

Update Terraform scripts to work with latest Terraform AWS provider a…
…nd RDS module Merge pull request #1001 from pli888/fix-terraform-error

The Terraform scripts now work with version 4.8.0 of the Terraform AWS provider and version 4.2.0 of the Terraform AWS RDS module.
rija authored Apr 1, 2022
2 parents 382c470 + 53a1693 commit a10b052
Showing 6 changed files with 38 additions and 49 deletions.
51 changes: 14 additions & 37 deletions docs/awsdocs/policy-rds.md
@@ -18,8 +18,7 @@ Policy Name: GigadbRDSAccess
"Sid": "AllowEC2Describe",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:DescribeSubnets"
"ec2:Describe*"
],
"Resource": "*"
},
@@ -60,7 +59,7 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "CreateRDSInstance",
"Sid": "CreateResourcesforRDSInstances",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
@@ -80,21 +79,21 @@ Policy Name: GigadbRDSAccess
"ec2:ModifyVpcAttribute",
"ec2:GetManagedPrefixListEntries",
"ec2:AssociateSubnetCidrBlock",
"ec2:GetManagedPrefixListAssociations",
"ec2:CreateNatGateway",
"rds:CreateDBParameterGroup",
"rds:CreateDBSubnetGroup",
"rds:AddTagsToResource",
"ec2:GetManagedPrefixListAssociations",
"ec2:CreateNatGateway"
"rds:ModifyDBParameterGroup",
"ram:GetResourceShareAssociations"
],
"Resource": "*"
},
{
"Sid": "CreateRDSInstancesWithRegionAndInstanceTypeRestriction",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:DownloadCompleteDBLogFile"
"rds:CreateDBInstance"
],
"Resource": "*",
"Condition": {
@@ -103,29 +102,13 @@ Policy Name: GigadbRDSAccess
"rds:DatabaseClass": "db.t3.micro",
"aws:RequestedRegion": [
"ap-east-1",
"ap-northeast-1"
"ap-northeast-1",
"ap-northeast-2",
"eu-west-3"
]
}
}
},
{
"Sid": "CreateRDSInstancesWithOwnerTagRestriction",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:DownloadCompleteDBLogFile"
],
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"aws:RequestTag/Owner": "${aws:username}"
}
}
},
{
"Sid": "RestoreDBInstanceToPointInTime",
"Effect": "Allow",
@@ -165,7 +148,7 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "DeleteDBSubnetWithOwnerTagRestriction",
"Sid": "ManageDBSubnetsWithOwnerTagRestriction",
"Action": [
"rds:ModifyDBSubnetGroup",
"rds:DeleteDBSubnetGroup",
@@ -212,22 +195,16 @@ Policy Name: GigadbRDSAccess
}
},
{
"Sid": "ManageDBParameterGroupWithOwnerTagRestriction",
"Sid": "ManageDBParameterGroupsWithOwnerTagRestriction",
"Action": [
"rds:CreateDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup",
"rds:DeleteDBParameterGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"rds:pg-tag/Owner": "${aws:username}",
"aws:RequestedRegion": [
"ap-east-1",
"ap-northeast-1"
]
"rds:pg-tag/Owner": "${aws:username}"
}
}
},
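Review bot: `rds:CreateDBParameterGroup` and `rds:ModifyDBParameterGroup` are now listed in `CreateResourcesforRDSInstances`, whose visible tail is `"Resource": "*"` followed directly by `},` with no `Condition`, so the Owner-tag condition kept in `ManageDBParameterGroupsWithOwnerTagRestriction` no longer constrains creating or modifying parameter groups — IAM unions Allow statements, and the unconditioned grant wins. The `aws:RequestedRegion` list that was removed from that tag-restricted statement likewise means parameter groups can now be created in any region, not only the ones the `rds:CreateDBInstance` statement still pins. Unless the newer provider genuinely needs the broad grant (the commit message does not say), I would drop the two `rds:*DBParameterGroup` actions from `CreateResourcesforRDSInstances` and keep them only in the tag-restricted statement, adding `"aws:RequestTag/Owner": "${aws:username}"` for the create action since `rds:pg-tag/Owner` is a resource-tag key that presumably cannot match a group that does not exist yet. If the broad grant is really required, a one-line comment beside the statement naming the provider call that needs it would stop the next reviewer from tightening it back. The `CreateResourcesforRDSInstances` statement and the start of its `Action` list lie outside this hunk.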
2 changes: 1 addition & 1 deletion ops/infrastructure/inventories/terraform-inventory.sh
@@ -3,4 +3,4 @@
# bash shell wrapper for terraform-inventory.
# How to install the https://github.com/adammck/terraform-inventory command:
# brew install terraform-inventory
terraform-inventory $@
terraform-inventory $@ ./
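Review bot: `$@` is unquoted on the new line, so any argument containing whitespace or glob characters is word-split and pathname-expanded before terraform-inventory sees it; the safe form is `terraform-inventory "$@" ./`. The appended `./` also silently fixes the state location to whatever directory the caller happens to be in, which the header comment should say, e.g. `# Reads Terraform state from the current working directory (./); pass --list or --host=NAME.` so callers know to cd into the environment directory first.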
1 change: 1 addition & 0 deletions ops/infrastructure/modules/rds-instance/input.tf
@@ -5,5 +5,6 @@ variable "gigadb_db_user" {}
variable "gigadb_db_password" {}
variable "vpc_id" {}
variable "rds_subnet_ids" {}
variable "vpc_database_subnet_group" {}
variable "snapshot_identifier" {}
variable "restore_to_point_in_time" {}
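Review bot: The new `vpc_database_subnet_group` variable, like its siblings, carries no `type` or `description`, so passing the wrong thing (for example the subnet ID list rather than the group name) is only caught when the provider rejects it at apply time; `variable "vpc_database_subnet_group" { type = string  description = "Name of the VPC database subnet group the RDS instance is placed in" }` documents the contract and fails at plan time instead. While in this file, the context line `variable "gigadb_db_password" {}` could also gain `sensitive = true` so the password is redacted from plan and apply output.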
13 changes: 8 additions & 5 deletions ops/infrastructure/modules/rds-instance/rds-instance.tf
@@ -28,18 +28,20 @@ module "db" {
snapshot_identifier = var.snapshot_identifier
restore_to_point_in_time = var.restore_to_point_in_time

name = var.gigadb_db_database
db_name = var.gigadb_db_database
username = var.gigadb_db_user
create_random_password = false
password = var.gigadb_db_password
port = 5432

subnet_ids = var.rds_subnet_ids
# Create this RDS instance in database subnet group in VPC
db_subnet_group_name = var.vpc_database_subnet_group
vpc_security_group_ids = [module.security_group.security_group_id]

create_db_option_group = false
create_db_parameter_group = false

parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null)
parameter_group_name = (var.deployment_target == "staging" ? aws_db_parameter_group.gigadb-db-param-group[0].name : null)
engine = "postgres"
engine_version = "11.13"
family = "postgres11" # DB parameter group
@@ -51,15 +53,16 @@ module "db" {
backup_window = "03:00-06:00" # UTC time
backup_retention_period = 5 # days
skip_final_snapshot = false # Create final snapshot
final_snapshot_identifier = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}"
final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}"
copy_tags_to_snapshot = true
delete_automated_backups = false # Do not delete backups on RDS instance termination
apply_immediately = true
}

resource "aws_db_parameter_group" "gigadb-db-param-group" {
count = var.deployment_target == "staging" ? 1 : 0
name = "gigadb-db-param-group"
name = "gigadb-db-param-group-${var.owner}"
description = "DB parameter group for staging server"
family = "postgres11"

parameter {
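Review bot: `final_snapshot_identifier_prefix` still carries `${local.tstamp}` even though, as far as I can tell from the v4 rds module's naming, the module already appends the instance identifier and a random suffix to this prefix, so the timestamp is redundant; and if `local.tstamp` (defined outside this hunk) is derived from `timestamp()`, the prefix changes on every plan and forces an in-place update of the instance on each apply. A stable prefix such as `final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}"` avoids both. Separately, replacing `subnet_ids` with `db_subnet_group_name` leaves `var.rds_subnet_ids` declared in this module but unused; either remove the variable or add a comment saying why it is kept. The `module "db"` block begins outside this hunk.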
18 changes: 13 additions & 5 deletions ops/infrastructure/terraform.tf
@@ -93,12 +93,12 @@ module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2"

name = "vpc-ape1-${var.deployment_target}-gigadb"
name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb-${data.external.callerUserName.result.userName}"
# CIDR block is a range of IPv4 addresses in the VPC. This cidr block below
# means that the main route table has the following routes: Destination =
# 10.99.0.0/18 , Target = local
cidr = "10.99.0.0/18"

# VPC spans all the availability zones in region
azs = data.aws_availability_zones.available.names

@@ -129,10 +129,11 @@ module "vpc" {
Name = "subnet-database"
}

# You can enable communication from internet to RDS is via an internet gateway
# RDS instance will be launched into database subnet
create_database_subnet_group = true
# You can enable communication from internet to RDS via an internet gateway
# to provide public access to RDS instance, but is not recommended for
# production! These parameters are all false so no public access to RDS
create_database_subnet_group = false
# production! The parameters below are all false so no public access to RDS
create_database_subnet_route_table = false
create_database_internet_gateway_route = false

@@ -150,7 +151,13 @@ module "vpc" {
# one_nat_gateway_per_az = false
}

output "vpc_id" {
value = module.vpc.vpc_id
}

output "vpc_database_subnet_group" {
value = module.vpc.database_subnet_group
}

# EC2 instance for hosting Docker Host
module "ec2_dockerhost" {
@@ -211,6 +218,7 @@ module "rds" {

vpc_id = module.vpc.vpc_id
rds_subnet_ids = module.vpc.database_subnets
vpc_database_subnet_group = module.vpc.database_subnet_group

gigadb_db_database = var.gigadb_db_database
gigadb_db_user = var.gigadb_db_user
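Review bot: The VPC `name` now embeds `data.external.callerUserName.result.userName`, i.e. the stdout of an external program defined outside this hunk, and nothing here checks that the value is non-empty or tag-safe before it becomes part of the `Name` tag and of every resource name derived from it. Guarding it once, e.g. `vpc_name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb-${regex("^[A-Za-z0-9+=,.@_-]+$", data.external.callerUserName.result.userName)}"` in a `locals` block, makes a bad or empty lookup fail at plan time instead of producing resources named `...-gigadb-`. Since every caller now gets a VPC of their own, a comment next to `cidr = "10.99.0.0/18"` noting that these per-user VPCs share one CIDR and therefore cannot be peered with each other would save a later surprise. The `module "vpc"` and `module "rds"` blocks both begin outside this hunk.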
2 changes: 1 addition & 1 deletion ops/scripts/ansible_init.sh
@@ -37,7 +37,7 @@ cp ../../dockerhost_playbook.yml .
cp ../../bastion_playbook.yml .

# Update Gitlab gigadb_db_host variable with RDS instance address from terraform-inventory
rds_inst_addr=$(../../inventories/terraform-inventory.sh --list | jq -r '.all.vars.rds_instance_address')
rds_inst_addr=$(../../inventories/terraform-inventory.sh --list ./ | jq -r '.all.vars.rds_instance_address')
curl -s --request PUT --header "PRIVATE-TOKEN: $GITLAB_PRIVATE_TOKEN" "$PROJECT_VARIABLES_URL/gigadb_db_host?filter%5benvironment_scope%5d=$target_environment" --form "value=$rds_inst_addr"
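Review bot: The new call passes `./` explicitly while the wrapper `terraform-inventory.sh` changed in this same commit already appends `./` to its arguments, so terraform-inventory now receives the path twice; keep it in one place (I would leave it to the wrapper and drop it here). Independently, nothing checks that the lookup succeeded: if the inventory is empty or the key is missing, `jq -r` prints `null` and the curl on the next line stores `null` as `gigadb_db_host` for the environment. A guard such as `[ -n "$rds_inst_addr" ] && [ "$rds_inst_addr" != "null" ] || { echo "rds_instance_address not found in terraform inventory" >&2; exit 1; }` before the PUT keeps a failed or partial apply from overwriting a working value. The script continues beyond this hunk.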

# Update properties file with values from GitLab so Ansible can configure the services
