diff --git a/docs/awsdocs/policy-rds.md b/docs/awsdocs/policy-rds.md
index 5763217a24..8e3de65541 100644
--- a/docs/awsdocs/policy-rds.md
+++ b/docs/awsdocs/policy-rds.md
@@ -18,8 +18,7 @@ Policy Name: GigadbRDSAccess
       "Sid": "AllowEC2Describe",
       "Effect": "Allow",
       "Action": [
-        "ec2:Describe*",
-        "ec2:DescribeSubnets"
+        "ec2:Describe*"
       ],
       "Resource": "*"
     },
@@ -60,7 +59,7 @@ Policy Name: GigadbRDSAccess
       }
     },
     {
-      "Sid": "CreateRDSInstance",
+      "Sid": "CreateResourcesforRDSInstances",
       "Effect": "Allow",
       "Action": [
         "iam:CreateRole",
@@ -80,10 +79,13 @@ Policy Name: GigadbRDSAccess
         "ec2:ModifyVpcAttribute",
         "ec2:GetManagedPrefixListEntries",
         "ec2:AssociateSubnetCidrBlock",
+        "ec2:GetManagedPrefixListAssociations",
+        "ec2:CreateNatGateway",
+        "rds:CreateDBParameterGroup",
         "rds:CreateDBSubnetGroup",
         "rds:AddTagsToResource",
-        "ec2:GetManagedPrefixListAssociations",
-        "ec2:CreateNatGateway"
+        "rds:ModifyDBParameterGroup",
+        "ram:GetResourceShareAssociations"
       ],
       "Resource": "*"
     },
@@ -91,10 +93,7 @@ Policy Name: GigadbRDSAccess
       "Sid": "CreateRDSInstancesWithRegionAndInstanceTypeRestriction",
       "Effect": "Allow",
       "Action": [
-        "rds:CreateDBInstance",
-        "rds:CreateDBParameterGroup",
-        "rds:DeleteDBParameterGroup",
-        "rds:DownloadCompleteDBLogFile"
+        "rds:CreateDBInstance"
       ],
       "Resource": "*",
       "Condition": {
@@ -103,29 +102,13 @@ Policy Name: GigadbRDSAccess
           "rds:DatabaseClass": "db.t3.micro",
           "aws:RequestedRegion": [
             "ap-east-1",
-            "ap-northeast-1"
+            "ap-northeast-1",
+            "ap-northeast-2",
+            "eu-west-3"
           ]
         }
       }
     },
-    {
-      "Sid": "CreateRDSInstancesWithOwnerTagRestriction",
-      "Effect": "Allow",
-      "Action": [
-        "rds:CreateDBInstance",
-        "rds:CreateDBParameterGroup",
-        "rds:ModifyDBParameterGroup",
-        "rds:ResetDBParameterGroup",
-        "rds:DeleteDBParameterGroup",
-        "rds:DownloadCompleteDBLogFile"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEqualsIgnoreCase": {
-          "aws:RequestTag/Owner": "${aws:username}"
-        }
-      }
-    },
     {
       "Sid": "RestoreDBInstanceToPointInTime",
       "Effect": "Allow",
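Review bot: In the `CreateResourcesforRDSInstances` hunk (@@ -80,10 +79,13) `rds:CreateDBParameterGroup` and `rds:ModifyDBParameterGroup` are now allowed on `"Resource": "*"` with no Condition block, while before this change both were only reachable through the region/instance-class statement or the deleted `CreateRDSInstancesWithOwnerTagRestriction` statement (`"aws:RequestTag/Owner": "${aws:username}"`), and `ResetDBParameterGroup`/`DeleteDBParameterGroup` remain owner-tag gated. Any principal holding this policy can therefore create or modify a parameter group that belongs to another user, in any region, and then attach it to their own instance. Suggest moving `"rds:ModifyDBParameterGroup"` into the `ManageDBParameterGroupsWithOwnerTagRestriction` statement (`"rds:pg-tag/Owner": "${aws:username}"`) and keeping `"rds:CreateDBParameterGroup"` under an `"aws:RequestTag/Owner": "${aws:username}"` condition as the removed statement did. It is also worth confirming that `rds:DownloadCompleteDBLogFile` is meant to disappear from the policy entirely, since it only appeared in the two statements this change trims or deletes.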
@@ -165,7 +148,7 @@ Policy Name: GigadbRDSAccess
       }
     },
     {
-      "Sid": "DeleteDBSubnetWithOwnerTagRestriction",
+      "Sid": "ManageDBSubnetsWithOwnerTagRestriction",
       "Action": [
         "rds:ModifyDBSubnetGroup",
         "rds:DeleteDBSubnetGroup",
@@ -212,10 +195,8 @@ Policy Name: GigadbRDSAccess
       }
     },
     {
-      "Sid": "ManageDBParameterGroupWithOwnerTagRestriction",
+      "Sid": "ManageDBParameterGroupsWithOwnerTagRestriction",
       "Action": [
-        "rds:CreateDBParameterGroup",
-        "rds:ModifyDBParameterGroup",
         "rds:ResetDBParameterGroup",
         "rds:DeleteDBParameterGroup"
       ],
@@ -223,11 +204,7 @@ Policy Name: GigadbRDSAccess
       "Resource": "*",
       "Condition": {
         "StringEqualsIgnoreCase": {
-          "rds:pg-tag/Owner": "${aws:username}",
-          "aws:RequestedRegion": [
-            "ap-east-1",
-            "ap-northeast-1"
-          ]
+          "rds:pg-tag/Owner": "${aws:username}"
         }
       }
     },
diff --git a/ops/infrastructure/inventories/terraform-inventory.sh b/ops/infrastructure/inventories/terraform-inventory.sh
index fc5b982e7d..eb7cf20800 100755
--- a/ops/infrastructure/inventories/terraform-inventory.sh
+++ b/ops/infrastructure/inventories/terraform-inventory.sh
@@ -3,4 +3,4 @@
 # bash shell wrapper for terraform-inventory.
 # How to install the https://github.com/adammck/terraform-inventory command:
 # brew install terraform-inventory
-terraform-inventory $@
+terraform-inventory $@ ./
diff --git a/ops/infrastructure/modules/rds-instance/input.tf b/ops/infrastructure/modules/rds-instance/input.tf
index a043dbb5cf..71cbb81da6 100644
--- a/ops/infrastructure/modules/rds-instance/input.tf
+++ b/ops/infrastructure/modules/rds-instance/input.tf
@@ -5,5 +5,6 @@ variable "gigadb_db_user" {}
 variable "gigadb_db_password" {}
 variable "vpc_id" {}
 variable "rds_subnet_ids" {}
+variable "vpc_database_subnet_group" {}
 variable "snapshot_identifier" {}
 variable "restore_to_point_in_time" {}
\ No newline at end of file
diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf
index cbc3d2476e..5531207c30 100644
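Review bot: `terraform-inventory $@ ./` in the terraform-inventory.sh hunk leaves `$@` unquoted, so any argument containing whitespace is re-split before it reaches the tool; it should be `terraform-inventory "$@" ./`. Appending `./` unconditionally also means a caller that already passes a state path ends up sending two paths, so either the wrapper or the caller should supply it, not both. The `./` is presumably resolved against the caller's working directory rather than the script's own location, which is worth stating in the header, e.g. `# Reads Terraform state from the current working directory; run from the directory holding terraform.tfstate.`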
--- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -28,18 +28,20 @@ module "db" { snapshot_identifier = var.snapshot_identifier restore_to_point_in_time = var.restore_to_point_in_time - name = var.gigadb_db_database + db_name = var.gigadb_db_database username = var.gigadb_db_user + create_random_password = false password = var.gigadb_db_password port = 5432 - subnet_ids = var.rds_subnet_ids + # Create this RDS instance in database subnet group in VPC + db_subnet_group_name = var.vpc_database_subnet_group vpc_security_group_ids = [module.security_group.security_group_id] create_db_option_group = false create_db_parameter_group = false - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null) + parameter_group_name = (var.deployment_target == "staging" ? aws_db_parameter_group.gigadb-db-param-group[0].name : null) engine = "postgres" engine_version = "11.13" family = "postgres11" # DB parameter group @@ -51,7 +53,7 @@ module "db" { backup_window = "03:00-06:00" # UTC time backup_retention_period = 5 # days skip_final_snapshot = false # Create final snapshot - final_snapshot_identifier = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" + final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" copy_tags_to_snapshot = true delete_automated_backups = false # Do not delete backups on RDS instance termination apply_immediately = true @@ -59,7 +61,8 @@ module "db" { resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 - name = "gigadb-db-param-group" + name = "gigadb-db-param-group-${var.owner}" + description = "DB parameter group for staging server" family = "postgres11" parameter { diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 498a3d737a..cb2aac4a8d 100644 --- a/ops/infrastructure/terraform.tf 
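Review bot: With `create_random_password = false` and `password = var.gigadb_db_password` in the @@ -28,18 +28,20 hunk the database password is supplied in clear through a module variable that input.tf declares as a bare `variable "gigadb_db_password" {}`. If the Terraform version in use supports it, declare it as `variable "gigadb_db_password" { type = string sensitive = true }` so it is redacted from plan/apply output; it is still written to state, so access control and encryption on the state backend remain what actually protects it. In the same hunk `subnet_ids = var.rds_subnet_ids` is replaced by `db_subnet_group_name = var.vpc_database_subnet_group`, so `var.rds_subnet_ids` appears to be unused in this module unless it is referenced outside the hunk; if not, drop the variable and the `rds_subnet_ids =` argument in terraform.tf. The `module "db"` block begins before this hunk.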
+++ b/ops/infrastructure/terraform.tf @@ -93,12 +93,12 @@ module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 2" - name = "vpc-ape1-${var.deployment_target}-gigadb" + name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb-${data.external.callerUserName.result.userName}" # CIDR block is a range of IPv4 addresses in the VPC. This cidr block below # means that the main route table has the following routes: Destination = # 10.99.0.0/18 , Target = local cidr = "10.99.0.0/18" - + # VPC spans all the availability zones in region azs = data.aws_availability_zones.available.names @@ -129,10 +129,11 @@ module "vpc" { Name = "subnet-database" } - # You can enable communication from internet to RDS is via an internet gateway + # RDS instance will be launched into database subnet + create_database_subnet_group = true + # You can enable communication from internet to RDS via an internet gateway # to provide public access to RDS instance, but is not recommended for - # production! These parameters are all false so no public access to RDS - create_database_subnet_group = false + # production! The parameters below are all false so no public access to RDS create_database_subnet_route_table = false create_database_internet_gateway_route = false @@ -150,7 +151,13 @@ module "vpc" { # one_nat_gateway_per_az = false } +output "vpc_id" { + value = module.vpc.vpc_id +} +output "vpc_database_subnet_group" { + value = module.vpc.database_subnet_group +} # EC2 instance for hosting Docker Host module "ec2_dockerhost" { @@ -211,6 +218,7 @@ module "rds" { vpc_id = module.vpc.vpc_id rds_subnet_ids = module.vpc.database_subnets + vpc_database_subnet_group = module.vpc.database_subnet_group gigadb_db_database = var.gigadb_db_database gigadb_db_user = var.gigadb_db_user diff --git a/ops/scripts/ansible_init.sh b/ops/scripts/ansible_init.sh index d0050e1a6a..c0516096c5 100755 --- a/ops/scripts/ansible_init.sh +++ b/ops/scripts/ansible_init.sh 
@@ -37,7 +37,7 @@ cp ../../dockerhost_playbook.yml . cp ../../bastion_playbook.yml . # Update Gitlab gigadb_db_host variable with RDS instance address from terraform-inventory -rds_inst_addr=$(../../inventories/terraform-inventory.sh --list | jq -r '.all.vars.rds_instance_address') +rds_inst_addr=$(../../inventories/terraform-inventory.sh --list ./ | jq -r '.all.vars.rds_instance_address') curl -s --request PUT --header "PRIVATE-TOKEN: $GITLAB_PRIVATE_TOKEN" "$PROJECT_VARIABLES_URL/gigadb_db_host?filter%5benvironment_scope%5d=$target_environment" --form "value=$rds_inst_addr" # Update properties file with values from GitLab so Ansible can configure the services
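Review bot: The changed `rds_inst_addr=$(... | jq -r '.all.vars.rds_instance_address')` line has no check on the result, and `jq -r` prints the literal string `null` when the key is absent, so the following `curl ... --form "value=$rds_inst_addr"` would overwrite the GitLab `gigadb_db_host` variable with `null` (or an empty string if the wrapper fails). Add a guard before the PUT, e.g. `[ -n "$rds_inst_addr" ] && [ "$rds_inst_addr" != "null" ] || { echo "rds_instance_address not found in terraform inventory" >&2; exit 1; }`, and consider `--fail` on the curl so a rejected PUT is not silent. The `./` passed here is also appended again by the updated terraform-inventory.sh wrapper, so terraform-inventory receives the path twice; confirm it tolerates that or pass it from one place only. The script continues beyond this hunk.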