From 3a293d2ce3f696104cba9fdaf4b487726230f9b1 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Fri, 25 Mar 2022 10:48:31 +0800 Subject: [PATCH 01/16] Append owner name to DB parameter group This should enable each AWS user to create their own DB parameter group which will allow it to be deleted when terraform destroy is executed by any AWS user. --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index cbc3d2476e..5dee81fd45 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -39,7 +39,7 @@ module "db" { create_db_option_group = false create_db_parameter_group = false - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null) + parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group.name" : null) engine = "postgres" engine_version = "11.13" family = "postgres11" # DB parameter group @@ -59,7 +59,7 @@ module "db" { resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 - name = "gigadb-db-param-group" + name = "gigadb-db-param-group-${var.owner}" family = "postgres11" parameter { From c07a95dfbf225b5f036078817a8fac7acf8c4a3f Mon Sep 17 00:00:00 2001 From: Peter Li Date: Fri, 25 Mar 2022 13:42:10 +0800 Subject: [PATCH 02/16] Add regions for managing DBParameterGroups ap-northeast-1 is Japan which is the default regions used by HK developers. ap-northeast-2 is Seoul which is also for dev work. --- docs/awsdocs/policy-rds.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/awsdocs/policy-rds.md b/docs/awsdocs/policy-rds.md index 5763217a24..2d717146ef 100644 --- a/docs/awsdocs/policy-rds.md +++ b/docs/awsdocs/policy-rds.md 
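Review bot: The new `parameter_group_name` in the first hunk is the literal string `"gigadb-db-param-group.name"`, while the resource in the second hunk is now named `gigadb-db-param-group-${var.owner}`, so the instance is pointed at a group that never exists and there is no dependency edge forcing the group to be created before the instance. Reference the resource instead: `parameter_group_name = var.deployment_target == "staging" ? aws_db_parameter_group.gigadb-db-param-group[0].name : null`. Both hunks sit inside `module "db"` and the `aws_db_parameter_group` resource, whose bodies continue outside the hunk.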
@@ -226,7 +226,9 @@ Policy Name: GigadbRDSAccess "rds:pg-tag/Owner": "${aws:username}", "aws:RequestedRegion": [ "ap-east-1", - "ap-northeast-1" + "ap-northeast-1", + "ap-northeast-2", + "eu-west-3" ] } } From fd2f50080ddf02de6a1d2cf5a2f385c14e3cdf2b Mon Sep 17 00:00:00 2001 From: Peter Li Date: Mon, 28 Mar 2022 10:51:53 +0800 Subject: [PATCH 03/16] Update names of attributes to use latest AWS provider version --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index 5dee81fd45..309deba6fa 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -28,7 +28,7 @@ module "db" { snapshot_identifier = var.snapshot_identifier restore_to_point_in_time = var.restore_to_point_in_time - name = var.gigadb_db_database + db_name = var.gigadb_db_database username = var.gigadb_db_user password = var.gigadb_db_password port = 5432 @@ -39,7 +39,7 @@ module "db" { create_db_option_group = false create_db_parameter_group = false - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group.name" : null) + parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null) engine = "postgres" engine_version = "11.13" family = "postgres11" # DB parameter group @@ -51,7 +51,7 @@ module "db" { backup_window = "03:00-06:00" # UTC time backup_retention_period = 5 # days skip_final_snapshot = false # Create final snapshot - final_snapshot_identifier = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" + final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" copy_tags_to_snapshot = true delete_automated_backups = false # Do not delete backups on RDS instance termination apply_immediately = true 
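Review bot: `eu-west-3` is added to the `aws:RequestedRegion` list without any justification; the commit message only explains ap-northeast-1 and ap-northeast-2. Each region in this list is a region where the owner-scoped parameter-group actions of this statement become allowed, so every addition should carry its reason — either drop `eu-west-3` or record why it is needed next to the policy (for example a line in the surrounding markdown: `eu-west-3 (Paris) is enabled for ...`). The statement this list belongs to starts above the hunk.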
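Review bot: `final_snapshot_identifier_prefix` still embeds `${local.tstamp}`; `local.tstamp` is defined outside the hunk, and if it comes from `timestamp()` the value changes on every plan, giving a perpetual in-place diff on the instance. The terraform-aws-modules rds module appears to append its own unique suffix to a `*_prefix` input (confirm against the pinned module version), in which case the timestamp is redundant and `final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}"` is enough. The enclosing `module "db"` block continues outside the hunk.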
@@ -59,7 +59,7 @@ module "db" { resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 - name = "gigadb-db-param-group-${var.owner}" + name = "gigadb-db-param-group" family = "postgres11" parameter { From 088318802a9c69e69b7020dbc82186722e4e6b50 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Mon, 28 Mar 2022 12:40:13 +0800 Subject: [PATCH 04/16] Interpolate aws_region variable value into vpc name --- ops/infrastructure/terraform.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 498a3d737a..734eb89062 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf @@ -93,7 +93,7 @@ module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 2" - name = "vpc-ape1-${var.deployment_target}-gigadb" + name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb" # CIDR block is a range of IPv4 addresses in the VPC. This cidr block below # means that the main route table has the following routes: Destination = # 10.99.0.0/18 , Target = local From 296e19ef47e91724a9460c07937b1816a7061247 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Mon, 28 Mar 2022 21:28:35 +0800 Subject: [PATCH 05/16] Interpolate aws owner variable into DB parameter group name --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index 309deba6fa..ccfd5d43a0 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf 
@@ -39,7 +39,7 @@ module "db" { create_db_option_group = false create_db_parameter_group = false - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group" : null) + parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) engine = "postgres" engine_version = "11.13" family = "postgres11" # DB parameter group @@ -59,7 +59,7 @@ module "db" { resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 - name = "gigadb-db-param-group" + name = "gigadb-db-param-group-${var.owner}" family = "postgres11" parameter { From 3f5ce640e3ffaa6cc532964a58cfa23beaf73e2e Mon Sep 17 00:00:00 2001 From: Peter Li Date: Tue, 29 Mar 2022 13:16:43 +0800 Subject: [PATCH 06/16] WIP fix subnet problems --- .../modules/rds-instance/input.tf | 1 + .../modules/rds-instance/rds-instance.tf | 7 +- ops/infrastructure/terraform.tf | 89 ++++++++++--------- 3 files changed, 56 insertions(+), 41 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/input.tf b/ops/infrastructure/modules/rds-instance/input.tf index a043dbb5cf..71cbb81da6 100644 --- a/ops/infrastructure/modules/rds-instance/input.tf +++ b/ops/infrastructure/modules/rds-instance/input.tf @@ -5,5 +5,6 @@ variable "gigadb_db_user" {} variable "gigadb_db_password" {} variable "vpc_id" {} variable "rds_subnet_ids" {} +variable "vpc_database_subnet_group" {} variable "snapshot_identifier" {} variable "restore_to_point_in_time" {} \ No newline at end of file diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index ccfd5d43a0..8a0d16af0f 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf 
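Review bot: `name = "gigadb-db-param-group-${var.owner}"` interpolates the caller's IAM username unsanitised; RDS parameter-group names accept only letters, digits and hyphens and are stored lowercased (confirm against the AWS constraints), so an owner containing `.`, `@` or `_` fails at apply time and uppercase letters yield a name that differs from what Terraform recorded. Normalise it once, e.g. `name = "gigadb-db-param-group-${lower(replace(var.owner, "/[^a-zA-Z0-9-]/", "-"))}"`, and keep the module's `parameter_group_name` in the first hunk derived from the resource's `name` rather than repeating the string. The same concern applies to the `identifier` line that is context above the hunk. Both hunks are inside blocks that continue outside the hunk.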
@@ -21,6 +21,10 @@ module "security_group" { ] } +output "rds_security_group_vpc_id" { + value = var.vpc_id +} + module "db" { source = "terraform-aws-modules/rds/aws" identifier = "rds-server-${var.deployment_target}-${var.owner}" @@ -33,7 +37,8 @@ module "db" { password = var.gigadb_db_password port = 5432 - subnet_ids = var.rds_subnet_ids + # subnet_ids = var.rds_subnet_ids + db_subnet_group_name = var.vpc_database_subnet_group vpc_security_group_ids = [module.security_group.security_group_id] create_db_option_group = false diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 734eb89062..03da704468 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf @@ -98,7 +98,7 @@ module "vpc" { # means that the main route table has the following routes: Destination = # 10.99.0.0/18 , Target = local cidr = "10.99.0.0/18" - + # VPC spans all the availability zones in region azs = data.aws_availability_zones.available.names @@ -132,7 +132,7 @@ module "vpc" { # You can enable communication from internet to RDS is via an internet gateway # to provide public access to RDS instance, but is not recommended for # production! These parameters are all false so no public access to RDS - create_database_subnet_group = false + create_database_subnet_group = true create_database_subnet_route_table = false create_database_internet_gateway_route = false 
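Review bot: The added `output "rds_security_group_vpc_id"` merely echoes `var.vpc_id` and reads like a debugging aid, and the second hunk leaves `# subnet_ids = var.rds_subnet_ids` as dead commented code while `rds_subnet_ids` remains a required variable in input.tf. Either delete the commented line and the now-unused variable, or replace the commented line with a why-comment such as `# subnet_ids is intentionally unset: placement comes from the VPC module's database subnet group`. Module `db` continues outside the hunk.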
@@ -150,51 +150,59 @@ module "vpc" { # one_nat_gateway_per_az = false } - - -# EC2 instance for hosting Docker Host -module "ec2_dockerhost" { - source = "../../modules/aws-instance" - - owner = data.external.callerUserName.result.userName - deployment_target = var.deployment_target - key_name = var.key_name - eip_tag_name = "eip-gigadb-${var.deployment_target}-${data.external.callerUserName.result.userName}" - vpc_id = module.vpc.vpc_id - # Locate Dockerhost EC2 instance in public subnet so users can access website - # container app - public_subnet_id = module.vpc.public_subnets[0] -} - -output "ec2_public_ip" { - value = module.ec2_dockerhost.instance_public_ip_addr +output "vpc_id" { + value = module.vpc.vpc_id } -output "ec2_private_ip" { - value = module.ec2_dockerhost.instance_ip_addr +output "vpc_database_subnet_group" { + value = module.vpc.database_subnet_group } -# EC2 instance for bastion server to access RDS for PostgreSQL admin -module "ec2_bastion" { - source = "../../modules/bastion-aws-instance" - owner = data.external.callerUserName.result.userName - deployment_target = var.deployment_target - key_name = var.key_name - - # Bastion instance goes into a public subnet for developer access - vpc_id = module.vpc.vpc_id - public_subnet_id = module.vpc.public_subnets[0] -} -output "ec2_bastion_private_ip" { - value = module.ec2_bastion.bastion_private_ip -} +# EC2 instance for hosting Docker Host +#module "ec2_dockerhost" { +# source = "../../modules/aws-instance" +# +# owner = data.external.callerUserName.result.userName +# deployment_target = var.deployment_target +# key_name = var.key_name +# eip_tag_name = "eip-gigadb-${var.deployment_target}-${data.external.callerUserName.result.userName}" +# vpc_id = module.vpc.vpc_id +# # Locate Dockerhost EC2 instance in public subnet so users can access website +# # container app +# public_subnet_id = module.vpc.public_subnets[0] +#} + +#output "ec2_public_ip" { +# value = 
module.ec2_dockerhost.instance_public_ip_addr +#} +# +#output "ec2_private_ip" { +# value = module.ec2_dockerhost.instance_ip_addr +#} -output "ec2_bastion_public_ip" { - description = "Public IP address of the EC2 bastion instance" - value = module.ec2_bastion.bastion_public_ip -} +# EC2 instance for bastion server to access RDS for PostgreSQL admin +#module "ec2_bastion" { +# source = "../../modules/bastion-aws-instance" +# +# owner = data.external.callerUserName.result.userName +# deployment_target = var.deployment_target +# key_name = var.key_name +# +# # Bastion instance goes into a public subnet for developer access +# vpc_id = module.vpc.vpc_id +# public_subnet_id = module.vpc.public_subnets[0] +#} + +#output "ec2_bastion_private_ip" { +# value = module.ec2_bastion.bastion_private_ip +#} +# +#output "ec2_bastion_public_ip" { +# description = "Public IP address of the EC2 bastion instance" +# value = module.ec2_bastion.bastion_public_ip +#} # RDS instance for hosting GigaDB's PostgreSQL database module "rds" { @@ -211,6 +219,7 @@ module "rds" { vpc_id = module.vpc.vpc_id rds_subnet_ids = module.vpc.database_subnets + vpc_database_subnet_group = module.vpc.database_subnet_group gigadb_db_database = var.gigadb_db_database gigadb_db_user = var.gigadb_db_user From 9aa667402f09b724c882dd404afd313aedac3bf7 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Wed, 30 Mar 2022 09:53:49 +0800 Subject: [PATCH 07/16] WIP test DB parameter group creation --- .../modules/rds-instance/rds-instance.tf | 80 +++++++++---------- ops/infrastructure/terraform.tf | 6 +- 2 files changed, 43 insertions(+), 43 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index 8a0d16af0f..ff4e77960d 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf 
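Review bot: The `rds` module is now given both `rds_subnet_ids` and `vpc_database_subnet_group`, yet the module's `db` block in this series only consumes the subnet group, so `rds_subnet_ids = module.vpc.database_subnets` is a dangling input that will mislead the next reader. Remove it here and from the module's input.tf, or annotate it with the real reason it is kept, e.g. `# unused by rds-instance since the switch to db_subnet_group_name`. The `module "rds"` block continues outside the hunk.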
@@ -25,43 +25,6 @@ output "rds_security_group_vpc_id" { value = var.vpc_id } -module "db" { - source = "terraform-aws-modules/rds/aws" - identifier = "rds-server-${var.deployment_target}-${var.owner}" - - snapshot_identifier = var.snapshot_identifier - restore_to_point_in_time = var.restore_to_point_in_time - - db_name = var.gigadb_db_database - username = var.gigadb_db_user - password = var.gigadb_db_password - port = 5432 - - # subnet_ids = var.rds_subnet_ids - db_subnet_group_name = var.vpc_database_subnet_group - vpc_security_group_ids = [module.security_group.security_group_id] - - create_db_option_group = false - create_db_parameter_group = false - - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) - engine = "postgres" - engine_version = "11.13" - family = "postgres11" # DB parameter group - major_engine_version = "11" # DB option group - instance_class = "db.t3.micro" - allocated_storage = 8 - deletion_protection = false - maintenance_window = "Mon:00:00-Mon:03:00" - backup_window = "03:00-06:00" # UTC time - backup_retention_period = 5 # days - skip_final_snapshot = false # Create final snapshot - final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" - copy_tags_to_snapshot = true - delete_automated_backups = false # Do not delete backups on RDS instance termination - apply_immediately = true -} - resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 name = "gigadb-db-param-group-${var.owner}" 
@@ -80,6 +43,43 @@ resource "aws_db_parameter_group" "gigadb-db-param-group" { } } -output "rds_instance_address" { - value = module.db.db_instance_address -} +#module "db" { +# source = "terraform-aws-modules/rds/aws" +# identifier = "rds-server-${var.deployment_target}-${var.owner}" +# +# snapshot_identifier = var.snapshot_identifier +# restore_to_point_in_time = var.restore_to_point_in_time +# +# db_name = var.gigadb_db_database +# username = var.gigadb_db_user +# password = var.gigadb_db_password +# port = 5432 +# +# # subnet_ids = var.rds_subnet_ids +# db_subnet_group_name = var.vpc_database_subnet_group +# vpc_security_group_ids = [module.security_group.security_group_id] +# +# create_db_option_group = false +# create_db_parameter_group = false +# +# parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) +# engine = "postgres" +# engine_version = "11.13" +# family = "postgres11" # DB parameter group +# major_engine_version = "11" # DB option group +# instance_class = "db.t3.micro" +# allocated_storage = 8 +# deletion_protection = false +# maintenance_window = "Mon:00:00-Mon:03:00" +# backup_window = "03:00-06:00" # UTC time +# backup_retention_period = 5 # days +# skip_final_snapshot = false # Create final snapshot +# final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" +# copy_tags_to_snapshot = true +# delete_automated_backups = false # Do not delete backups on RDS instance termination +# apply_immediately = true +#} + +#output "rds_instance_address" { +# value = module.db.db_instance_address +#} diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 03da704468..bdfbe602f8 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf 
@@ -229,6 +229,6 @@ module "rds" { # of bastion server and ec2_dockerhost instance. } -output "rds_instance_address" { - value = module.rds.rds_instance_address -} +#output "rds_instance_address" { +# value = module.rds.rds_instance_address +#} From c4e2d6d37d9c45f8e70355421c7880bcb794fda9 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Wed, 30 Mar 2022 13:01:56 +0800 Subject: [PATCH 08/16] Create wip-policy-rds.md This is a WIP for an updated policy-rds.md that is more tidy. N.B. That rds:ModifyDBParameterGroup is in the CreateResourcesforRDSInstances section. For some unknown reason, I will not work in the ManageDBParameterGroupsWithOwnerTagRestriction section. --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index ff4e77960d..253827e694 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -28,6 +28,7 @@ output "rds_security_group_vpc_id" { resource "aws_db_parameter_group" "gigadb-db-param-group" { count = var.deployment_target == "staging" ? 1 : 0 name = "gigadb-db-param-group-${var.owner}" + description = "DB parameter group for staging server" family = "postgres11" parameter { From 4f7c053dd3ed5e63fb0852c83aa50d5d0d9b801a Mon Sep 17 00:00:00 2001 From: Peter Li Date: Wed, 30 Mar 2022 13:23:09 +0800 Subject: [PATCH 09/16] Update tf file to use latest Terraform AWS module version --- .../modules/rds-instance/rds-instance.tf | 80 +++++++++---------- 1 file changed, 38 insertions(+), 42 deletions(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index 253827e694..5741ccdc02 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf 
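Review bot: Commenting out `output "rds_instance_address"` breaks `ops/scripts/ansible_init.sh`, which reads `.all.vars.rds_instance_address` from terraform-inventory with `jq -r` and would then push the string `null` to GitLab as `gigadb_db_host`. If the output must be disabled during this WIP, leave a marker beside it, `# TODO restore rds_instance_address output before running ansible_init.sh`, or make the script fail when the value is missing.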
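Review bot: The `aws_db_parameter_group` resource still sets no `tags`, which is the likely reason the commit message reports that `rds:ModifyDBParameterGroup` "will not work" under the `rds:pg-tag/Owner` condition: that condition can only match a group carrying an `Owner` tag, and nothing here adds one (unless the provider's `default_tags` does — confirm). Adding `tags = { Owner = var.owner }` next to the new `description` lets the owner-scoped IAM statement work as designed, instead of relaxing the policy. The resource body continues outside the hunk.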
@@ -21,8 +21,41 @@ module "security_group" { ] } -output "rds_security_group_vpc_id" { - value = var.vpc_id +module "db" { + source = "terraform-aws-modules/rds/aws" + identifier = "rds-server-${var.deployment_target}-${var.owner}" + + snapshot_identifier = var.snapshot_identifier + restore_to_point_in_time = var.restore_to_point_in_time + + db_name = var.gigadb_db_database + username = var.gigadb_db_user + password = var.gigadb_db_password + port = 5432 + + # Create this RDS instance in database subnet group in VPC + db_subnet_group_name = var.vpc_database_subnet_group + vpc_security_group_ids = [module.security_group.security_group_id] + + create_db_option_group = false + create_db_parameter_group = false + + parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) + engine = "postgres" + engine_version = "11.13" + family = "postgres11" # DB parameter group + major_engine_version = "11" # DB option group + instance_class = "db.t3.micro" + allocated_storage = 8 + deletion_protection = false + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" # UTC time + backup_retention_period = 5 # days + skip_final_snapshot = false # Create final snapshot + final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" + copy_tags_to_snapshot = true + delete_automated_backups = false # Do not delete backups on RDS instance termination + apply_immediately = true } resource "aws_db_parameter_group" "gigadb-db-param-group" { 
@@ -44,43 +77,6 @@ resource "aws_db_parameter_group" "gigadb-db-param-group" { } } -#module "db" { -# source = "terraform-aws-modules/rds/aws" -# identifier = "rds-server-${var.deployment_target}-${var.owner}" -# -# snapshot_identifier = var.snapshot_identifier -# restore_to_point_in_time = var.restore_to_point_in_time -# -# db_name = var.gigadb_db_database -# username = var.gigadb_db_user -# password = var.gigadb_db_password -# port = 5432 -# -# # subnet_ids = var.rds_subnet_ids -# db_subnet_group_name = var.vpc_database_subnet_group -# vpc_security_group_ids = [module.security_group.security_group_id] -# -# create_db_option_group = false -# create_db_parameter_group = false -# -# parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) -# engine = "postgres" -# engine_version = "11.13" -# family = "postgres11" # DB parameter group -# major_engine_version = "11" # DB option group -# instance_class = "db.t3.micro" -# allocated_storage = 8 -# deletion_protection = false -# maintenance_window = "Mon:00:00-Mon:03:00" -# backup_window = "03:00-06:00" # UTC time -# backup_retention_period = 5 # days -# skip_final_snapshot = false # Create final snapshot -# final_snapshot_identifier_prefix = "snapshot-final-${var.deployment_target}-${var.owner}-${local.tstamp}" -# copy_tags_to_snapshot = true -# delete_automated_backups = false # Do not delete backups on RDS instance termination -# apply_immediately = true -#} - -#output "rds_instance_address" { -# value = module.db.db_instance_address -#} +output "rds_instance_address" { + value = module.db.db_instance_address +} From ddb5ed02957531a1efe2a9887a50e5689c7f3106 Mon Sep 17 00:00:00 2001 
From: Peter Li Date: Wed, 30 Mar 2022 20:49:04 +0800 Subject: [PATCH 10/16] Use reference to name of aws_db_parameter_group This reference is to provide the name of the gigadb db parameter group for the parameter_group_name variable in db module. --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index 5741ccdc02..ea54934708 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -40,7 +40,7 @@ module "db" { create_db_option_group = false create_db_parameter_group = false - parameter_group_name = (var.deployment_target == "staging" ? "gigadb-db-param-group-${var.owner}" : null) + parameter_group_name = (var.deployment_target == "staging" ? aws_db_parameter_group.gigadb-db-param-group[0].name : null) engine = "postgres" engine_version = "11.13" family = "postgres11" # DB parameter group From f33cb2da4921b8cfbc6510b28e916260aa0ef638 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Wed, 30 Mar 2022 21:31:41 +0800 Subject: [PATCH 11/16] Uncomment bastion and dockerhost modules --- ops/infrastructure/terraform.tf | 86 ++++++++++++++++----------------- 1 file changed, 42 insertions(+), 44 deletions(-) diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index bdfbe602f8..1443fe9549 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf 
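Review bot: The resource reference fixes the ordering problem, but the staging test is now written twice — once in the resource's `count` and again in this conditional — and the `[0]` index relies on Terraform discarding errors from the unselected branch. With Terraform 0.15+ a single expression covers both cases: `parameter_group_name = one(aws_db_parameter_group.gigadb-db-param-group[*].name)`, which yields null when `count` is 0. Module `db` continues outside the hunk.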
@@ -158,51 +158,49 @@ output "vpc_database_subnet_group" { value = module.vpc.database_subnet_group } +# EC2 instance for hosting Docker Host +module "ec2_dockerhost" { + source = "../../modules/aws-instance" + + owner = data.external.callerUserName.result.userName + deployment_target = var.deployment_target + key_name = var.key_name + eip_tag_name = "eip-gigadb-${var.deployment_target}-${data.external.callerUserName.result.userName}" + vpc_id = module.vpc.vpc_id + # Locate Dockerhost EC2 instance in public subnet so users can access website + # container app + public_subnet_id = module.vpc.public_subnets[0] +} +output "ec2_public_ip" { + value = module.ec2_dockerhost.instance_public_ip_addr +} -# EC2 instance for hosting Docker Host -#module "ec2_dockerhost" { -# source = "../../modules/aws-instance" -# -# owner = data.external.callerUserName.result.userName -# deployment_target = var.deployment_target -# key_name = var.key_name -# eip_tag_name = "eip-gigadb-${var.deployment_target}-${data.external.callerUserName.result.userName}" -# vpc_id = module.vpc.vpc_id -# # Locate Dockerhost EC2 instance in public subnet so users can access website -# # container app -# public_subnet_id = module.vpc.public_subnets[0] -#} - -#output "ec2_public_ip" { -# value = module.ec2_dockerhost.instance_public_ip_addr -#} -# -#output "ec2_private_ip" { -# value = module.ec2_dockerhost.instance_ip_addr -#} +output "ec2_private_ip" { + value = module.ec2_dockerhost.instance_ip_addr +} # EC2 instance for bastion server to access RDS for PostgreSQL admin -#module "ec2_bastion" { -# source = "../../modules/bastion-aws-instance" -# -# owner = data.external.callerUserName.result.userName -# deployment_target = var.deployment_target -# key_name = var.key_name -# -# # Bastion instance goes into a public subnet for developer access -# vpc_id = module.vpc.vpc_id -# public_subnet_id = module.vpc.public_subnets[0] -#} - -#output "ec2_bastion_private_ip" { -# value = 
module.ec2_bastion.bastion_private_ip -#} -# -#output "ec2_bastion_public_ip" { -# description = "Public IP address of the EC2 bastion instance" -# value = module.ec2_bastion.bastion_public_ip -#} +module "ec2_bastion" { + source = "../../modules/bastion-aws-instance" + + owner = data.external.callerUserName.result.userName + deployment_target = var.deployment_target + key_name = var.key_name + + # Bastion instance goes into a public subnet for developer access + vpc_id = module.vpc.vpc_id + public_subnet_id = module.vpc.public_subnets[0] +} + +output "ec2_bastion_private_ip" { + value = module.ec2_bastion.bastion_private_ip +} + +output "ec2_bastion_public_ip" { + description = "Public IP address of the EC2 bastion instance" + value = module.ec2_bastion.bastion_public_ip +} # RDS instance for hosting GigaDB's PostgreSQL database module "rds" { @@ -229,6 +227,6 @@ module "rds" { # of bastion server and ec2_dockerhost instance. } -#output "rds_instance_address" { -# value = module.rds.rds_instance_address -#} +output "rds_instance_address" { + value = module.rds.rds_instance_address +} From 509f557655395654c7b603efd91ce987a9177dfc Mon Sep 17 00:00:00 2001 From: Peter Li Date: Wed, 30 Mar 2022 22:04:34 +0800 Subject: [PATCH 12/16] Update RDS IAM policy CreateDBParameterGroup permission moved to CreateResourcesforRDSInstances section. CreateDBParameterGroup was originally in ManageDBParameterGroupsWithOwnerTagRestriction section but this was causing problems with creating DB parameter groups. --- docs/awsdocs/policy-rds.md | 53 ++++++++++---------------------------- 1 file changed, 14 insertions(+), 39 deletions(-) diff --git a/docs/awsdocs/policy-rds.md b/docs/awsdocs/policy-rds.md index 2d717146ef..8e3de65541 100644 --- a/docs/awsdocs/policy-rds.md +++ b/docs/awsdocs/policy-rds.md @@ -18,8 +18,7 @@ Policy Name: GigadbRDSAccess "Sid": "AllowEC2Describe", "Effect": "Allow", "Action": [ - "ec2:Describe*", - "ec2:DescribeSubnets" + "ec2:Describe*" ], "Resource": "*" }, 
@@ -60,7 +59,7 @@ Policy Name: GigadbRDSAccess } }, { - "Sid": "CreateRDSInstance", + "Sid": "CreateResourcesforRDSInstances", "Effect": "Allow", "Action": [ "iam:CreateRole", @@ -80,10 +79,13 @@ Policy Name: GigadbRDSAccess "ec2:ModifyVpcAttribute", "ec2:GetManagedPrefixListEntries", "ec2:AssociateSubnetCidrBlock", + "ec2:GetManagedPrefixListAssociations", + "ec2:CreateNatGateway", + "rds:CreateDBParameterGroup", "rds:CreateDBSubnetGroup", "rds:AddTagsToResource", - "ec2:GetManagedPrefixListAssociations", - "ec2:CreateNatGateway" + "rds:ModifyDBParameterGroup", + "ram:GetResourceShareAssociations" ], "Resource": "*" }, @@ -91,10 +93,7 @@ Policy Name: GigadbRDSAccess "Sid": "CreateRDSInstancesWithRegionAndInstanceTypeRestriction", "Effect": "Allow", "Action": [ - "rds:CreateDBInstance", - "rds:CreateDBParameterGroup", - "rds:DeleteDBParameterGroup", - "rds:DownloadCompleteDBLogFile" + "rds:CreateDBInstance" ], "Resource": "*", "Condition": { @@ -103,29 +102,13 @@ Policy Name: GigadbRDSAccess "rds:DatabaseClass": "db.t3.micro", "aws:RequestedRegion": [ "ap-east-1", - "ap-northeast-1" + "ap-northeast-1", + "ap-northeast-2", + "eu-west-3" ] } } }, - { - "Sid": "CreateRDSInstancesWithOwnerTagRestriction", - "Effect": "Allow", - "Action": [ - "rds:CreateDBInstance", - "rds:CreateDBParameterGroup", - "rds:ModifyDBParameterGroup", - "rds:ResetDBParameterGroup", - "rds:DeleteDBParameterGroup", - "rds:DownloadCompleteDBLogFile" - ], - "Resource": "*", - "Condition": { - "StringEqualsIgnoreCase": { - "aws:RequestTag/Owner": "${aws:username}" - } - } - }, { "Sid": "RestoreDBInstanceToPointInTime", "Effect": "Allow", @@ -165,7 +148,7 @@ Policy Name: GigadbRDSAccess } }, { - "Sid": "DeleteDBSubnetWithOwnerTagRestriction", + "Sid": "ManageDBSubnetsWithOwnerTagRestriction", "Action": [ "rds:ModifyDBSubnetGroup", "rds:DeleteDBSubnetGroup", 
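Review bot: `rds:CreateDBParameterGroup` and `rds:ModifyDBParameterGroup` are moved into a statement with `"Resource": "*"` and no `Condition`, so any holder of this policy can now create parameter groups in any region and modify every parameter group in the account, including other developers' and any shared one; their previous placement at least required `rds:pg-tag/Owner` to match. The likelier root cause of the "does not work" problem is that the Terraform `aws_db_parameter_group` resource carries no `Owner` tag, so the fix is to tag it and keep Create behind `"aws:RequestTag/Owner": "${aws:username}"` as the deleted `CreateRDSInstancesWithOwnerTagRestriction` statement did. `ram:GetResourceShareAssociations` is also granted without explanation. The statement starts above the hunk.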
@@ -212,10 +195,8 @@ Policy Name: GigadbRDSAccess } }, { - "Sid": "ManageDBParameterGroupWithOwnerTagRestriction", + "Sid": "ManageDBParameterGroupsWithOwnerTagRestriction", "Action": [ - "rds:CreateDBParameterGroup", - "rds:ModifyDBParameterGroup", "rds:ResetDBParameterGroup", "rds:DeleteDBParameterGroup" ], @@ -223,13 +204,7 @@ Policy Name: GigadbRDSAccess "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { - "rds:pg-tag/Owner": "${aws:username}", - "aws:RequestedRegion": [ - "ap-east-1", - "ap-northeast-1", - "ap-northeast-2", - "eu-west-3" - ] + "rds:pg-tag/Owner": "${aws:username}" } } }, From 024854d7d5864b9c519f782aed6fea23d173f0d2 Mon Sep 17 00:00:00 2001 From: Peter Li Date: Thu, 31 Mar 2022 13:56:23 +0800 Subject: [PATCH 13/16] Fix Error reading tfstate file: 0.12 format Seems like we need to provide the path to the directory with the .tfstate file. Adding ./ does this. See https://github.com/adammck/terraform-inventory/issues/121 --- ops/infrastructure/inventories/terraform-inventory.sh | 2 +- ops/scripts/ansible_init.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ops/infrastructure/inventories/terraform-inventory.sh b/ops/infrastructure/inventories/terraform-inventory.sh index fc5b982e7d..eb7cf20800 100755 --- a/ops/infrastructure/inventories/terraform-inventory.sh +++ b/ops/infrastructure/inventories/terraform-inventory.sh @@ -3,4 +3,4 @@ # bash shell wrapper for terraform-inventory. # How to install the https://github.com/adammck/terraform-inventory command: # brew install terraform-inventory -terraform-inventory $@ +terraform-inventory $@ ./ diff --git a/ops/scripts/ansible_init.sh b/ops/scripts/ansible_init.sh index d0050e1a6a..c0516096c5 100755 --- a/ops/scripts/ansible_init.sh +++ b/ops/scripts/ansible_init.sh 
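Review bot: Dropping `aws:RequestedRegion` from `ManageDBParameterGroupsWithOwnerTagRestriction` allows `rds:ResetDBParameterGroup` and `rds:DeleteDBParameterGroup` in every region, wider than the four-region list the create statement in the same policy enforces. If the intent is only to let owners delete their own groups where they are created, keep the list here too: `"aws:RequestedRegion": ["ap-east-1", "ap-northeast-1", "ap-northeast-2", "eu-west-3"]` inside the existing `StringEqualsIgnoreCase` block. The statement starts above the hunk.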
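Review bot: `terraform-inventory $@ ./` leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split by the shell; write `terraform-inventory "$@" ./`. Note also that `ops/scripts/ansible_init.sh` in the next hunk now appends `./` as well, so the tool is invoked as `terraform-inventory --list ./ ./`; the path should be supplied in one place only.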
@@ -37,7 +37,7 @@ cp ../../dockerhost_playbook.yml . cp ../../bastion_playbook.yml . # Update Gitlab gigadb_db_host variable with RDS instance address from terraform-inventory -rds_inst_addr=$(../../inventories/terraform-inventory.sh --list | jq -r '.all.vars.rds_instance_address') +rds_inst_addr=$(../../inventories/terraform-inventory.sh --list ./ | jq -r '.all.vars.rds_instance_address') curl -s --request PUT --header "PRIVATE-TOKEN: $GITLAB_PRIVATE_TOKEN" "$PROJECT_VARIABLES_URL/gigadb_db_host?filter%5benvironment_scope%5d=$target_environment" --form "value=$rds_inst_addr" # Update properties file with values from GitLab so Ansible can configure the services From 2c9eb0a2c49697feb68036487cb7a6534753934b Mon Sep 17 00:00:00 2001 From: Peter Li Date: Thu, 31 Mar 2022 14:01:58 +0800 Subject: [PATCH 14/16] Fix random password used to access RDS instance --- ops/infrastructure/modules/rds-instance/rds-instance.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/ops/infrastructure/modules/rds-instance/rds-instance.tf b/ops/infrastructure/modules/rds-instance/rds-instance.tf index ea54934708..5531207c30 100644 --- a/ops/infrastructure/modules/rds-instance/rds-instance.tf +++ b/ops/infrastructure/modules/rds-instance/rds-instance.tf @@ -30,6 +30,7 @@ module "db" { db_name = var.gigadb_db_database username = var.gigadb_db_user + create_random_password = false password = var.gigadb_db_password port = 5432 From 6e31bf2f22cc560f15abee27e911a25608a8cb9f Mon Sep 17 00:00:00 2001 From: Peter Li Date: Thu, 31 Mar 2022 14:03:10 +0800 Subject: [PATCH 15/16] Add AWS username to VPC name --- ops/infrastructure/terraform.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 1443fe9549..16c9e41acb 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf 
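Review bot: This call passes `./` to a wrapper that itself appends `./` (previous hunk), so terraform-inventory receives the path twice; whether it ignores the duplicate or errors depends on its argument parsing, so keep the path in one place. Separately, `$rds_inst_addr` is written to GitLab without checking that jq found a value — a missing output yields the string `null` — so guard it with `[ -n "$rds_inst_addr" ] && [ "$rds_inst_addr" != "null" ] || { echo "rds_instance_address not found in inventory" >&2; exit 1; }` before the `curl`.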
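Review bot: With `create_random_password = false` the master password is exactly `var.gigadb_db_password`, which the input.tf hunk earlier in this series declares as `variable "gigadb_db_password" {}` without `sensitive = true`, so the value appears in plan/apply output and CI logs. Mark the variable sensitive (Terraform 0.14+), or keep the module's random password and read it from the module's password output. The password is stored in Terraform state in either case, so the state backend must be access-controlled. Module `db` continues outside the hunk.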
@@ -93,7 +93,7 @@ module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 2" - name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb" + name = "vpc-${var.aws_region}-${var.deployment_target}-gigadb-${data.external.callerUserName.result.userName}" # CIDR block is a range of IPv4 addresses in the VPC. This cidr block below # means that the main route table has the following routes: Destination = # 10.99.0.0/18 , Target = local From 53a16937648c8b7d01fd9a1c5a9b8fa1b0bf48bf Mon Sep 17 00:00:00 2001 From: Peter Li Date: Fri, 1 Apr 2022 21:49:28 +0800 Subject: [PATCH 16/16] Tidy up comments providing info re: database subnet --- ops/infrastructure/terraform.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ops/infrastructure/terraform.tf b/ops/infrastructure/terraform.tf index 16c9e41acb..cb2aac4a8d 100644 --- a/ops/infrastructure/terraform.tf +++ b/ops/infrastructure/terraform.tf @@ -129,10 +129,11 @@ module "vpc" { Name = "subnet-database" } - # You can enable communication from internet to RDS is via an internet gateway - # to provide public access to RDS instance, but is not recommended for - # production! These parameters are all false so no public access to RDS + # RDS instance will be launched into database subnet create_database_subnet_group = true + # You can enable communication from internet to RDS via an internet gateway + # to provide public access to RDS instance, but is not recommended for + # production! The parameters below are all false so no public access to RDS create_database_subnet_route_table = false create_database_internet_gateway_route = false