Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Issue 1267] Adds foreign data wrapper security group permissions #1271

Merged
merged 2 commits into from
Feb 20, 2024
Merged

[Issue 1267] Adds foreign data wrapper security group permissions #1271

merged 2 commits into from
Feb 20, 2024

Conversation

coilysiren
Copy link
Collaborator

@coilysiren coilysiren commented Feb 16, 2024
edited
Loading

Summary

Helps with #1267

Time to review: 2 mins

Changes proposed

  • Adds permissions for the database to query Oracle on port 1521, via means of the foreign data wrapper.
  • Renames a variable since it won't be exclusively used for DMS anymore

Relevant terraform plan output

  # module.database.aws_vpc_security_group_egress_rule.egress_to_oracle will be created
  + resource "aws_vpc_security_group_egress_rule" "egress_to_oracle" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "10.220.0.0/16"
      + description            = "Allow Orcale I/O into database"
      + from_port              = 1521
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = "sg-0011e7397e1025c78"
      + security_group_rule_id = (known after apply)
      + tags_all               = {
          + "description"         = "Database resources for the dev environment"
          + "environment"         = "dev"
          + "owner"               = "navapbc"
          + "project"             = "simpler-grants-gov"
          + "repository"          = "https://github.com/HHS/simpler-grants-gov"
          + "terraform"           = "true"
          + "terraform_workspace" = "default"
        }
      + to_port                = 1521
    }

  # module.database.aws_vpc_security_group_ingress_rule.ingress_from_oracle will be created
  + resource "aws_vpc_security_group_ingress_rule" "ingress_from_oracle" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "10.220.0.0/16"
      + description            = "Allow Orcale I/O into database"
      + from_port              = 1521
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = "sg-0011e7397e1025c78"
      + security_group_rule_id = (known after apply)
      + tags_all               = {
          + "description"         = "Database resources for the dev environment"
          + "environment"         = "dev"
          + "owner"               = "navapbc"
          + "project"             = "simpler-grants-gov"
          + "repository"          = "https://github.com/HHS/simpler-grants-gov"
          + "terraform"           = "true"
          + "terraform_workspace" = "default"
        }
      + to_port                = 1521
    }

Testing

image

@coilysiren coilysiren self-assigned this Feb 16, 2024
@coilysiren coilysiren changed the title Adds foreign data wrapper security group permissions [Issue 1267] Adds foreign data wrapper security group permissions Feb 16, 2024
@coilysiren coilysiren marked this pull request as ready for review February 16, 2024 21:49
aplybeah
aplybeah reviewed Feb 20, 2024
View reviewed changes
infra/project-config/main.tf
second_octet = 0 # The second octet our the VPC CIDR block
dms_source_cidr_block = "10.220.0.0/16" # MicroHealth cidr block, where the origin database for the DMS is located
vpc_name = "dev"
second_octet = 0 # The second octet our the VPC CIDR block
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocker: I would appreciate some clarity on this comment

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aplybeah a VPC CIDR is composed of 4 octets, eg. A.B.C.D. This value is the 2nd octet for our VPC CIDRs. It's the B in A.B.C.D. This specific one is the 0 in 10.0.0.0.

Does that explain the comment? The comment is intentionally succinct because it relies on the reader having previous knowledge of what a "octet VPC CIDR" is.

aplybeah
aplybeah reviewed Feb 20, 2024
View reviewed changes
infra/modules/dms-networking/main.tf
our_target_cidr_block = var.dms_target_cidr_block # our [Nava] cidr block, where the target database for the DMS is located
their_source_cidr_block = var.dms_source_cidr_block # their [MicroHealth] cidr block, where the origin database for the DMS is located
our_target_cidr_block = var.dms_target_cidr_block # our [Nava] cidr block, where the target database for the DMS is located
their_source_cidr_block = var.grants_gov_oracle_cidr_block # their [MicroHealth] cidr block, where the origin database for the DMS is located
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non-blcker: What else is this cidr going to be used for?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aplybeah I/O for the foreign data wrapper, which is what this PR is allowing.

@coilysiren coilysiren requested a review from aplybeah February 20, 2024 16:43
@coilysiren coilysiren merged commit 6cdc644 into main Feb 20, 2024
7 checks passed
@coilysiren coilysiren deleted the fdw-sg branch February 20, 2024 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aplybeah aplybeah aplybeah approved these changes

@jamesbursa jamesbursa Awaiting requested review from jamesbursa

Assignees

@coilysiren coilysiren

Labels
terraform
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@coilysiren @aplybeah