From 6f38e8bc1d553700670fb7104a23f3e0b0b3a9cb Mon Sep 17 00:00:00 2001
From: Nicholas Molnar <65710+neekolas@users.noreply.github.com>
Date: Mon, 2 Dec 2024 17:34:21 -0800
Subject: [PATCH] Add postgres config (#7)

### TL;DR
Adds RDS Aurora PostgreSQL database configuration and connects it to xmtpd services.
### What changed?
- Added RDS Aurora PostgreSQL 16 cluster configuration with 2 instances
- Updated module sources to reference GitHub repository paths
- Connected database URL to xmtpd-api and xmtpd-worker services
- Configured security groups for database access within VPC
- Set up database parameter groups and subnet groups
- Implemented password generation for database access
---
 .tflint.hcl | 2 +-
 terraform/examples/aws-complete/main.tf | 13 ++--
 terraform/examples/aws-complete/rds.tf | 86 +++++++++++++++++++++++++
 3 files changed, 95 insertions(+), 6 deletions(-)
 create mode 100644 terraform/examples/aws-complete/rds.tf
diff --git a/.tflint.hcl b/.tflint.hcl
index df19dd4..21dcacf 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -12,4 +12,4 @@ rule "terraform_required_providers" {
 rule "terraform_required_version" {
 enabled = false
-}
\ No newline at end of file
+}
diff --git a/terraform/examples/aws-complete/main.tf b/terraform/examples/aws-complete/main.tf
index 8816980..23163b7 100644
--- a/terraform/examples/aws-complete/main.tf
+++ b/terraform/examples/aws-complete/main.tf
@@ -1,6 +1,7 @@
 module "mls_validation_service" {
- source = "./aws/xmtp-validation-service" # TODO: Replace with git URL once merged to main
+ # tflint-ignore: terraform_module_pinned_source
+ source = "github.com/xmtp/xmtpd-infrastructure//terraform/aws/xmtp-validation-service"
 depends_on = [module.vpc, aws_service_discovery_private_dns_namespace.xmtp]
 env = terraform.workspace
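Review bot: The new `source` for `module "mls_validation_service"` references the GitHub repository with no `?ref=` pin, and the added `tflint-ignore: terraform_module_pinned_source` comment suppresses the rule that exists to catch exactly that, so every `terraform init` pulls whatever the default branch holds at that moment and a later push to that repository changes this example's infrastructure without any diff here. Pin the module to a tag or commit, e.g. `source = "github.com/xmtp/xmtpd-infrastructure//terraform/aws/xmtp-validation-service?ref=<tag-or-sha>"`, and drop the ignore comment. If the example is meant to track the default branch on purpose, document that next to the suppression, e.g. `# tflint-ignore: terraform_module_pinned_source -- example intentionally tracks the default branch`. The module block continues outside the hunk.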
@@ -18,7 +19,8 @@ module "mls_validation_service" {
 }
 module "xmtpd_api" {
- source = "./aws/xmtpd-api" # TODO: Replace with git URL once merged to main
+ # tflint-ignore: terraform_module_pinned_source
+ source = "github.com/xmtp/xmtpd-infrastructure//terraform/aws/xmtpd-api"
 vpc_id = module.vpc.vpc_id
 public_subnets = module.vpc.public_subnets
@@ -36,7 +38,7 @@ module "xmtpd_api" {
 service_secrets = {
 signer_private_key = var.signer_private_key
 chain_rpc_url = var.chain_rpc_url
- database_url = "CHANGE_ME" # TODO:nm add database
+ database_url = "postgres://${aws_rds_cluster.cluster.master_username}:${aws_rds_cluster.cluster.master_password}@${aws_rds_cluster.cluster.endpoint}:5432/${aws_rds_cluster.cluster.database_name}?sslmode=disable"
 }
 enable_debug_logs = false
@@ -46,7 +48,8 @@ module "xmtpd_api" {
 }
 module "xmtpd_worker" {
- source = "./aws/xmtpd-worker" # TODO: Replace with git URL once merged to main
+ # tflint-ignore: terraform_module_pinned_source
+ source = "github.com/xmtp/xmtpd-infrastructure//terraform/aws/xmtpd-worker"
 vpc_id = module.vpc.vpc_id
 public_subnets = module.vpc.public_subnets
@@ -62,7 +65,7 @@ module "xmtpd_worker" {
 service_secrets = {
 signer_private_key = var.signer_private_key
 chain_rpc_url = var.chain_rpc_url
- database_url = "CHANGE_ME" # TODO:nm add database
+ database_url = "postgres://${aws_rds_cluster.cluster.master_username}:${aws_rds_cluster.cluster.master_password}@${aws_rds_cluster.cluster.endpoint}:5432/${aws_rds_cluster.cluster.database_name}?sslmode=disable"
 }
 enable_debug_logs = false
diff --git a/terraform/examples/aws-complete/rds.tf b/terraform/examples/aws-complete/rds.tf
new file mode 100644
index 0000000..eeeb452
--- /dev/null
+++ b/terraform/examples/aws-complete/rds.tf
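Review bot: The `source` for `module "xmtpd_api"` (and the identical change to `module "xmtpd_worker"` two hunks down) is an unpinned GitHub reference with the `terraform_module_pinned_source` rule suppressed, so the module code this example deploys can change between two runs of `terraform init` with no change in this repository. A `?ref=` pin to a tag or commit, `source = "github.com/xmtp/xmtpd-infrastructure//terraform/aws/xmtpd-api?ref=<tag-or-sha>"`, removes both the drift and the need for the ignore comment. Both module blocks extend beyond their hunks.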
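Review bot: `sslmode=disable` at the end of the new `database_url` in `module "xmtpd_api"` turns TLS off for the service's Postgres connection, so the cluster master password and every query cross the VPC network in clear text, even though rds.tf goes to the trouble of pinning a CA certificate on the instances. Aurora PostgreSQL serves TLS with no extra setup, so `sslmode=require` is a drop-in replacement; `sslmode=verify-full` with the RDS CA bundle is the stronger option if the service image ships that bundle, which cannot be told from here. The `module "xmtpd_api"` block starts and ends outside this hunk.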
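Review bot: The `database_url` for `module "xmtpd_worker"` repeats the string built for `xmtpd_api` byte for byte, master credentials and `sslmode=disable` included, so the TLS mode and credential choice now have to be kept in step by hand in two places; a single `local.database_url` built once from `aws_rds_cluster.cluster` and referenced by both modules makes that one decision, and keeps the two services from silently diverging. Both services also authenticate as the cluster's master user; a dedicated application role with only the grants xmtpd needs would keep the master credential out of the service containers, though that role cannot be created from this Terraform alone and would need a follow-up. The `module "xmtpd_worker"` block starts and ends outside this hunk.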
@@ -0,0 +1,86 @@
+locals {
+ db_engine_version = "16"
+ db_name = "xmtp"
+ db_root_user = "xmtp"
+ is_production_environment = false
+ db_num_instances = 2
+ db_instance_class = "db.t4g.medium"
+ db_ca_certificate_identifier = "rds-ca-rsa2048-g1"
+ db_parameter_group_family = "aurora-postgresql16"
+}
+
+resource "random_password" "password" {
+ length = 64
+ special = false
+}
+
+resource "aws_rds_cluster" "cluster" {
+ engine = "aurora-postgresql"
+ engine_version = local.db_engine_version
+ availability_zones = module.vpc.azs
+ database_name = local.db_name
+ master_username = local.db_root_user
+ master_password = random_password.password.result
+ db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.name
+ db_subnet_group_name = aws_db_subnet_group.cluster.name
+ vpc_security_group_ids = [aws_security_group.rds.id]
+ deletion_protection = local.is_production_environment
+ apply_immediately = true
+ # These will need to be turned off for production usage
+ backup_retention_period = local.is_production_environment ? 30 : 1
+ skip_final_snapshot = local.is_production_environment ? false : true
+
+ lifecycle {
+ ignore_changes = [
+ availability_zones
+ ]
+ }
+}
+
+resource "aws_rds_cluster_instance" "instances" {
+ count = local.db_num_instances
+
+ cluster_identifier = aws_rds_cluster.cluster.id
+ instance_class = local.db_instance_class
+ engine = aws_rds_cluster.cluster.engine
+ engine_version = aws_rds_cluster.cluster.engine_version
+ auto_minor_version_upgrade = false
+ ca_cert_identifier = local.db_ca_certificate_identifier
+ publicly_accessible = false
+ performance_insights_enabled = true
+ db_subnet_group_name = aws_db_subnet_group.cluster.name
+ apply_immediately = true
+}
+
+resource "aws_db_subnet_group" "cluster" {
+ subnet_ids = module.vpc.private_subnets
+}
+
+# Create a parameter group so that we can adjust parameters later without recreating the cluster
+resource "aws_rds_cluster_parameter_group" "default" {
+ family = local.db_parameter_group_family
+ description = "RDS cluster parameter group"
+
+ parameter {
+ name = "log_temp_files"
+ # Log any temp files greater than 1MB
+ value = "1000"
+ apply_method = "pending-reboot"
+ }
+}
+
+
+resource "aws_security_group" "rds" {
+ description = "RDS security group"
+ vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "ingress" {
+ description = "Allow Postgres traffic from our VPC"
+ cidr_blocks = [module.vpc.vpc_cidr_block]
+ from_port = 5432
+ protocol = "tcp"
+ security_group_id = aws_security_group.rds.id
+ to_port = 5432
+ type = "ingress"
+}
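Review bot: `resource "aws_rds_cluster" "cluster"` never sets `storage_encrypted`, and for a provisioned Aurora cluster (the default `engine_mode` here) the provider defaults it to false, so the cluster volumes, automated backups and any final snapshot are created without encryption at rest; `storage_encrypted = true` (plus `kms_key_id` if a customer-managed key is wanted) has to be set at creation, since it cannot be turned on later without rebuilding the cluster. The cluster parameter group only sets `log_temp_files`, so the server still accepts plaintext sessions, which matters because the `database_url` values in main.tf connect with `sslmode=disable`; a `rds.force_ssl` parameter set to `1` makes the server enforce TLS regardless of client configuration. `aws_security_group_rule.ingress` admits port 5432 from the whole VPC CIDR rather than from the security groups of the two services that need it, so any compromised workload in the VPC can reach the database. `is_production_environment` is a hard-coded `false` even though main.tf takes the environment from `terraform.workspace`, so a production workspace currently gets `deletion_protection = false`, one day of backups and `skip_final_snapshot = true`; deriving it from the workspace name closes that gap, and the comment "These will need to be turned off for production usage" then becomes accurate only for the non-production branch and should say so.

```hcl
locals {
  # … unchanged: engine, db name, user, instance settings …
  # adjust to whatever workspace name is used for production
  is_production_environment = terraform.workspace == "production"
}

resource "aws_rds_cluster" "cluster" {
  # … unchanged: engine, networking, parameter/subnet groups …
  storage_encrypted = true
  # … unchanged: deletion protection, backups, lifecycle …
}

resource "aws_rds_cluster_parameter_group" "default" {
  # … unchanged: family, description, log_temp_files …

  parameter {
    name         = "rds.force_ssl"
    value        = "1"
    apply_method = "pending-reboot"
  }
}
```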