PLT-697:Apply shared terraform for database to BCDA test #164
Conversation
|
one of the bcda environment fails (bcda-opensbx) fails due to environment naming conflict. ab2d has ab2d-sbx and bcda has bcda-opensbx. no backend configuration doe bcda-opensbx but for bcda-sbx. Also AB2D has some minor changes as a result to this integration |
| "bcda-${var.env}-vpn-public", | ||
| "bcda-${var.env}-remote-management", | ||
| "bcda-${var.env}-enterprise-tools" | ||
| ] |
There was a problem hiding this comment.
Why are these called "gedit" security groups?
| var.app == "bcda" && var.env != "opensbx" ? ["${var.app}-${var.env}-az1-data", "${var.app}-${var.env}-az2-data", "${var.app}-${var.env}-az3-data"] : [] | ||
| ]) | ||
| } | ||
| } |
There was a problem hiding this comment.
Rather than "count = var.app" on these subnet resources, there should be one data "aws_subnets" "db" resource that has a ternary on the filter values for each app. Also, we can drop the "az3-data" subnet from bcda. The only database in that us-east-1c subnet is dev and it can be restored in another subnet after the change is applied.
terraform/services/api-rds/main.tf
Outdated
| username = data.aws_secretsmanager_secret_version.database_user.secret_string | ||
| password = data.aws_secretsmanager_secret_version.database_password.secret_string | ||
| kms_key_id = var.app == "ab2d" && length(data.aws_kms_alias.main_kms) > 0 ? data.aws_kms_alias.main_kms[0].target_key_arn : null | ||
| multi_az = var.app == "bcda" ? true : local.db_name == "ab2d-east-prod" |
There was a problem hiding this comment.
Only the prod environment in each app should be multi-az.
terraform/services/api-rds/main.tf
Outdated
| multi_az = var.app == "bcda" ? true : local.db_name == "ab2d-east-prod" | ||
| vpc_security_group_ids = var.app == "bcda" ? concat([aws_security_group.sg_database.id], local.gedit_security_group_ids) : [aws_security_group.sg_database.id] | ||
| username = var.app == "bcda" && length(data.aws_secretsmanager_secret_version.database_secret_version) > 0 ? jsondecode(data.aws_secretsmanager_secret_version.database_secret_version[0].secret_string)["username"] : var.app == "ab2d" && length(data.aws_secretsmanager_secret_version.database_user) > 0 ? data.aws_secretsmanager_secret_version.database_user[0].secret_string : null | ||
| password = var.app == "bcda" && length(data.aws_secretsmanager_secret_version.database_secret_version) > 0 ? jsondecode(data.aws_secretsmanager_secret_version.database_secret_version[0].secret_string)["password"] : var.app == "ab2d" && length(data.aws_secretsmanager_secret_version.database_user) > 0 ? data.aws_secretsmanager_secret_version.database_user[0].secret_string : null |
There was a problem hiding this comment.
The conditional on username and password is difficult to read and will only get worse if we continue in this direction with dpc. Instead, try creating username and password secrets for BCDA via the AWS console under this naming scheme: ${var.app}/${var.env}/db/username and ${var.app}/${var.env}/db/password. Use a ternary on the name for data "aws_secretsmanager_secret" "db_password" and data "aws_secretsmanager_secret" "db_password" resources for all three apps.
I have imported aws_db_instance.api, aws_db_subnet_group.subnet_group, aws_route53_record.rds[0] and aws_route53_zone.local_zone[0] in test environment. I haven't imported aws_security_group.sg_database because it hasn't been created in bcda account. I also haven't imported aws_vpc_security_group_ingress_rule.db_access_from_mgmt and aws_vpc_security_group_ingress_rule.db_access_from_jenkins_agent because it involves aws_security_group.sg_database and the security group ID is unknown since it hasn't been created yet in the bcda account |
|
I also noticed the difference in naming convention for "${local.db_name}-rds-parameter-group-v16" as in environment its like this dev-rds-parameter-group-v16 (doesn't have application name) and so I haven't yet imported the resource also terraform plan for bcda-prod fails because I haven't yet created ${var.app}/${var.env}/db/password for prod because I initial omitted a letter in the password upon creating it and so I had to delete and re-create but AWS has a 7 day wait period to do so. I recreate it on Monday |
🎫 Ticket
PLT-697
🛠 Changes
BCDA was added to app in api-res-plan workflow
ℹ️ Context
switching out management of database infra from bcda-ops to platform
🧪 Validation
See terraform plans in checks.