Enabled encryption on production database. (#20)

codeforamerica · Apr 18, 2023 · 5cd1525 · 5cd1525
1 parent 240634e
commit 5cd1525
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/environments/production/main.tf b/environments/production/main.tf
@@ -45,6 +45,9 @@ module "hosting" {
   database_max_capacity    = 3
   database_min_capacity    = 2
 
+  # Snapshot created in order to enable encryption at rest.
+  database_starting_snapshot = "r911-production-encrypt"
+
   environment_variables = {
     LAUNCHY_DRY_RUN : true,
     BROWSER : "/dev/null",

diff --git a/modules/data_warehouse/redshift.tf b/modules/data_warehouse/redshift.tf
@@ -11,6 +11,7 @@ resource "aws_redshiftserverless_namespace" "warehouse" {
 resource "aws_redshiftserverless_workgroup" "warehouse" {
   namespace_name       = aws_redshiftserverless_namespace.warehouse.namespace_name
   workgroup_name       = "${local.prefix}-warehouse"
+  base_capacity        = var.base_rpu
   enhanced_vpc_routing = true
   publicly_accessible  = false
   security_group_ids = [

diff --git a/modules/data_warehouse/variables.tf b/modules/data_warehouse/variables.tf
@@ -1,3 +1,9 @@
+variable "base_rpu" {
+  type = number
+  default = 32
+  description = "The base Redshift processing units (RSU) to assign to the Redshift cluster."
+}
+
 variable "data_lake_bucket" {
   type        = string
   description = "Name of the bucket to be used as a data lake."

diff --git a/modules/rails_hosting/rds.tf b/modules/rails_hosting/rds.tf
@@ -10,9 +10,9 @@ resource "aws_rds_cluster" "db" {
   db_subnet_group_name      = aws_db_subnet_group.db.name
   engine                    = "aurora-postgresql"
   engine_mode               = "provisioned"
-  engine_version            = "14.3"
   vpc_security_group_ids    = [aws_security_group.db_access.id]
   skip_final_snapshot       = var.skip_db_final_snapshot
+  final_snapshot_identifier = "${local.prefix}-final-snapshot"
   copy_tags_to_snapshot     = true
   snapshot_identifier       = var.database_starting_snapshot
 
@@ -32,7 +32,7 @@ resource "aws_rds_cluster" "db" {
 
   lifecycle {
     create_before_destroy = true
-    ignore_changes        = [cluster_identifier_prefix, master_password]
+    ignore_changes        = [master_password]
   }
 }