$tunnel_target_key" ]]; then
     tunnel_host=$(echo "$tunnel" | cut -d':' -f2)
     ssh_proxy_command_option="ProxyCommand ssh -i $tunnel_target_key -W %h:%p $tunnel_target_user@$tunnel_host"
     ssh_tunnel_proxy_command_option="ProxyCommand ssh -i $tunnel_target_key -W %h:%p $tunnel_target_user@$tunnel_host"
+    echo "Tunnel established. Press Ctrl+C to close the tunnel."
     ssh -i "$SSH_KEY_PATH" -o "$ssh_proxy_command_option" -L "$tunnel" -o "$ssh_tunnel_proxy_command_option" -N "$BASTION_USER@$instance_id"
 else
+    echo "Tunnel established. Press Ctrl+C to close the tunnel."
     ssh -i "$SSH_KEY_PATH" -o "$ssh_proxy_command_option" -L "$tunnel" -N "$BASTION_USER@$instance_id"
 fi
-echo "Tunnel established through Bastion host."