From d3fccde048dc8299890e5c770948d537e79e2ad7 Mon Sep 17 00:00:00 2001
From: Benn Simon
Date: Fri, 17 May 2024 10:51:04 +0300
Subject: [PATCH] Update database replica configuration (#28)

- Removes conflicting variables.
- Adds `security_groups` option support on ingress block.
- Adds `Group` tag.
- Fix `postgresql_replicate_source_db` with default value being `null`.
---
 network.tf   | 13 ++++++++-----
 storage.tf   | 12 ++++++------
 variables.tf |  6 ++++++
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/network.tf b/network.tf
index 17fa993..c842c1d 100644
--- a/network.tf
+++ b/network.tf
@@ -4,10 +4,11 @@ resource "aws_security_group" "firewall_rule" {
 vpc_id = var.postgresql_vpc_id
 
 ingress {
- from_port = var.postgresql_port
- to_port = var.postgresql_port
- protocol = "tcp"
- cidr_blocks = var.postgresql_firewall_rule_ingress_cidr_blocks
+ from_port = var.postgresql_port
+ to_port = var.postgresql_port
+ protocol = "tcp"
+ security_groups = var.postgresql_firewall_rule_ingress_security_groups
+ cidr_blocks = var.postgresql_firewall_rule_ingress_cidr_blocks
 }
 
 egress {
@@ -31,6 +32,7 @@ resource "aws_security_group" "firewall_rule" {
 EndDate = var.postgresql_end_date
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
@@ -45,6 +47,7 @@ resource "aws_db_subnet_group" "main" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
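Review bot: The ingress block of `aws_security_group.firewall_rule` now carries both `security_groups` and `cidr_blocks`, but nothing in the hunk records how they combine: a single inline rule grants access to the union of both sources, and a caller that leaves both lists empty produces a rule with no source at all, which as far as I recall the AWS provider rejects at plan time. For a database tier the security-group reference is the safer default and CIDR ranges the exception, so that intent should be written down next to the rule, e.g. `# Access is the union of the referenced security groups and CIDR blocks; prefer security_groups and leave cidr_blocks empty unless a non-VPC client genuinely needs to reach the instance`. The egress block that begins at the end of the hunk continues outside it.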
@@ -55,5 +58,5 @@ resource "aws_route53_record" "main" {
 type = "CNAME"
 allow_overwrite = var.allow_dns_record_overwrite
 ttl = "300"
- records = [length(var.postgresql_source_snapshot_identifier) == 0 ? (length(var.postgresql_replicate_source_db) == 0 ? aws_db_instance.blank-database[0].address : aws_db_instance.replica-database[0].address) : aws_db_instance.from-snapshot[0].address]
+ records = [length(var.postgresql_source_snapshot_identifier) == 0 ? (var.postgresql_replicate_source_db == null ? aws_db_instance.blank-database[0].address : aws_db_instance.replica-database[0].address) : aws_db_instance.from-snapshot[0].address]
 }
diff --git a/storage.tf b/storage.tf
index 9feecba..b595ece 100644
--- a/storage.tf
+++ b/storage.tf
@@ -23,7 +23,7 @@ resource "aws_db_instance" "blank-database" {
 final_snapshot_identifier = var.postgresql_name
 backup_retention_period = var.postgresql_backup_retention_period
 backup_window = var.postgresql_backup_window
- replicate_source_db = length(var.postgresql_source_snapshot_identifier) == 0 && length(var.postgresql_replicate_source_db) != 0 ? var.postgresql_replicate_source_db : null
+ replicate_source_db = length(var.postgresql_source_snapshot_identifier) == 0 && var.postgresql_replicate_source_db != null ? var.postgresql_replicate_source_db : null
 publicly_accessible = var.postgresql_publicly_accessible
 performance_insights_enabled = var.postgresql_performance_insights_enabled
 enabled_cloudwatch_logs_exports = ["postgresql"]
@@ -35,6 +35,7 @@ resource "aws_db_instance" "blank-database" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
@@ -66,6 +67,7 @@ resource "aws_db_instance" "from-snapshot" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 
 lifecycle {
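Review bot: Replacing `length(var.postgresql_replicate_source_db) == 0` with `var.postgresql_replicate_source_db == null` in the `records` expression changes how an empty string is routed: `""` used to select `aws_db_instance.blank-database[0]` and now selects `aws_db_instance.replica-database[0]`, whose index is presumably only valid when a replica is actually created. The same null-only test is introduced in storage.tf at `@@ -23,7 +23,7` (`blank-database`), where the `!= null` half of the condition is also redundant because the false branch already yields `null`. If callers may still pass `""`, a check that accepts both the new null default and the old empty string, `var.postgresql_replicate_source_db == null || var.postgresql_replicate_source_db == ""`, keeps the previous routing in both places; whichever test is chosen, the `count` expressions that gate `blank-database` and `replica-database` are not in this diff and must use the identical test, otherwise `[0]` can be referenced on a resource whose count evaluated to 0.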
@@ -86,11 +88,7 @@ resource "aws_db_instance" "replica-database" {
 identifier = var.postgresql_name
 allocated_storage = var.postgresql_allocated_storage
 storage_type = var.postgresql_storage_type
- engine = "postgres"
- engine_version = var.postgresql_version
 instance_class = var.postgresql_instance_class
- db_name = var.postgresql_db_name
- username = var.postgresql_username
 parameter_group_name = aws_db_parameter_group.main.name
 db_subnet_group_name = aws_db_subnet_group.main.name
 deletion_protection = var.postgresql_deletion_protection
@@ -98,7 +96,6 @@ resource "aws_db_instance" "replica-database" {
 port = var.postgresql_port
 copy_tags_to_snapshot = var.postgresql_copy_tags_to_snapshot
 storage_encrypted = var.postgresql_storage_encrypted
- kms_key_id = aws_kms_key.main.arn
 vpc_security_group_ids = [aws_security_group.firewall_rule.id]
 replicate_source_db = var.is_promoted_to_standalone ? "" : var.postgresql_replicate_source_db
 publicly_accessible = var.postgresql_publicly_accessible
@@ -115,6 +112,7 @@ resource "aws_db_instance" "replica-database" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
@@ -175,6 +173,7 @@ resource "aws_db_parameter_group" "main" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
@@ -187,6 +186,7 @@ resource "aws_kms_key" "main" {
 ProjectList = var.postgresql_project
 DeploymentType = var.postgresql_deployment_type
 EndDate = var.postgresql_end_date
+ Group = "${var.postgresql_project}-${var.postgresql_env}"
 }
 }
 
diff --git a/variables.tf b/variables.tf
index 4acb11a..eef1872 100644
--- a/variables.tf
+++ b/variables.tf
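Review bot: Dropping `engine`, `engine_version`, `db_name` and `username` from `replica-database` is right while the instance is a replica, since those come from the source, but the same resource sets `replicate_source_db` to `""` when `var.is_promoted_to_standalone` is true (visible in the following hunk), and as far as I can tell a first apply in that state would ask the provider to create a standalone instance with no engine at all. The constraint that promotion is only meaningful for an instance that already exists as a replica is not recorded anywhere in the hunk; a comment on the resource such as `# engine, version, db_name and username are inherited from the source; is_promoted_to_standalone is only valid on an instance that was already created as a replica` would capture it, and a variable `validation` cannot express a cross-resource invariant like this, so the comment is the practical option. The resource body continues outside the hunk.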
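Review bot: Removing `kms_key_id` from `replica-database` while keeping `storage_encrypted` leaves the replica's encryption key undocumented: for a same-region replica RDS uses the source instance's key and does not accept a different one, so the removal is sound there, but a cross-region replica has to be given a key in the destination region, and nothing in the hunk says which case this module supports. Please record the decision inline, e.g. `# kms_key_id intentionally omitted: a same-region replica always inherits the source instance's KMS key; set one explicitly if this resource is ever used for a cross-region replica`, and state whether `storage_encrypted` is likewise treated as inherited for a replica. The resource continues outside the hunk.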
@@ -370,3 +370,9 @@ variable "allow_dns_record_overwrite" {
 default = false
 description = "Allow creation of this record in Terraform to overwrite an existing record, if any."
 }
+
+variable "postgresql_firewall_rule_ingress_security_groups" {
+ type = list(string)
+ default = []
+ description = "Security groups to allow to access the PostgreSQL instance"
+}
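Review bot: The new `postgresql_firewall_rule_ingress_security_groups` variable accepts any list of strings, so a typo, an ARN, or a group name instead of an id only surfaces at apply time inside the security-group rule rather than at plan time. If the module targets Terraform 0.13 or later, a `validation` block can reject malformed ids before anything is created; the description should also say that the entries are security-group ids (`sg-…`) and that the access they grant is in addition to `postgresql_firewall_rule_ingress_cidr_blocks`, since both feed the same ingress rule in network.tf. The form below avoids `alltrue` so it stays usable on 0.13.
```hcl
variable "postgresql_firewall_rule_ingress_security_groups" {
  type        = list(string)
  default     = []
  description = "Security group ids (sg-...) allowed to reach the PostgreSQL instance, in addition to postgresql_firewall_rule_ingress_cidr_blocks"

  validation {
    condition     = length([for sg in var.postgresql_firewall_rule_ingress_security_groups : sg if !can(regex("^sg-[0-9a-f]+$", sg))]) == 0
    error_message = "Every entry must be a security group id of the form sg-xxxxxxxx."
  }
}
```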