Merge pull request #9 from synapsestudios/replace-rds-module

chrisshiplet · web-flow · commit aa0c7b072b0a · 2023-02-22T16:48:11.000-07:00
Pull RDS module into this one since it is not reused elsewhere
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ You can do this by commenting out the entire module, running a terraform apply,
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_database"></a> [database](#module\_database) | git::https://github.com/synapsestudios/terraform-aws-rds-aurora-cluster.git | v1.0.0 |
+| <a name="module_database"></a> [database](#module\_database) | ./rds_cluster | n/a |
 | <a name="module_service_container_definition"></a> [service\_container\_definition](#module\_service\_container\_definition) | cloudposse/ecs-container-definition/aws | 0.58.1 |
 
 ## Resources
@@ -58,9 +58,12 @@ You can do this by commenting out the entire module, running a terraform apply,
 | <a name="input_azs"></a> [azs](#input\_azs) | Availability zones | `list(string)` | n/a | yes |
 | <a name="input_cluster_arn"></a> [cluster\_arn](#input\_cluster\_arn) | ECS cluster to deploy into | `string` | n/a | yes |
 | <a name="input_command"></a> [command](#input\_command) | Container startup command | `list(string)` | n/a | yes |
+| <a name="input_container_image"></a> [container\_image](#input\_container\_image) | Image tag of the Docker container to use for this service | `string` | n/a | yes |
 | <a name="input_container_port"></a> [container\_port](#input\_container\_port) | Port exposed by the container | `number` | n/a | yes |
 | <a name="input_container_secrets"></a> [container\_secrets](#input\_container\_secrets) | The Secrets to Pass to the container. | <pre>list(object({<br>    name      = string<br>    valueFrom = string<br>  }))</pre> | `[]` | no |
-| <a name="input_ecr_host"></a> [ecr\_host](#input\_ecr\_host) | Hostname of the ECR repository with no trailing slash | `string` | n/a | yes |
+| <a name="input_db_instance_class"></a> [db\_instance\_class](#input\_db\_instance\_class) | Size of instances within the RDS cluster | `string` | `"db.t4g.medium"` | no |
+| <a name="input_db_instance_count"></a> [db\_instance\_count](#input\_db\_instance\_count) | How many RDS instances to create | `number` | `1` | no |
+| <a name="input_db_name"></a> [db\_name](#input\_db\_name) | Name of the postgres database to create, if creating an RDS cluster | `string` | `"main"` | no |
 | <a name="input_ecs_desired_count"></a> [ecs\_desired\_count](#input\_ecs\_desired\_count) | How many tasks to launch in ECS service | `number` | `1` | no |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | The environment variables to pass to the container. This is a list of maps. | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
 | <a name="input_health_check_path"></a> [health\_check\_path](#input\_health\_check\_path) | Path to use for health checks | `string` | n/a | yes |
diff --git a/alb_target_group.tf b/alb_target_group.tf
@@ -5,7 +5,6 @@ resource "aws_lb_target_group" "this" {
   protocol             = "HTTP"
   target_type          = "ip"
   vpc_id               = var.vpc_id
-  #  tags                 = var.tags # TODO
 
   lifecycle {
     create_before_destroy = true
diff --git a/db.tf b/db.tf
@@ -1,11 +1,11 @@
 module "database" {
-  count                           = var.use_database_cluster ? 1 : 0
-  source                          = "git::https://github.com/synapsestudios/terraform-aws-rds-aurora-cluster.git?ref=v1.0.0"
-  availability_zones              = var.azs
-  database_subnets                = var.subnets
-  db_cluster_parameter_group_name = "default.aurora-postgresql14"
-  instance_class                  = "db.t4g.medium"
-  name                            = "backend"
-  vpc_id                          = var.vpc_id
-  database_name                   = "backend"
+  count              = var.use_database_cluster ? 1 : 0
+  source             = "./rds_cluster"
+  availability_zones = var.azs
+  database_subnets   = var.subnets
+  instance_class     = var.db_instance_class
+  instance_count     = var.db_instance_count
+  name               = var.service_name
+  vpc_id             = var.vpc_id
+  database_name      = var.db_name
 }
diff --git a/ecs_task_definitions.tf b/ecs_task_definitions.tf
@@ -8,20 +8,19 @@ resource "aws_ecs_task_definition" "service" {
   memory                   = 2048
   cpu                      = 1024
   requires_compatibilities = ["FARGATE"]
-  #  tags                     = var.tags # TODO
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "service" {
   name_prefix = var.service_name
-  #  tags = var.tags # TODO
 }
 
 module "service_container_definition" {
   source  = "cloudposse/ecs-container-definition/aws"
   version = "0.58.1"
 
   container_name   = var.service_name
-  container_image  = "${var.ecr_host}/${var.service_name}:latest"
+  container_image  = var.container_image
   container_memory = 2048
   essential        = true
   environment      = var.environment_variables
diff --git a/ecs_task_security_group.tf b/ecs_task_security_group.tf
@@ -2,7 +2,6 @@ resource "aws_security_group" "ecs_task" {
   description = "ECS Tasks traffic rules"
   vpc_id      = var.vpc_id
   name_prefix = "${var.service_name}-ecs-task-default"
-  #  tags        = merge(var.tags, { Name = "ECSTasks" }) # TODO
 
   egress {
     from_port   = 0
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
@@ -0,0 +1,116 @@
+resource "random_id" "final_snapshot_suffix" {
+  byte_length = 8
+}
+
+#tfsec:ignore:aws-rds-encrypt-cluster-storage-data
+resource "aws_rds_cluster" "this" {
+  cluster_identifier_prefix       = var.name
+  engine                          = "aurora-postgresql"
+  engine_version                  = "14.6"
+  database_name                   = var.database_name
+  skip_final_snapshot             = false
+  final_snapshot_identifier       = "${var.name}-final-${random_id.final_snapshot_suffix.hex}"
+  master_username                 = "root"
+  master_password                 = aws_secretsmanager_secret_version.root_password.secret_string
+  db_subnet_group_name            = aws_db_subnet_group.this.name
+  storage_encrypted               = true
+  availability_zones              = var.availability_zones
+  preferred_backup_window         = "07:00-09:00"
+  backup_retention_period         = 30
+  vpc_security_group_ids          = concat([aws_security_group.this.id], var.additional_security_groups)
+  tags                            = var.tags
+  db_cluster_parameter_group_name = "default.aurora-postgresql14"
+  deletion_protection             = true
+}
+
+resource "random_password" "password" {
+  length           = 32
+  special          = true
+  min_special      = 1
+  override_special = "-._~" # URL-safe characters prevent parsing errors when using this password in a connection string
+}
+
+#tfsec:ignore:aws-ssm-secret-use-customer-key
+resource "aws_secretsmanager_secret" "root_password" {
+  name_prefix = "${var.name}-aurora-root-password"
+  description = "Root password for the ${var.name} aurora cluster database"
+  tags        = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "root_password" {
+  secret_id     = aws_secretsmanager_secret.root_password.id
+  secret_string = random_password.password.result
+}
+
+#tfsec:ignore:aws-ssm-secret-use-customer-key
+resource "aws_secretsmanager_secret" "connection_string" {
+  name_prefix = "${var.name}-aurora-connection-string"
+  description = "Connection String for the ${var.name} aurora cluster database"
+  tags        = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "connection_string" {
+  secret_id     = aws_secretsmanager_secret.connection_string.id
+  secret_string = "postgresql://${aws_rds_cluster.this.master_username}:${aws_secretsmanager_secret_version.root_password.secret_string}@${aws_rds_cluster.this.endpoint}:${aws_rds_cluster.this.port}/${aws_rds_cluster.this.database_name}"
+}
+
+#tfsec:ignore:aws-rds-enable-performance-insights-encryption
+resource "aws_rds_cluster_instance" "this" {
+  count                           = var.instance_count
+  engine                          = "aurora-postgresql"
+  engine_version                  = "14.6"
+  identifier_prefix               = "${var.name}-${count.index + 1}"
+  performance_insights_enabled    = true
+  cluster_identifier              = aws_rds_cluster.this.id
+  instance_class                  = var.instance_class
+  db_subnet_group_name            = aws_db_subnet_group.this.name
+  tags                            = var.tags
+}
+
+resource "aws_db_subnet_group" "this" {
+  name_prefix = var.name
+  description = "${var.name} RDS Subnet Group"
+  subnet_ids  = var.database_subnets
+  tags        = var.tags
+}
+
+resource "aws_security_group" "this" {
+  name_prefix = "${var.name}-database-access"
+  description = "Database traffic rules"
+  vpc_id      = var.vpc_id
+  tags        = merge(var.tags, { name = "database" })
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.database_vpc.cidr_block]
+    description = "Database ingress"
+  }
+  egress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.database_vpc.cidr_block]
+    description = "Database egress"
+  }
+}
+
+data "aws_vpc" "database_vpc" {
+  id = var.vpc_id
+}
+
+output "db_cluster_id" {
+  value = aws_rds_cluster.this.cluster_identifier
+}
+
+output "security_group_id" {
+  value = aws_security_group.this.id
+}
+
+output "root_password_secret_id" {
+  value = aws_secretsmanager_secret.root_password.id
+}
+
+output "connection_string_arn" {
+  value = aws_secretsmanager_secret.connection_string.arn
+}
diff --git a/rds_cluster/variables.tf b/rds_cluster/variables.tf
@@ -0,0 +1,46 @@
+variable "name" {
+  type        = string
+  description = "Determines naming convention of assets. Generally follows DNS naming convention."
+}
+
+variable "database_name" {
+  type        = string
+  description = "Name of the default database to create"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "The ID of the vpc the database belongs to"
+}
+
+variable "availability_zones" {
+  type        = list(string)
+  description = "Availability zones for the database"
+}
+
+variable "database_subnets" {
+  type        = list(string)
+  description = "Subnets for the database"
+}
+
+variable "additional_security_groups" {
+  type        = list(string)
+  default     = []
+  description = "Any additional security groups the cluster should be added to"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A mapping of tags to assign to the AWS resources."
+  default     = {}
+}
+
+variable "instance_count" {
+  type        = number
+  description = "How many RDS instances to create"
+}
+
+variable "instance_class" {
+  type        = string
+  description = "Instance class"
+}
diff --git a/variables.tf b/variables.tf
@@ -13,9 +13,9 @@ variable "subnets" {
   description = "List of subnet names the service will reside on."
 }
 
-variable "ecr_host" {
+variable "container_image" {
   type        = string
-  description = "Hostname of the ECR repository with no trailing slash"
+  description = "Image tag of the Docker container to use for this service"
 }
 
 variable "azs" {
@@ -97,3 +97,21 @@ variable "ecs_desired_count" {
   default     = 1
   description = "How many tasks to launch in ECS service"
 }
+
+variable "db_name" {
+  type        = string
+  default     = "main"
+  description = "Name of the postgres database to create, if creating an RDS cluster"
+}
+
+variable "db_instance_class" {
+  type        = string
+  default     = "db.t4g.medium"
+  description = "Size of instances within the RDS cluster"
+}
+
+variable "db_instance_count" {
+  type        = number
+  default     = 1
+  description = "How many RDS instances to create"
+}
