[Issue 1119] Deploy DMS from database module, fixup #1129
Conversation
| resource "aws_iam_role" "dms_access" { | ||
| name = "dms-access-role" | ||
| name_prefix = "dms-access-role" |
There was a problem hiding this comment.
This change is to ensure the DMS can deploy to dev / staging / prod. Roles must have unique names
coilysiren
changed the title
| type = "Service" | ||
| identifiers = [ | ||
| "dms.amazonaws.com", | ||
| "dms.${data.aws_region.current.name}.amazonaws.com", |
There was a problem hiding this comment.
Error message:
"dms-access-role should have the DMS Regional Service Principal 'dms.us-east-1.amazonaws.com' as trusted entity"
| @@ -85,6 +89,6 @@ data "aws_iam_policy_document" "dms_access" { | |||
| "logs:ilterLogEvents", | |||
| "logs:GetLogEvents" | |||
| ] | |||
| resources = ["*"] # don't have log group yet | |||
There was a problem hiding this comment.
Its just logs, we should be able to do logs:*, its fine
| @@ -24,10 +24,10 @@ resource "aws_dms_endpoint" "target_endpoint" { | |||
| certificate_arn = "arn:aws:dms:us-east-1:315341936575:cert:GWOIQRTIVQVRBL5ERMCKTUPHMM33MMDGIP57J4I" | |||
| database_name = "app" | |||
| endpoint_id = "api-dev-primary" | |||
| endpoint_type = "source" | |||
| endpoint_type = "target" | |||
There was a problem hiding this comment.
Typo, this is the target endpoint
| @@ -49,7 +51,7 @@ data "aws_iam_policy_document" "dms_access" { | |||
| "iam:CreateRole", | |||
| "iam:AttachRolePolicy" | |||
| ] | |||
| resources = ["arn:aws:iam:*:${data.aws_caller_identity.current.account_id}:*"] | |||
There was a problem hiding this comment.
Error message:
creating IAM Policy (dms-access): MalformedPolicyDocument: IAM resource arn:aws:iam::315341936575: cannot contain region information.
| @@ -1,24 +0,0 @@ | |||
| # This file is maintained automatically by "terraform init". | |||
There was a problem hiding this comment.
superfluous lockfiles
| @@ -35,7 +36,8 @@ data "aws_iam_policy_document" "dms_access" { | |||
| sid = "AllowDMSAccess" | |||
| effect = "Allow" | |||
| actions = ["dms:*"] | |||
| resources = [""] # arn for the actual dms service goes here | |||
| resources = ["arn:aws:dms:*:${data.aws_caller_identity.current.account_id}:*"] | |||
| # TODO! arn for the actual dms service goes here | |||
There was a problem hiding this comment.
Do we still need the TODO comment?
There was a problem hiding this comment.
Yep! The DMS isn't up yet, and I do want to fill it in.
| engine_name = "aurora-postgresql" | ||
| kms_key_arn = aws_kms_key.dms_endpoints.arn | ||
| secrets_manager_access_role_arn = data.aws_iam_role.dms_access.arn | ||
| secrets_manager_access_role_arn = aws_iam_role.dms_access.arn |
There was a problem hiding this comment.
Since this was changed to refer directly to the role, can we remove lines 59-61 in this file? data "aws_iam_role" "dms_access" { ... }
| engine_name = "aurora-postgresql" | ||
| kms_key_arn = aws_kms_key.dms_endpoints.arn | ||
| secrets_manager_access_role_arn = data.aws_iam_role.dms_access.arn | ||
| secrets_manager_access_role_arn = aws_iam_role.dms_access.arn | ||
| ssl_mode = "verify-ca" | ||
| secrets_manager_arn = data.aws_secretsmanager_secret.target_db.arn |
There was a problem hiding this comment.
I think this is the same secret as the one defined in role-manager.tf as data "aws_secretsmanager_secret" "db_password" { ... }. Should we re-use that one, then remove lines 52-55 below with the hard-coded name?
There was a problem hiding this comment.
Mhmm! I'm planning on doing that next o7
Summary
Rolls up to #1119
Time to review: 2 mins
Context for reviewers
I tried to deploy the DMS, and noticed 2 things:
terraform init -backend-config=SOMETHINGon. So I was unable to pull the existing state. This is why I moved the IAM role to the database module, which is deployed frominfra/api/databaseI then proceeded to deploy to
devand fix everything I could findDeployment
I've already deployed this to dev to test. It still doesn't fully deploy - for reasons I will solve in a different PR tomorrow.