[Issue 965] Configure RDS to pass Security Hub checks

[jamesbursa]

Summary

Fixes #965

Time to review: 10 mins

Changes proposed

• Increase backup retention period from default (1 day) to maximum (35 days).
• Change the RDS superuser from a fixed username postgres to a randomized username of the form rootd475cc8eefda848e49bff38b509233ff.
• Add variables to set the number of database instances in each environment, and increase the number of instances in prod to 2 (one writer, one reader).
• Enable performance insights with a 3 month retention period.

Context for reviewers

This addresses the issues found by Security Hub.

The requirement "RDS DB clusters should be configured for multiple Availability Zones" has a cost implication as Aurora Serverless reader instances run continuously at the minimum configured scale. Therefore we only set 2 instances in the prod environment (1 writer and 2 reader), and leave the other environments with only 1 instance (a writer).

Warning

Since this changes the database superuser username, it forces a replacement of the RDS clusters. All data would be lost. After the clusters have been recreated, we will need to re-run the role manager lambda to create other users, so that the API can connect.

Partial terraform plan:

  # module.database.aws_rds_cluster.db must be replaced
-/+ resource "aws_rds_cluster" "db" {
      ~ allocated_storage                   = 1 -> (known after apply)
      + apply_immediately                   = (known after apply)
      ~ arn                                 = "arn:aws:rds:us-east-1:...:cluster:api-dev" -> (known after apply)
      ~ availability_zones                  = [
          - "us-east-1a",
          - "us-east-1c",
          - "us-east-1d",
        ] -> (known after apply)
      - backtrack_window                    = 0 -> null
      ~ backup_retention_period             = 1 -> 35
      + cluster_identifier_prefix           = (known after apply)
      ~ cluster_members                     = [
          - "api-dev-primary",
        ] -> (known after apply)
      ~ cluster_resource_id                 = "cluster-XNKIT..." -> (known after apply)
      ~ db_cluster_parameter_group_name     = "default.aurora-postgresql14" -> (known after apply)
      ~ db_subnet_group_name                = "default" -> (known after apply)
      ~ endpoint                            = "api-dev.cluster-....us-east-1.rds.amazonaws.com" -> (known after apply)
      ~ engine_version                      = "14.6" -> (known after apply)
      ~ engine_version_actual               = "14.6" -> (known after apply)
      ~ hosted_zone_id                      = "Z2R2IT..." -> (known after apply)
      ~ iam_roles                           = [] -> (known after apply)
      ~ id                                  = "api-dev" -> (known after apply)
      - iops                                = 0 -> null
      ~ master_user_secret                  = [
          - {
              - kms_key_id    = "arn:aws:kms:us-east-1:..."
              - secret_arn    = "arn:aws:secretsmanager:us-east-1:..."
              - secret_status = "active"
            },
        ] -> (known after apply)
      + master_user_secret_kms_key_id       = (known after apply)
      ~ master_username                     = "postgres" # forces replacement -> (known after apply) # forces replacement
      ~ network_type                        = "IPV4" -> (known after apply)
      ~ preferred_backup_window             = "06:16-06:46" -> (known after apply)
      ~ preferred_maintenance_window        = "sat:05:12-sat:05:42" -> (known after apply)
      ~ reader_endpoint                     = "api-dev.cluster-ro-....us-east-1.rds.amazonaws.com" -> (known after apply)
      + storage_type                        = (known after apply)
      - tags                                = {} -> null
        # (17 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Additional information

N/A

[coilysiren]

💯

[coilysiren]

LGTM! 🚀