From a44ded3a93afad0aea32a92d688ba1fe0e6ad584 Mon Sep 17 00:00:00 2001 
From: Vijay John Stephen Date: Fri, 1 Nov 2024 20:00:07 +0530 Subject: [PATCH] add examples for RDS proxy, RDS , Aurora Cluster and Aurora serverless --- README.md | 38 +++-- aurora-cluster.tf | 35 +++-- common.tf | 22 ++- docs/example/README.md | 83 ---------- docs/module-usage-guide/README.md | 28 +++- example/.terraform.lock.hcl | 89 ----------- example/README.md | 47 ------ example/main.tf | 125 --------------- example/variables.tf | 54 ------- .../aurora-serverless}/.terraform-version | 0 .../aurora-serverless/.terraform.lock.hcl | 65 ++++++++ examples/aurora-serverless/README.md | 50 ++++++ .../aurora-serverless}/data.tf | 24 +-- examples/aurora-serverless/main.tf | 93 ++++++++++++ examples/aurora-serverless/output.tf | 49 ++++++ examples/aurora-serverless/variables.tf | 20 +++ examples/aurora/.terraform-version | 1 + examples/aurora/.terraform.lock.hcl | 65 ++++++++ examples/aurora/README.md | 50 ++++++ examples/aurora/data.tf | 24 +++ examples/aurora/main.tf | 58 +++++++ examples/aurora/output.tf | 49 ++++++ examples/aurora/variables.tf | 20 +++ examples/rds-proxy/.terraform-version | 1 + examples/rds-proxy/.terraform.lock.hcl | 65 ++++++++ examples/rds-proxy/README.md | 50 ++++++ examples/rds-proxy/data.tf | 24 +++ examples/rds-proxy/main.tf | 142 ++++++++++++++++++ examples/rds-proxy/output.tf | 49 ++++++ examples/rds-proxy/variables.tf | 20 +++ examples/rds/.terraform-version | 1 + examples/rds/.terraform.lock.hcl | 65 ++++++++ examples/rds/README.md | 50 ++++++ examples/rds/data.tf | 20 +++ examples/rds/main.tf | 79 ++++++++++ examples/rds/output.tf | 49 ++++++ examples/rds/variables.tf | 20 +++ locals.tf | 12 +- main.tf | 8 +- outputs.tf | 129 ++++++---------- proxy.tf | 22 +-- variables.tf | 52 ++----- 42 files changed, 1362 insertions(+), 585 deletions(-) delete mode 100644 docs/example/README.md delete mode 100644 example/.terraform.lock.hcl delete mode 100644 example/README.md delete mode 100644 example/main.tf delete mode 100644 
example/variables.tf
rename {example => examples/aurora-serverless}/.terraform-version (100%)
create mode 100644 examples/aurora-serverless/.terraform.lock.hcl
create mode 100644 examples/aurora-serverless/README.md
rename {example => examples/aurora-serverless}/data.tf (51%)
create mode 100644 examples/aurora-serverless/main.tf
create mode 100644 examples/aurora-serverless/output.tf
create mode 100644 examples/aurora-serverless/variables.tf
create mode 100644 examples/aurora/.terraform-version
create mode 100644 examples/aurora/.terraform.lock.hcl
create mode 100644 examples/aurora/README.md
create mode 100644 examples/aurora/data.tf
create mode 100644 examples/aurora/main.tf
create mode 100644 examples/aurora/output.tf
create mode 100644 examples/aurora/variables.tf
create mode 100644 examples/rds-proxy/.terraform-version
create mode 100644 examples/rds-proxy/.terraform.lock.hcl
create mode 100644 examples/rds-proxy/README.md
create mode 100644 examples/rds-proxy/data.tf
create mode 100644 examples/rds-proxy/main.tf
create mode 100644 examples/rds-proxy/output.tf
create mode 100644 examples/rds-proxy/variables.tf
create mode 100644 examples/rds/.terraform-version
create mode 100644 examples/rds/.terraform.lock.hcl
create mode 100644 examples/rds/README.md
create mode 100644 examples/rds/data.tf
create mode 100644 examples/rds/main.tf
create mode 100644 examples/rds/output.tf
create mode 100644 examples/rds/variables.tf
diff --git a/README.md b/README.md
index a774b38..4f5af53 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ ## Overview
-The SourceFuse AWS Reference Architecture (ARC) Terraform module offers a comprehensive solution for efficiently managing Aurora and RDS (Relational Database Service) instances within the Amazon Web Services (AWS) environment. This Terraform module is designed to streamline the provisioning, configuration, and management of these database instances, leveraging best practices.
+The SourceFuse AWS Reference Architecture (ARC) Terraform module offers a comprehensive solution for efficiently managing Aurora, RDS cluster, RDS proxy and RDS (Relational Database Service) instances within the Amazon Web Services (AWS) environment. This Terraform module is designed to streamline the provisioning, configuration, and management of these database instances, leveraging best practices.
 For more information about this repository and its usage, please see [Terraform AWS ARC DB Usage Guide](https://github.com/sourcefuse/terraform-aws-arc-db/blob/main/docs/module-usage-guide/README.md).
@@ -52,11 +52,12 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter | [aws_db_proxy_default_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group) | resource | | [aws_db_proxy_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_target) | resource | | [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | -| [aws_iam_policy.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.read_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.attach_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | 
@@ -66,6 +67,7 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter | [aws_secretsmanager_secret_version.db_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_ssm_parameter.database_creds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [random_password.master](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [aws_iam_policy.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_kms_alias.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | ## Inputs @@ -83,53 +85,63 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter | [database\_name](#input\_database\_name) | The name of the database to create when the cluster is created. | `string` | `null` | no | | [db\_cluster\_parameter\_group\_name](#input\_db\_cluster\_parameter\_group\_name) | (optional) A cluster parameter group to associate with the cluster. | `string` | `null` | no | | [db\_instance\_parameter\_group\_name](#input\_db\_instance\_parameter\_group\_name) | (optional) Instance parameter group to associate with all instances of the DB cluster. The db\_instance\_parameter\_group\_name parameter is only valid in combination with the allow\_major\_version\_upgrade parameter. | `string` | `null` | no | +| [db\_server\_class](#input\_db\_server\_class) | Instance class for RDS instance | `string` | `"db.t3.medium"` | no | | [db\_subnet\_group\_data](#input\_db\_subnet\_group\_data) | (optional) DB Subnet Group details |
object({
name = string
create = optional(bool, false)
description = optional(string, null)
subnet_ids = optional(list(string), [])
})
| n/a | yes | | [delete\_automated\_backups](#input\_delete\_automated\_backups) | (optional) Specifies whether to remove automated backups immediately after the DB cluster is deleted. Default is true. | `string` | `true` | no | | [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection for the DB cluster. | `bool` | `false` | no | | [enable\_multi\_az](#input\_enable\_multi\_az) | Whether to enable Multi-AZ deployment for the RDS instance. | `bool` | `false` | no | | [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to CloudWatch Logs. Valid values: audit, error, general, slowquery. | `list(string)` | `[]` | no | -| [engine](#input\_engine) | The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql). | `string` | `"aurora-postgresql"` | no | +| [engine](#input\_engine) | The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql). | `string` | n/a | yes | | [engine\_lifecycle\_support](#input\_engine\_lifecycle\_support) | (optional) The life cycle type for this DB instance. This setting is valid for cluster types Aurora DB clusters and Multi-AZ DB clusters. Valid values are open-source-rds-extended-support, open-source-rds-extended-support-disabled. Default value is open-source-rds-extended-support | `string` | `"open-source-rds-extended-support"` | no | | [engine\_mode](#input\_engine\_mode) | (optional) Database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), parallelquery, provisioned, serverless. Defaults to: provisioned
Note :- For Serverless V2 , engine\_mode should be "provisioned" but for simplecity "serverless" is expected
Refer : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rds-serverless-v2-cluster | `string` | `"provisioned"` | no | -| [engine\_type](#input\_engine\_type) | (optional) Engine type, valid values are 'rds' or 'aurora' | `string` | n/a | yes | +| [engine\_type](#input\_engine\_type) | (optional) Engine type, valid values are 'rds' or 'cluster' | `string` | n/a | yes | | [engine\_version](#input\_engine\_version) | The version of the database engine to use. | `string` | n/a | yes | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes | | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | (optional) Name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. | `string` | `null` | no | | [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Enable IAM database authentication for the RDS cluster. | `bool` | `false` | no | -| [instance\_class](#input\_instance\_class) | Instance class for RDS instance | `string` | n/a | yes | -| [iops](#input\_iops) | The amount of provisioned IOPS. Required if using io1 storage type. | `number` | `1000` | no | +| [iops](#input\_iops) | The amount of provisioned IOPS. Required if using io1 storage type. | `number` | `0` | no | | [kms\_data](#input\_kms\_data) | Configuration for KMS key settings for RDS encryption and performance insights:
- create: (Optional) If true, a new KMS key is created.
- kms\_key\_id: (Optional) The ID of an existing KMS key for RDS encryption. If null it used AWS managed keys
- performance\_insights\_kms\_key\_id: (Optional) Key ID for Performance Insights. If null it used AWS managed keys
- description: (Optional) description for the KMS key.
- policy: (Optional) Specific policy for the KMS key.
- deletion\_window\_in\_days: (Optional) Number of days before deletion, default is 7.
- enable\_key\_rotation: (Optional) Enables key rotation for security; defaults to true. |
object({
create = optional(bool, true)
kms_key_id = optional(string, null)
performance_insights_kms_key_id = optional(string, null)
name = optional(string, null)
description = optional(string, null)
policy = optional(string, null)
deletion_window_in_days = optional(number, 7)
enable_key_rotation = optional(bool, true)
})
|
{
"create": false
}
| no | | [license\_model](#input\_license\_model) | The license model for the DB instance (e.g., license-included, bring-your-own-license, general-public-license). | `string` | n/a | yes | -| [manage\_user\_password](#input\_manage\_user\_password) | (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided. | `bool` | `false` | no | -| [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60. | `number` | `60` | no | +| [manage\_user\_password](#input\_manage\_user\_password) | (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided."
null - is equal to 'false', don't set it to false , known bug : https://github.com/hashicorp/terraform-provider-aws/issues/31179 | `bool` | `null` | no | +| [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no | | [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that allows RDS to send Enhanced Monitoring metrics to CloudWatch Logs. | `string` | `null` | no | | [name](#input\_name) | The identifier for the RDS instance or cluster. | `string` | n/a | yes | | [namespace](#input\_namespace) | Namespace for the resources. | `string` | n/a | yes | | [network\_type](#input\_network\_type) | (optional) Network type of the cluster. Valid values: IPV4, DUAL. | `string` | `"IPV4"` | no | | [option\_group\_config](#input\_option\_group\_config) | Configuration for RDS option group, with attributes to create or specify a group name, engine details, and database options including settings, ports, and versions. |
object({
create = optional(bool, false)
name = optional(string, null)
engine_name = optional(string)
major_engine_version = optional(string)
description = optional(string, "Managed by Terraform")
options = map(object({
option_name = string
port = number
version = string
option_settings = map(object({
name = string
value = string
}))
}))
})
|
{
"name": null,
"options": {}
}
| no | | [parameter\_group\_config](#input\_parameter\_group\_config) | Configuration for RDS parameter group, with options to create or specify a group name, family, and a map of database parameters including settings and apply methods. |
object({
create = optional(bool, false)
name = optional(string, null)
family = optional(string)
description = optional(string, "Managed by Terraform")
parameters = map(object({
name = string
value = string
apply_method = optional(string, "immediate") # Options: "immediate" or "pending-reboot"
}))
})
|
{
"name": null,
"parameters": {}
}
| no | -| [password](#input\_password) | The master password for the database. | `string` | `null` | no | +| [password](#input\_password) | The password for the database. | `string` | `null` | no | | [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | (optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | `bool` | `false` | no | -| [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | (optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Specifies the KMS Key ID to encrypt Performance Insights data. If not specified, the default RDS KMS key will be used (aws/rds). | `string` | `"aws/rds"` | no | | [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The retention period (in days) for Performance Insights data. Valid values are 7, 731, or any value between 8 and 730. | `number` | `7` | no | | [port](#input\_port) | Port on which the DB accepts connections | `number` | n/a | yes | | [preferred\_backup\_window](#input\_preferred\_backup\_window) | The daily time range during which backups are taken. | `string` | `"07:00-09:00"` | no | | [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | The weekly time range during which maintenance can occur. | `string` | `"sun:06:00-sun:07:00"` | no | | [proxy\_config](#input\_proxy\_config) | Configuration object for setting up an AWS RDS Proxy. It includes options for creating the proxy, connection pooling, authentication, and other proxy-specific settings.

- **create** (optional): A boolean that determines whether to create the RDS Proxy resource. Defaults to false.
- **name** (optional): The name of the RDS Proxy. If not specified, Terraform will create a default name.
- **engine\_family**: The database engine family for the proxy (e.g., "MYSQL", "POSTGRESQL").
- **vpc\_subnet\_ids**: List of VPC subnet IDs in which the proxy will be deployed.
- **security\_group\_data**: List of security groups to associate with the RDS Proxy.
- **require\_tls** (optional): Boolean flag to enforce the use of TLS for client connections to the proxy. Defaults to false.
- **debug\_logging** (optional): Boolean flag to enable debug logging for the proxy. Defaults to false.
- **idle\_client\_timeout\_secs** (optional): Number of seconds before the proxy closes idle client connections. The minimum is 60 seconds (1 minute), and the maximum is 28,800 seconds (8 hours). Defaults to 1,800 seconds (30 minutes).
- **role\_arn** (optional): The ARN of the IAM role used by the proxy for accessing database credentials in AWS Secrets Manager. If null, Terraform will create a new IAM role.

Authentication settings:
- **auth.auth\_scheme**: The authentication scheme to use (e.g., "SECRETS").
- **auth.description** (optional): A description of the authentication method. Defaults to null.
- **auth.iam\_auth** (optional): Specifies whether to use IAM authentication for the proxy. Defaults to "DISABLED".
- **auth.secret\_arn**: The ARN of the AWS Secrets Manager secret that contains the database credentials.
- **auth.client\_password\_auth\_type**: Specifies the password authentication type for the database.

Connection pool configuration:
- **connection\_pool\_config.connection\_borrow\_timeout** (optional): The amount of time (in seconds) a client connection can be held open before being returned to the pool. Defaults to 5 seconds.
- **connection\_pool\_config.init\_query** (optional): An optional initialization query executed when a connection is first established. Defaults to null.
- **connection\_pool\_config.max\_connections\_percent** (optional): The maximum percentage of available database connections that the proxy can use. Defaults to 100%.
- **connection\_pool\_config.max\_idle\_connections\_percent** (optional): The maximum percentage of idle database connections that the proxy can keep open. Defaults to 50%.
- **connection\_pool\_config.session\_pinning\_filters** (optional): List of filters for controlling session pinning behavior. Defaults to an empty list. |
object({
create = optional(bool, false)
name = optional(string, null)
engine_family = string
vpc_subnet_ids = list(string)
require_tls = optional(bool, false)
debug_logging = optional(bool, false)
idle_client_timeout_secs = optional(number, 30 * 60) // in seconds The minimum is 1 minute and the maximum is 8 hours.
role_arn = optional(string, null) // null value will create new role
auth = object({
auth_scheme = string
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})
additional_auth_list = optional(list(object({
auth_scheme = string
secret_arn = optional(string, null)
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})), [])
connection_pool_config = object({
connection_borrow_timeout = optional(number, 5)
init_query = optional(string, null)
max_connections_percent = optional(number, 100)
max_idle_connections_percent = optional(number, 50)
session_pinning_filters = optional(list(string), [])
})
security_group_data = optional(object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
self = optional(bool, false)
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}))
})
|
{
"auth": null,
"connection_pool_config": null,
"create": false,
"engine_family": "POSTGRESQL",
"security_group_data": {
"create": false
},
"vpc_subnet_ids": []
}
| no | | [publicly\_accessible](#input\_publicly\_accessible) | Whether the RDS instance should be publicly accessible. | `bool` | `false` | no | -| [rds\_cluster\_instances](#input\_rds\_cluster\_instances) | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings."
name: Optional. Name of the instance (default: null).
instance\_class: The instance class for the RDS instance (e.g., db.r5.large).
availability\_zone: Optional. Specifies the availability zone for the instance (default: null).
publicly\_accessible: Optional. Whether the instance is publicly accessible (default: false).
db\_parameter\_group\_name: Optional. The name of the DB parameter group to associate with the instance (default: null).
apply\_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false).
preferred\_maintenance\_window: Optional. The weekly maintenance window for the instance (default: null).
auto\_minor\_version\_upgrade: Optional. Automatically apply minor version upgrades (default: true).
ca\_cert\_identifier: Optional. Identifier for the CA certificate for the instance (default: null).
monitoring\_interval: Optional. Monitoring interval for Enhanced Monitoring (default: 0 - disabled).
monitoring\_role\_arn: Optional. The ARN of the IAM role used for Enhanced Monitoring (default: null).
performance\_insights\_enabled: Optional. Whether to enable Performance Insights (default: false).
performance\_insights\_kms\_key\_id: Optional. KMS key ID for Performance Insights encryption (default: null).
performance\_insights\_retention\_period: Optional. Retention period for Performance Insights data (default: 7 days).
promotion\_tier: Optional. Promotion tier for the instance within the cluster (default: 0).
copy\_tags\_to\_snapshot: Optional. Copy tags to snapshots (default: true). |
list(object({
name = optional(string, null)
instance_class = string
availability_zone = optional(string, null)
publicly_accessible = optional(bool, false)
db_parameter_group_name = optional(string, null)
# apply_immediately = optional(bool, false)
# preferred_maintenance_window = optional(string, null)
# auto_minor_version_upgrade = optional(bool, true)
# ca_cert_identifier = optional(string, null)
# monitoring_interval = optional(number, 0) // 0 - disabled
# monitoring_role_arn = optional(string, null)
# performance_insights_enabled = optional(bool, false)
# performance_insights_kms_key_id = optional(string, null)
# performance_insights_retention_period = optional(number, 7)
promotion_tier = optional(number, 0)
copy_tags_to_snapshot = optional(bool, true)
}))
| `[]` | no | +| [rds\_cluster\_instances](#input\_rds\_cluster\_instances) | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings."
name: Optional. Name of the instance (default: null).
instance\_class: The instance class for the RDS instance (e.g., db.r5.large).
availability\_zone: Optional. Specifies the availability zone for the instance (default: null).
publicly\_accessible: Optional. Whether the instance is publicly accessible (default: false).
db\_parameter\_group\_name: Optional. The name of the DB parameter group to associate with the instance (default: null).
apply\_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false).
preferred\_maintenance\_window: Optional. The weekly maintenance window for the instance (default: null).
auto\_minor\_version\_upgrade: Optional. Automatically apply minor version upgrades (default: true).
ca\_cert\_identifier: Optional. Identifier for the CA certificate for the instance (default: null).
monitoring\_interval: Optional. Monitoring interval for Enhanced Monitoring (default: 0 - disabled).
monitoring\_role\_arn: Optional. The ARN of the IAM role used for Enhanced Monitoring (default: null).
performance\_insights\_enabled: Optional. Whether to enable Performance Insights (default: false).
performance\_insights\_kms\_key\_id: Optional. KMS key ID for Performance Insights encryption (default: null).
performance\_insights\_retention\_period: Optional. Retention period for Performance Insights data (default: 7 days).
promotion\_tier: Optional. Promotion tier for the instance within the cluster (default: 0).
copy\_tags\_to\_snapshot: Optional. Copy tags to snapshots (default: true). |
list(object({
name = optional(string, null)
instance_class = string
availability_zone = optional(string, null)
publicly_accessible = optional(bool, false)
db_parameter_group_name = optional(string, null)
promotion_tier = optional(number, 0)
copy_tags_to_snapshot = optional(bool, true)
}))
| `[]` | no | | [security\_group\_data](#input\_security\_group\_data) | (optional) Security Group data |
object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
})
|
{
"create": false
}
| no | | [serverlessv2\_scaling\_config](#input\_serverlessv2\_scaling\_config) | Configuration for Serverless V2 scaling:
- max\_capacity: (Required) The maximum ACU capacity for scaling (e.g., 256.0).
- min\_capacity: (Required) The minimum ACU capacity for scaling (e.g., 0.5). |
object({
max_capacity = number
min_capacity = number
})
|
{
"max_capacity": 1,
"min_capacity": 0.5
}
| no | | [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | (optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false. | `string` | `true` | no | | [storage\_encrypted](#input\_storage\_encrypted) | Whether to enable storage encryption. | `bool` | `true` | no | | [storage\_type](#input\_storage\_type) | (optional) Required for Multi-AZ DB cluster) (Forces new for Multi-AZ DB clusters) Specifies the storage type to be associated with the DB cluster. For Aurora DB clusters, storage\_type modifications can be done in-place. For Multi-AZ DB Clusters, the iops argument must also be set. Valid values are: "", aurora-iopt1 (Aurora DB Clusters); io1, io2 (Multi-AZ DB Clusters). Default: "" (Aurora DB Clusters); io1 (Multi-AZ DB Clusters). | `string` | `""` | no | | [tags](#input\_tags) | A map of tags to assign to the DB Cluster. | `map(string)` | `{}` | no | -| [username](#input\_username) | The master username for the database. | `string` | n/a | yes | +| [username](#input\_username) | The username for the database. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | VPC Id for creating security group | `string` | n/a | yes | ## Outputs -No outputs. 
+| Name | Description |
+|------|-------------|
+| [arn](#output\_arn) | Instance or Cluster ARN |
+| [database](#output\_database) | database name |
+| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint |
+| [id](#output\_id) | Instance or Cluster ID |
+| [identifier](#output\_identifier) | Instance or Cluster Identifier |
+| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KM Key ID |
+| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring role arn |
+| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance insight KM Key ID |
+| [port](#output\_port) | Dtabase server port |
+| [username](#output\_username) | Username for the Database |
 ## Development
diff --git a/aurora-cluster.tf b/aurora-cluster.tf
index 226aac5..ec4fe09 100644
--- a/aurora-cluster.tf
+++ b/aurora-cluster.tf
@@ -1,5 +1,6 @@
 resource "random_password" "master" {
- count = var.password == null && var.manage_user_password == false ? 1 : 0
+ count = var.password == null && var.manage_user_password == null ? 1 : 0
+
 length = 41
 special = true
 override_special = "!#*^"
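Review bot: The `count` on `random_password.master` now fires only when `manage_user_password` is exactly `null`, so a caller who explicitly passes `false` — a legal value for a `bool` variable — gets no generated password while the cluster's `master_password` in the next hunk also resolves to `var.password`, i.e. null, with `manage_master_user_password = false`; the README row for this variable documents the null-means-false convention but nothing enforces it. A `validation { condition = var.manage_user_password != false ... }` block on the variable in variables.tf (not in view here) would turn that into a plan-time error, or both expressions could test `var.manage_user_password != true` so an explicit `false` behaves like the documented default. Since the README points at a provider issue as the reason `false` is avoided, the validation route looks like the safer of the two. The resource body continues past the end of the hunk.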
@@ -20,19 +21,23 @@ resource "random_password" "master" {
 }
 resource "aws_rds_cluster" "this" {
+ count = var.engine_type == "cluster" ? 1 : 0
+
 cluster_identifier = var.name
 engine = var.engine
 engine_version = var.engine_version
- engine_mode = var.engine_mode
+ engine_mode = var.engine_mode == "serverless" ? "provisioned" : var.engine_mode
 port = var.port
 master_username = var.username
- master_password = var.password == null && var.manage_user_password == false ? random_password.master[0].result : var.password
+ master_password = var.password == null && var.manage_user_password == null ? random_password.master[0].result : var.password
 manage_master_user_password = var.manage_user_password
 database_name = var.database_name
+ db_cluster_instance_class = strcontains(var.engine, "aurora") ? null : var.db_server_class
 vpc_security_group_ids = local.security_group_ids_to_attach
 db_subnet_group_name = var.db_subnet_group_data.name
 db_cluster_parameter_group_name = var.db_cluster_parameter_group_name
 db_instance_parameter_group_name = var.db_instance_parameter_group_name
+ allocated_storage = strcontains(var.engine, "aurora") ? null : var.allocated_storage
 backup_retention_period = var.backup_retention_period
 preferred_backup_window = var.preferred_backup_window
 preferred_maintenance_window = var.preferred_maintenance_window
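Review bot: Adding `count` to `aws_rds_cluster.this` changes the resource address from `aws_rds_cluster.this` to `aws_rds_cluster.this[0]`, so an existing deployment upgrading to this version plans a destroy of the old address and a create of the new one — a replacement of the database — and with the module defaults of `deletion_protection = false` and `skip_final_snapshot = true` shown in the README inputs table nothing would block it. A `moved { from = aws_rds_cluster.this  to = aws_rds_cluster.this[0] }` block next to the resource keeps the state entry; the same applies to the `aws_iam_policy.enhanced_monitoring` → `aws_iam_policy.logs` rename in common.tf. Separately, `strcontains(var.engine, "aurora")` is evaluated on both the `db_cluster_instance_class` and `allocated_storage` lines and would read better as one `local.is_aurora`, and the silent rewrite on the `engine_mode` line deserves a comment such as `# Serverless v2 needs engine_mode "provisioned"; "serverless" is accepted here as shorthand (see the variable description)`. The resource body continues past the end of the hunk.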
@@ -42,7 +47,7 @@ resource "aws_rds_cluster" "this" {
 ca_certificate_identifier = var.ca_certificate_identifier
 kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.kms_key_id)
 performance_insights_enabled = var.performance_insights_enabled
- performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.performance_insights_kms_key_id)
+ performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.performance_insights_kms_key_id)
 deletion_protection = var.deletion_protection
 delete_automated_backups = var.delete_automated_backups
 skip_final_snapshot = var.skip_final_snapshot
@@ -70,13 +75,13 @@ resource "aws_rds_cluster" "this" {
 resource "aws_rds_cluster_instance" "this" {
 for_each = { for idx, instance in var.rds_cluster_instances : idx => instance }
- cluster_identifier = aws_rds_cluster.this.id
- identifier = each.value.name != null ? each.value.name : "${aws_rds_cluster.this.id}-${each.key + 1}"
+ cluster_identifier = aws_rds_cluster.this[0].id
+ identifier = each.value.name != null ? each.value.name : "${aws_rds_cluster.this[0].id}-${each.key + 1}"
 instance_class = each.value.instance_class
- engine = aws_rds_cluster.this.engine
- engine_version = aws_rds_cluster.this.engine_version
- db_subnet_group_name = aws_rds_cluster.this.db_subnet_group_name
+ engine = aws_rds_cluster.this[0].engine
+ engine_version = aws_rds_cluster.this[0].engine_version
+ db_subnet_group_name = aws_rds_cluster.this[0].db_subnet_group_name
 availability_zone = each.value.availability_zone
 publicly_accessible = each.value.publicly_accessible
 db_parameter_group_name = each.value.db_parameter_group_name
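Review bot: The `performance_insights_kms_key_id` expression corrected here is spelled out again, character for character, on the same attribute of `aws_rds_cluster_instance.this` in the next hunk of this file, and `kms_key_id` two lines above follows the same three-way pattern; the bug being fixed — falling through to `var.performance_insights_kms_key_id` instead of `var.kms_data.performance_insights_kms_key_id` — was only possible because the logic is duplicated. Computing it once in locals.tf, e.g. `performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : coalesce(var.kms_data.performance_insights_kms_key_id, data.aws_kms_alias.rds.target_key_arn)`, and referencing `local.performance_insights_kms_key_id` from each resource would make the next such fix a one-line change. The resource body starts and ends outside the hunk.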
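Review bot: `aws_rds_cluster_instance.this` now dereferences `aws_rds_cluster.this[0]` on five lines, but its `for_each` is still driven only by `var.rds_cluster_instances`; with `engine_type = "rds"` (cluster count 0) and a non-empty instance list, plan fails with an invalid-index error on `aws_rds_cluster.this[0]` rather than a message naming the misconfiguration. Gating the instances on the same condition as the cluster, `for_each = var.engine_type == "cluster" ? { for idx, instance in var.rds_cluster_instances : idx => instance } : {}`, keeps the two resources consistent; a `validation` on `rds_cluster_instances` would be the clearer alternative if the Terraform version in use allows cross-variable references there. The resource body continues past the end of the hunk.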
@@ -85,9 +90,9 @@ resource "aws_rds_cluster_instance" "this" {
 auto_minor_version_upgrade = var.auto_minor_version_upgrade
 ca_cert_identifier = var.ca_cert_identifier
 monitoring_interval = var.monitoring_interval
- monitoring_role_arn = var.monitoring_role_arn
+ monitoring_role_arn = var.monitoring_interval > 0 ? (var.monitoring_role_arn == null ? aws_iam_role.enhanced_monitoring[0].arn : var.monitoring_role_arn) : null
 performance_insights_enabled = var.performance_insights_enabled
- performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.performance_insights_kms_key_id)
+ performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.performance_insights_kms_key_id)
 performance_insights_retention_period = var.performance_insights_retention_period
 promotion_tier = each.value.promotion_tier
 copy_tags_to_snapshot = each.value.copy_tags_to_snapshot
@@ -100,10 +105,10 @@ resource "aws_ssm_parameter" "database_creds" {
 description = "Database credentials"
 type = "SecureString"
 value = jsonencode({
- "username" : aws_rds_cluster.this.master_username
- "password" : aws_rds_cluster.this.master_password
- "database" : aws_rds_cluster.this.database_name
- "port" : aws_rds_cluster.this.port
+ "username" : local.username
+ "password" : local.password
+ "database" : local.database
+ "port" : local.port
 })
 tags = var.tags
diff --git a/common.tf b/common.tf
index 6d38af6..74491b7 100644
--- a/common.tf
+++ b/common.tf
@@ -50,7 +50,7 @@ resource "aws_db_parameter_group" "this" {
 content {
 name = parameter.value.name
 value = parameter.value.value
- apply_method = parameter.value
+ apply_method = parameter.value.apply_method
 }
 }
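Review bot: `aws_ssm_parameter.database_creds` now serialises `local.password` into the SecureString, but when `manage_user_password = true` there is no Terraform-side password at all, so the stored JSON presumably carries `"password": null` and anything reading the parameter gets an unusable record while the real secret sits in Secrets Manager. Either skip the parameter in that case, `count = var.manage_user_password == true ? 0 : 1`, or state in the `description` that the password field is empty when RDS manages the credential. Unless a `key_id` is set above the hunk, the SecureString is also encrypted with the account-default `aws/ssm` key rather than the customer-managed key the module builds or is given for the cluster; pointing `key_id` at that same key keeps a single access boundary around the credentials. The `locals` referenced here are defined outside this hunk and not visible.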
@@ -62,7 +62,7 @@ resource "aws_db_parameter_group" "this" {
 ################################################################################
 resource "aws_kms_key" "this" {
- count = var.kms_data.create ? 0 : 1
+ count = var.kms_data.create ? 1 : 0
 description = var.kms_data.description == null ? "RDS KMS key" : var.kms_data.description
 deletion_window_in_days = var.kms_data.deletion_window_in_days
@@ -74,7 +74,7 @@ resource "aws_kms_key" "this" {
 }
 resource "aws_kms_alias" "this" {
- count = var.kms_data.create ? 0 : 1
+ count = var.kms_data.create ? 1 : 0
 name = var.kms_data.name == null ? "alias/${local.prefix}-${var.name}-kms-key" : "alias/${var.kms_data.name}"
 target_key_id = aws_kms_key.this[0].id
@@ -103,7 +103,7 @@ resource "aws_iam_role" "enhanced_monitoring" {
 tags = var.tags
 }
-resource "aws_iam_policy" "enhanced_monitoring" {
+resource "aws_iam_policy" "logs" {
 count = var.monitoring_interval > 0 && var.monitoring_role_arn == null ? 1 : 0
 name = "${local.prefix}-${var.name}-policy"
@@ -129,5 +129,17 @@ resource "aws_iam_role_policy_attachment" "attach_policy" {
 count = var.monitoring_interval > 0 && var.monitoring_role_arn == null ? 1 : 0
 role = aws_iam_role.enhanced_monitoring[0].name
- policy_arn = aws_iam_policy.enhanced_monitoring[0].arn
+ policy_arn = aws_iam_policy.logs[0].arn
+}
+
+data "aws_iam_policy" "enhanced_monitoring" {
+ count = var.monitoring_interval > 0 && var.monitoring_role_arn == null ? 1 : 0
+ arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
+resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
+ count = var.monitoring_interval > 0 && var.monitoring_role_arn == null ? 1 : 0
+
+ role = aws_iam_role.enhanced_monitoring[0].name
+ policy_arn = data.aws_iam_policy.enhanced_monitoring[0].arn
 }
diff --git a/docs/example/README.md b/docs/example/README.md
deleted file mode 100644
index 49701be..0000000
--- a/docs/example/README.md
+++ /dev/null
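Review bot: Renaming `aws_iam_policy.enhanced_monitoring` to `aws_iam_policy.logs` changes the resource address without a `moved` block, so an existing deployment upgrading to this version will plan a destroy of the customer-managed policy and its attachment followed by a create under the new address, leaving the enhanced-monitoring role without those permissions for the duration of the apply. A `moved { from = aws_iam_policy.enhanced_monitoring to = aws_iam_policy.logs }` block next to the resource turns the rename into a state-only change. The new `data "aws_iam_policy" "enhanced_monitoring"` also hard-codes the `arn:aws:` partition, which fails in GovCloud and China regions; `arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"` works in every partition, assuming a `data "aws_partition" "current" {}` exists in the module or is added alongside. Both changes are a few lines each and belong in common.tf next to this hunk.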
@@ -1,83 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [null](#requirement\_null) | 3.1.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 3.59.0 | -| [random](#provider\_random) | 3.1.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [rds\_cluster\_aurora\_postgres](#module\_rds\_cluster\_aurora\_postgres) | git::https://github.com/cloudposse/terraform-aws-rds-cluster.git | 0.46.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_role.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_kms_alias.aurora_cluster_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.aurora_cluster_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [random_password.db_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | -| [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no | -| [cluster\_family](#input\_cluster\_family) | The family of the DB cluster parameter group | `string` | `"aurora-postgresql10"` | no | -| [cluster\_size](#input\_cluster\_size) | Number of DB instances to create in the cluster | `number` | `0` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [db\_admin\_username](#input\_db\_admin\_username) | Name of the default DB admin user role | `string` | n/a | yes | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [engine](#input\_engine) | The name of the database engine to be used for this DB cluster. Valid values: `aurora`, `aurora-mysql`, `aurora-postgresql` | `string` | `"aurora-postgresql"` | no | -| [engine\_mode](#input\_engine\_mode) | The database engine mode. Valid values: `parallelquery`, `provisioned`, `serverless` | `string` | `"serverless"` | no | -| [engine\_version](#input\_engine\_version) | The version of the database engine to use. See `aws rds describe-db-engine-versions` | `string` | `"aurora-postgresql13.3"` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [instance\_type](#input\_instance\_type) | Instance type to use | `string` | `"db.t3.medium"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | n/a | yes | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS region | `string` | n/a | yes | -| [security\_groups](#input\_security\_groups) | List of security groups to be allowed to connect to the DB instance | `list(string)` | `[]` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnets](#input\_subnets) | Subnets for the cluster to run in. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `""` | no | -| [vpc\_id](#input\_vpc\_id) | vpc\_id for the VPC to run the cluster. | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | Amazon Resource Name (ARN) of cluster | -| [cluster\_identifier](#output\_cluster\_identifier) | Cluster Identifier | -| [endpoint](#output\_endpoint) | The DNS address of the RDS instance | -| [master\_host](#output\_master\_host) | DB Master hostname | -| [master\_username](#output\_master\_username) | Username for the master DB user | -| [name](#output\_name) | Database name | -| [reader\_endpoint](#output\_reader\_endpoint) | A read-only endpoint for the Aurora cluster, automatically load-balanced across replicas | -| [replicas\_host](#output\_replicas\_host) | Replicas hostname | - diff --git a/docs/module-usage-guide/README.md b/docs/module-usage-guide/README.md index e84dd37..efdb996 100644 --- a/docs/module-usage-guide/README.md +++ b/docs/module-usage-guide/README.md @@ -27,7 +27,7 @@ To use the module in your Terraform configuration, include the following source ```hcl module "aurora" { source = "sourcefuse/arc-db/aws" - version = "3.0.0" + version = "4.0.0" # insert the required variables here } ``` 
@@ -64,15 +64,33 @@ For a list of outputs, see the README [Outputs](https://github.com/sourcefuse/te ### Basic Usage -For basic usage, see the [example](https://github.com/sourcefuse/terraform-aws-arc-db/tree/main/example) folder. +For basic usage, see the [example](https://github.com/sourcefuse/terraform-aws-arc-db/tree/main/examples/rds) folder. This example will create: -module "aurora": This module is creating an Aurora database cluster.The module is configuring the Aurora cluster with various settings, such as the instance type, the number of instances in the cluster, the subnets and security groups it's associated with, and more. +1. RDS Instance Example +This example demonstrates deploying a single RDS instance using the module, configuring an Amazon RDS database with basic settings like instance class, storage, and connectivity. It showcases options for database engine, encryption, and CloudWatch monitoring for a standalone RDS database. Ideal for simple, production-ready RDS setups. -module "rds_sql_server": This module is creating an Amazon RDS instance for SQL Server.This module is configuring the RDS instance with various settings, such as the database engine and version, the instance class, the allocated storage, the security groups it's associated with, and more. +### RDS Proxy -Both of these modules are using data sources (data.aws_vpc.vpc, data.aws_subnets.private, data.aws_security_groups.db_sg, etc.) to fetch information about the existing AWS infrastructure, such as the VPC, subnets, and security groups, and use that information to configure the databases. +For RDS Proxy, see the [example](https://github.com/sourcefuse/terraform-aws-arc-db/tree/main/examples/rds-proxy) folder. + +2. RDS Proxy Example +This example configures an RDS Proxy for an RDS database, helping manage connection pooling for improved database performance and security. 
By integrating with RDS Proxy, it reduces connection management overhead and scales automatically with demand, useful for applications with variable database traffic and sensitive to scaling requirements. + +### Aurora Cluster + +For Aurora Cluster, see the [example](https://github.com/sourcefuse/terraform-aws-arc-db/tree/main/examples/aurora) folder. + +3. Aurora Cluster Example +This example provisions an Amazon Aurora cluster, utilizing the module to set up a high-availability, high-performance database solution. The configuration includes multiple instances within a cluster, providing a resilient and cost-effective solution suitable for demanding applications. + +### Aurora Cluster Serverless + +For Aurora Cluster Serverless, see the [example](https://github.com/sourcefuse/terraform-aws-arc-db/tree/main/examples/aurora-serverless) folder. + +4. Aurora Serverless Cluster Example +This example deploys an Aurora Serverless cluster autoscaling, making it ideal for applications with unpredictable or intermittent database usage. The module configures serverless capacity, connectivity, and database settings, automatically adjusting to workload needs without manual intervention. ### Tips and Recommendations diff --git a/example/.terraform.lock.hcl b/example/.terraform.lock.hcl deleted file mode 100644 index 62e6e72..0000000 --- a/example/.terraform.lock.hcl +++ /dev/null 
@@ -1,89 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.46.0" - constraints = ">= 2.0.0, >= 3.0.0, >= 4.0.0, >= 4.9.0, >= 4.23.0, >= 5.0.0, < 6.0.0" - hashes = [ - "h1:bGEG0vS4seLpWWXVPnOqjhD1s6hkZB7etQIwOSSd00U=", - "h1:d0Mf33mbbQujZ/JaYkqmH5gZGvP+iEIWf9yBSiOwimE=", - "zh:05ae6180a7f23071435f6e5e59c19af0b6c5da42ee600c6c1568c8660214d548", - "zh:0d878d1565d5e57ce6b34ec5f04b28662044a50c999ec5770c374aa1f1020de2", - "zh:25ef1467af2514d8011c44759307445f7057836ff87dfe4503c3e1c9776d5c1a", - "zh:26c006df6200f0063b827aab05bec94f9f3f77848e82ed72e48a51d1170d1961", - "zh:37cdf4292649a10f12858622826925e18ad4eca354c31f61d02c66895eb91274", - "zh:4315b0433c2fc512666c74e989e2d95240934ef370bea1c690d36cb02d30c4ce", - "zh:75df0b3f631b78aeff1832cc77d99b527c2a5e79d40f7aac40bdc4a66124dac2", - "zh:90693d936c9a556d2bf945de4920ff82052002eb73139bd7164fafd02920f0ef", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:c9177ad09804c60fd2ed25950570407b6bdcdf0fcc309e1673b584f06a827fae", - "zh:ca8e8db24a4d62d92afd8d3d383b81a08693acac191a2e0a110fb46deeff56a3", - "zh:d5fa3a36e13957d63bfe9bbd6df0426a2422214403aac9f20b60c36f8d9ebec6", - "zh:e4ede44a112296c9cc77b15e439e41ee15c0e8b3a0dec94ae34df5ebba840e8b", - "zh:f2d4de8d8cde69caffede1544ebea74e69fcc4552e1b79ae053519a05c060706", - "zh:fc19e9266b1841d4a3aeefa8a5b5ad6988baed6540f85a373b6c2d0dc1ca5830", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" - constraints = ">= 2.0.0, >= 3.1.1" - hashes = [ - "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", - "h1:m467k2tZ9cdFFgHW7LPBK2GLPH43LC6wc3ppxr8yvoE=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - 
"zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.1" - constraints = ">= 3.4.0" - hashes = [ - "h1:Xx3UvdKXObNTjfd4yYHDcFalYZujg7NBY/VpZISiTb4=", - "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=", - "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176", - "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52", - "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5", - "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f", - "zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a", - "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0", - "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d", - "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de", - "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1", - "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.11.1" - constraints = ">= 0.7.0" - hashes = [ - "h1:bf7JCfBV8KHOJ0iicZ705maRJTeme0Br4QdBYnu1gMw=", - "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", - 
"zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", - "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", - "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f", - "zh:65024596f22f10e7dcb5e0e4a75277f275b529daa0bc0daf34ca7901c678ab88", - "zh:694d080cb5e3bf5ef08c7409208d061c135a4f5f4cdc93ea8607860995264b2e", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b29d15d13e1b3412e6a4e1627d378dbd102659132f7488f64017dd6b6d5216d3", - "zh:bb79f4cae9f8c17c73998edc54aa16c2130a03227f7f4e71fc6ac87e230575ec", - "zh:ceccf80e95929d97f62dcf1bb3c7c7553d5757b2d9e7d222518722fc934f7ad5", - "zh:f40e638336527490e294d9c938ae55919069e6987e85a80506784ba90348792a", - "zh:f99ef33b1629a3b2278201142a3011a8489e66d92da832a5b99e442204de18fb", - "zh:fded14754ea46fdecc62a52cd970126420d4cd190e598cb61190b4724a727edb", - ] -} diff --git a/example/README.md b/example/README.md deleted file mode 100644 index 72ce14e..0000000 --- a/example/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 | -| [aws](#requirement\_aws) | >= 4.0, < 6.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.46.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [aurora](#module\_aurora) | ../ | n/a | -| [rds\_postgresql](#module\_rds\_postgresql) | ../ | n/a | -| [rds\_sql\_server](#module\_rds\_sql\_server) | ../ | n/a | - -## Resources - -| Name | Type | -|------|------| -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_kms_alias.aurora_cluster_kms_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | -| [aws_security_groups.db_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source | -| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_ingress\_rules\_aurora](#input\_additional\_ingress\_rules\_aurora) | Additional ingress rules for Aurora |
list(object({
name = string
description = string
type = string
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
| `[]` | no | -| [additional\_ingress\_rules\_rds](#input\_additional\_ingress\_rules\_rds) | Additional ingress rules for RDS |
list(object({
name = string
description = string
type = string
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
| `[]` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no | -| [kms\_alias\_name](#input\_kms\_alias\_name) | Name of the KMS alias | `string` | `"alias/arc-poc-aurora-cluster-kms-key"` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no | -| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | - -## Outputs - -No outputs. - diff --git a/example/main.tf b/example/main.tf deleted file mode 100644 index 7671db7..0000000 --- a/example/main.tf +++ /dev/null 
@@ -1,125 +0,0 @@ -################################################################################ -## defaults -################################################################################ -terraform { - required_version = "~> 1.3, < 2.0.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0, < 6.0" - } - } -} - -provider "aws" { - region = var.region -} - -################################################################################ -## lookups -################################################################################ -data "aws_caller_identity" "this" {} - -################################################################################ -## db -################################################################################ -## aurora cluster -module "aurora" { - source = "../" - - environment = var.environment - namespace = var.namespace - region = var.region - vpc_id = data.aws_vpc.vpc.id - - aurora_cluster_enabled = true - aurora_cluster_name = "aurora-example" - enhanced_monitoring_name = "aurora-example-enhanced-monitoring" - aurora_db_admin_username = "example_db_admin" - aurora_db_name = "example" - aurora_allow_major_version_upgrade = true - aurora_auto_minor_version_upgrade = true - aurora_cluster_size = 1 - aurora_instance_type = "db.t3.medium" - aurora_subnets = data.aws_subnets.private.ids - aurora_security_groups = data.aws_security_groups.db_sg.ids - aurora_allowed_cidr_blocks = [data.aws_vpc.vpc.cidr_block] - performance_insights_enabled = true - performance_insights_retention_period = 7 - performance_insights_kms_key_id = data.aws_kms_alias.aurora_cluster_kms_arn.target_key_arn - kms_key_arn = data.aws_kms_alias.aurora_cluster_kms_arn.target_key_arn - iam_database_authentication_enabled = true - additional_ingress_rules_aurora = var.additional_ingress_rules_aurora -} - -## sql server rds instance -module "rds_sql_server" { - source = "../" - - environment = var.environment - namespace = var.namespace - 
region = var.region - vpc_id = data.aws_vpc.vpc.id - - account_id = data.aws_caller_identity.this.id - rds_instance_enabled = true - rds_instance_name = "sql-server-example" - enhanced_monitoring_name = "sql-server-example-enhanced-monitoring" - rds_instance_dns_zone_id = "" - rds_instance_host_name = "" - rds_instance_database_name = null // sql server database name must be null - rds_instance_database_user = "example_db_admin" - rds_instance_database_port = 1433 - rds_instance_engine = "sqlserver-ex" // express edition. - rds_instance_engine_version = "16.00.4105.2.v1" - rds_instance_major_engine_version = "16.00" - rds_instance_db_parameter_group = "sqlserver-ex-16.0" - rds_instance_db_parameter = [] - rds_instance_db_options = [] - rds_enable_custom_option_group = true - rds_instance_ca_cert_identifier = "rds-ca-2019" - rds_instance_publicly_accessible = false - rds_instance_multi_az = false - rds_instance_storage_type = "gp3" - rds_instance_instance_class = "db.t3.small" - rds_instance_allocated_storage = 400 - rds_instance_storage_encrypted = false // sql server express doesn't support encryption at rest - rds_instance_snapshot_identifier = null - rds_instance_auto_minor_version_upgrade = true - rds_instance_allow_major_version_upgrade = true - rds_instance_apply_immediately = true - rds_instance_maintenance_window = "Mon:00:00-Mon:02:00" - rds_instance_skip_final_snapshot = true - rds_instance_copy_tags_to_snapshot = true - rds_instance_backup_retention_period = 3 - rds_instance_backup_window = "22:00-23:59" - rds_instance_security_group_ids = data.aws_security_groups.db_sg.ids - rds_instance_allowed_cidr_blocks = [data.aws_vpc.vpc.cidr_block] - rds_instance_subnet_ids = data.aws_subnets.private.ids - additional_ingress_rules_rds = var.additional_ingress_rules_rds -} - -## postgresql rds instance -module "rds_postgresql" { - source = "../" - - environment = var.environment - namespace = var.namespace - region = var.region - vpc_id = data.aws_vpc.vpc.id - - 
account_id = data.aws_caller_identity.this.id - rds_instance_enabled = true - rds_instance_name = "postgresql-example" - performance_insights_enabled = true - enhanced_monitoring_name = "postgresql-example-enhanced-monitoring" - enhanced_monitoring_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" - rds_instance_database_name = "arc" - rds_instance_database_user = "example_db_admin" - - rds_instance_security_group_ids = data.aws_security_groups.db_sg.ids - rds_instance_allowed_cidr_blocks = [data.aws_vpc.vpc.cidr_block] - rds_instance_subnet_ids = data.aws_subnets.private.ids - additional_ingress_rules_rds = var.additional_ingress_rules_rds -} diff --git a/example/variables.tf b/example/variables.tf deleted file mode 100644 index a76895f..0000000 --- a/example/variables.tf +++ /dev/null 
@@ -1,54 +0,0 @@ -################################################################################ -## shared -################################################################################ -variable "region" { - type = string - default = "us-east-1" - description = "AWS region" -} - -variable "environment" { - type = string - default = "poc" - description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" -} - -variable "namespace" { - type = string - default = "arc" - description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" -} - -variable "kms_alias_name" { - type = string - description = "Name of the KMS alias" - default = "alias/arc-poc-aurora-cluster-kms-key" -} - -variable "additional_ingress_rules_aurora" { - description = "Additional ingress rules for Aurora" - type = list(object({ - name = string - description = string - type = string - from_port = number - to_port = number - protocol = string - cidr_blocks = list(string) - })) - default = [] -} - -variable "additional_ingress_rules_rds" { - description = "Additional ingress rules for RDS" - type = list(object({ - name = string - description = string - type = string - from_port = number - to_port = number - protocol = string - cidr_blocks = list(string) - })) - default = [] -} diff --git a/example/.terraform-version b/examples/aurora-serverless/.terraform-version similarity index 100% rename from example/.terraform-version rename to examples/aurora-serverless/.terraform-version diff --git a/examples/aurora-serverless/.terraform.lock.hcl b/examples/aurora-serverless/.terraform.lock.hcl new file mode 100644 index 0000000..30c9869 --- /dev/null +++ b/examples/aurora-serverless/.terraform.lock.hcl 
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 4.0.0, ~> 5.0, < 6.0.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.1.0" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = ">= 3.4.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/examples/aurora-serverless/README.md b/examples/aurora-serverless/README.md new file mode 100644 index 0000000..67f97d8 --- /dev/null +++ b/examples/aurora-serverless/README.md 
@@ -0,0 +1,50 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 | +| [aws](#requirement\_aws) | >= 4.0, < 6.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.74.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora](#module\_aurora) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 
'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no | +| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Instance or Cluster ARN | +| [database](#output\_database) | Database name | +| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint | +| [id](#output\_id) | Instance or Cluster ID | +| [identifier](#output\_identifier) | Instance or Cluster Identifier | +| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KMS Key ID | +| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring Role ARN | +| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance Insights KMS Key ID | +| [port](#output\_port) | Database server port | +| [username](#output\_username) | Username for the Database | + diff --git a/example/data.tf b/examples/aurora-serverless/data.tf similarity index 51% rename from example/data.tf rename to examples/aurora-serverless/data.tf index 7e5ae7c..4fca06e 100644 --- a/example/data.tf +++ b/examples/aurora-serverless/data.tf @@ -11,28 +11,14 @@ data "aws_vpc" "vpc" { ## network data "aws_subnets" "private" { + filter { + name = "vpc-id" + values = [data.aws_vpc.vpc.id] + } filter { name = "tag:Name" values = [ - "${var.namespace}-${var.environment}-private-subnet-private-${var.region}a", - "${var.namespace}-${var.environment}-private-subnet-private-${var.region}b" + "*private*" ] } } - -## security -data "aws_security_groups" "db_sg" { - filter { - name = "group-name" - values = ["example-${var.environment}-db-sg"] - } - - filter { - name = "vpc-id" - values = [data.aws_vpc.vpc.id] - } -} - -data "aws_kms_alias" "aurora_cluster_kms_arn" { - name = var.kms_alias_name -} diff --git a/examples/aurora-serverless/main.tf b/examples/aurora-serverless/main.tf new file mode 100644 index 0000000..b6f17db 
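Review bot: The new `tag:Name` filter value `"*private*"` in `data "aws_subnets" "private"` matches every subnet in the VPC whose Name contains "private", which is far looser than the two exact subnet names it replaces and will silently pick up any other stack's subnets in the same VPC that happen to match. If nothing matches, `data.aws_subnets.private.ids` is an empty list rather than an error, so the subnet group in main.tf would be created with no subnets and the failure only surfaces later at apply time. Either narrow the pattern to the example's own naming convention, e.g. `"${var.namespace}-${var.environment}-private-subnet-*"`, or add a `lifecycle { postcondition { ... } }` on the data source asserting `length(self.ids) > 0` with a message naming the expected tag. The same filter appears verbatim in the new examples/aurora/data.tf and examples/rds-proxy/data.tf hunks; the file itself begins above this hunk (the `aws_vpc` data source is outside it).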
--- /dev/null +++ b/examples/aurora-serverless/main.tf 
@@ -0,0 +1,93 @@
+################################################################################
+## defaults
+################################################################################
+terraform {
+ required_version = "~> 1.3, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0, < 6.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+locals {
+ rds_security_group_data = {
+ create = true
+ description = "Security Group for RDS Cluster"
+
+ ingress_rules = [
+ {
+ description = "Allow traffic from local network"
+ cidr_block = data.aws_vpc.vpc.cidr_block
+ from_port = 5432
+ ip_protocol = "tcp"
+ to_port = 5432
+ }
+ ]
+
+ egress_rules = [
+ {
+ description = "Allow all outbound traffic"
+ cidr_block = "0.0.0.0/0"
+ from_port = -1
+ ip_protocol = "-1"
+ to_port = -1
+ }
+ ]
+ }
+
+}
+
+module "aurora" {
+ source = "../../"
+
+ environment = var.environment
+ namespace = var.namespace
+ vpc_id = data.aws_vpc.vpc.id
+
+ name = "${var.namespace}-${var.environment}-aurora-serverless"
+ engine_type = "cluster"
+ port = 5432
+ username = "postgres"
+ engine = "aurora-postgresql"
+ engine_version = "16.2"
+ engine_mode = "serverless"
+
+ license_model = "postgresql-license"
+ rds_cluster_instances = [
+ {
+ instance_class = "db.serverless"
+ db_parameter_group_name = "default.aurora-postgresql16"
+ apply_immediately = true
+ promotion_tier = 1
+ }
+ ]
+
+ serverlessv2_scaling_config = {
+ max_capacity = 1.0
+ min_capacity = 0.5
+ }
+
+ db_subnet_group_data = {
+ name = "${var.namespace}-${var.environment}-subnet-group"
+ create = true
+ description = "Subnet group for rds instance"
+ subnet_ids = data.aws_subnets.private.ids
+ }
+
+ performance_insights_enabled = true
+
+ kms_data = {
+ create = true
+ description = "KMS for Performance insight and storage"
+ deletion_window_in_days = 7
+ enable_key_rotation = true
+ }
+ security_group_data = local.rds_security_group_data
+}
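Review bot: `engine_mode = "serverless"` selects Aurora Serverless v1, but everything else in the `module "aurora"` block is Serverless v2 configuration (`db.serverless` instance class, `serverlessv2_scaling_config`, aurora-postgresql 16.2, which v1 does not offer), so if the module passes this value through to `aws_rds_cluster` unchanged the apply will fail or build something other than intended. Serverless v2 clusters use `engine_mode = "provisioned"` together with the `db.serverless` instance; if the module instead translates "serverless" to v2 itself, that mapping is not visible here and deserves a comment on the line, e.g. `engine_mode = "provisioned" # Serverless v2: scaling comes from db.serverless + serverlessv2_scaling_config`. Separately, the ingress rule in `rds_security_group_data` opens 5432 to the whole VPC CIDR; for an example meant to be copied, scoping ingress to the application's security group rather than the VPC would demonstrate the least-privilege shape.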
diff --git a/examples/aurora-serverless/output.tf b/examples/aurora-serverless/output.tf new file mode 100644 index 0000000..3e50a17 --- /dev/null +++ b/examples/aurora-serverless/output.tf @@ -0,0 +1,49 @@ +output "id" { + value = module.aurora.id + description = "Instance or Cluster ID" +} + +output "identifier" { + value = module.aurora.identifier + description = "Instance or Cluster Identifier" +} + +output "arn" { + value = module.aurora.arn + description = "Instance or Cluster ARN" +} + +output "username" { + value = module.aurora.username + description = "Username for the Database" +} + +output "database" { + value = module.aurora.database + description = "Database name" +} + +output "port" { + value = module.aurora.port + description = "Database server port" +} + +output "endpoint" { + value = module.aurora.endpoint + description = "Instance or Cluster Endpoint" +} + +output "kms_key_id" { + value = module.aurora.kms_key_id + description = "Instance or Cluster KMS Key ID" +} + +output "performance_insights_kms_key_id" { + value = module.aurora.performance_insights_kms_key_id + description = "Instance or Cluster Performance Insights KMS Key ID" +} + +output "monitoring_role_arn" { + value = module.aurora.monitoring_role_arn + description = "Instance or Cluster Monitoring Role ARN" +} diff --git a/examples/aurora-serverless/variables.tf b/examples/aurora-serverless/variables.tf new file mode 100644 index 0000000..8e65782 --- /dev/null +++ b/examples/aurora-serverless/variables.tf 
@@ -0,0 +1,20 @@ +################################################################################ +## shared +################################################################################ +variable "region" { + type = string + default = "us-east-1" + description = "AWS region" +} + +variable "environment" { + type = string + default = "poc" + description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" +} + +variable "namespace" { + type = string + default = "arc" + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} diff --git a/examples/aurora/.terraform-version b/examples/aurora/.terraform-version new file mode 100644 index 0000000..7324740 --- /dev/null +++ b/examples/aurora/.terraform-version @@ -0,0 +1 @@ +latest:^1.7 diff --git a/examples/aurora/.terraform.lock.hcl b/examples/aurora/.terraform.lock.hcl new file mode 100644 index 0000000..30c9869 --- /dev/null +++ b/examples/aurora/.terraform.lock.hcl 
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 4.0.0, ~> 5.0, < 6.0.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.1.0" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = ">= 3.4.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/examples/aurora/README.md b/examples/aurora/README.md new file mode 100644 index 0000000..67f97d8 --- /dev/null +++ b/examples/aurora/README.md 
@@ -0,0 +1,50 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 | +| [aws](#requirement\_aws) | >= 4.0, < 6.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.74.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora](#module\_aurora) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 
'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no | +| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Instance or Cluster ARN | +| [database](#output\_database) | Database name | +| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint | +| [id](#output\_id) | Instance or Cluster ID | +| [identifier](#output\_identifier) | Instance or Cluster Identifier | +| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KMS Key ID | +| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring Role ARN | +| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance Insights KMS Key ID | +| [port](#output\_port) | Database server port | +| [username](#output\_username) | Username for the Database | + diff --git a/examples/aurora/data.tf b/examples/aurora/data.tf new file mode 100644 index 0000000..4fca06e --- /dev/null +++ b/examples/aurora/data.tf @@ -0,0 +1,24 @@ +################################################ +## imports +################################################ +## vpc +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = ["${var.namespace}-${var.environment}-vpc"] + } +} + +## network +data "aws_subnets" "private" { + filter { + name = "vpc-id" + values = [data.aws_vpc.vpc.id] + } + filter { + name = "tag:Name" + values = [ + "*private*" + ] + } +} diff --git a/examples/aurora/main.tf b/examples/aurora/main.tf new file mode 100644 index 0000000..d8cabfc --- /dev/null +++ b/examples/aurora/main.tf 
@@ -0,0 +1,58 @@
+################################################################################
+## defaults
+################################################################################
+terraform {
+ required_version = "~> 1.3, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0, < 6.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+module "aurora" {
+ source = "../../"
+
+ environment = var.environment
+ namespace = var.namespace
+ vpc_id = data.aws_vpc.vpc.id
+
+ name = "${var.namespace}-${var.environment}-test"
+ engine_type = "cluster"
+ port = 5432
+ username = "postgres"
+ engine = "aurora-postgresql"
+ engine_version = "16.2"
+
+ license_model = "postgresql-license"
+ rds_cluster_instances = [
+ {
+ instance_class = "db.t3.medium"
+ db_parameter_group_name = "default.aurora-postgresql16"
+ apply_immediately = true
+ promotion_tier = 1
+ }
+ ]
+
+ db_subnet_group_data = {
+ name = "${var.namespace}-${var.environment}-subnet-group"
+ create = true
+ description = "Subnet group for rds instance"
+ subnet_ids = data.aws_subnets.private.ids
+ }
+
+ performance_insights_enabled = true
+
+ kms_data = {
+ create = true
+ description = "KMS for Performance insight and storage"
+ deletion_window_in_days = 7
+ enable_key_rotation = true
+ }
+}
diff --git a/examples/aurora/output.tf b/examples/aurora/output.tf new file mode 100644
index 0000000..3e50a17
--- /dev/null
+++ b/examples/aurora/output.tf
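Review bot: This example passes no `security_group_data` to the module, unlike examples/aurora-serverless/main.tf which defines one explicitly, so which security group the cluster ends up in and what it admits is decided entirely by the module's default, which this diff does not show. Either pass an explicit security group as the serverless example does, or add a comment on the `module "aurora"` block stating that the module's default security group handling is being relied on, so a reader copying the example knows the cluster's network exposure is not configured here. The cluster `name` uses the suffix `-test` where the sibling examples use descriptive suffixes; `"${var.namespace}-${var.environment}-aurora"` would match them.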
@@ -0,0 +1,49 @@ +output "id" { + value = module.aurora.id + description = "Instance or Cluster ID" +} + +output "identifier" { + value = module.aurora.identifier + description = "Instance or Cluster Identifier" +} + +output "arn" { + value = module.aurora.arn + description = "Instance or Cluster ARN" +} + +output "username" { + value = module.aurora.username + description = "Username for the Database" +} + +output "database" { + value = module.aurora.database + description = "Database name" +} + +output "port" { + value = module.aurora.port + description = "Database server port" +} + +output "endpoint" { + value = module.aurora.endpoint + description = "Instance or Cluster Endpoint" +} + +output "kms_key_id" { + value = module.aurora.kms_key_id + description = "Instance or Cluster KMS Key ID" +} + +output "performance_insights_kms_key_id" { + value = module.aurora.performance_insights_kms_key_id + description = "Instance or Cluster Performance Insights KMS Key ID" +} + +output "monitoring_role_arn" { + value = module.aurora.monitoring_role_arn + description = "Instance or Cluster Monitoring Role ARN" +} diff --git a/examples/aurora/variables.tf b/examples/aurora/variables.tf new file mode 100644 index 0000000..8e65782 --- /dev/null +++ b/examples/aurora/variables.tf @@ -0,0 +1,20 @@ +################################################################################ +## shared +################################################################################ +variable "region" { + type = string + default = "us-east-1" + description = "AWS region" +} + +variable "environment" { + type = string + default = "poc" + description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" +} + +variable "namespace" { + type = string + default = "arc" + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} 
diff --git a/examples/rds-proxy/.terraform-version b/examples/rds-proxy/.terraform-version new file mode 100644 index 0000000..7324740 --- /dev/null +++ b/examples/rds-proxy/.terraform-version @@ -0,0 +1 @@ +latest:^1.7 diff --git a/examples/rds-proxy/.terraform.lock.hcl b/examples/rds-proxy/.terraform.lock.hcl new file mode 100644 index 0000000..30c9869 --- /dev/null +++ b/examples/rds-proxy/.terraform.lock.hcl 
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 4.0.0, ~> 5.0, < 6.0.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.1.0" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = ">= 3.4.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/examples/rds-proxy/README.md b/examples/rds-proxy/README.md new file mode 100644 index 0000000..6cf2958 --- /dev/null +++ b/examples/rds-proxy/README.md 
@@ -0,0 +1,50 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 | +| [aws](#requirement\_aws) | >= 4.0, < 6.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.74.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [rds](#module\_rds) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 
'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no | +| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Instance or Cluster ARN | +| [database](#output\_database) | Database name | +| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint | +| [id](#output\_id) | Instance or Cluster ID | +| [identifier](#output\_identifier) | Instance or Cluster Identifier | +| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KMS Key ID | +| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring Role ARN | +| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance Insights KMS Key ID | +| [port](#output\_port) | Database server port | +| [username](#output\_username) | Username for the Database | + diff --git a/examples/rds-proxy/data.tf b/examples/rds-proxy/data.tf new file mode 100644 index 0000000..4fca06e --- /dev/null +++ b/examples/rds-proxy/data.tf @@ -0,0 +1,24 @@ +################################################ +## imports +################################################ +## vpc +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = ["${var.namespace}-${var.environment}-vpc"] + } +} + +## network +data "aws_subnets" "private" { + filter { + name = "vpc-id" + values = [data.aws_vpc.vpc.id] + } + filter { + name = "tag:Name" + values = [ + "*private*" + ] + } +} diff --git a/examples/rds-proxy/main.tf b/examples/rds-proxy/main.tf new file mode 100644 index 0000000..591b08c --- /dev/null +++ b/examples/rds-proxy/main.tf 
@@ -0,0 +1,142 @@
+################################################################################
+## defaults
+################################################################################
+terraform {
+ required_version = "~> 1.3, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0, < 6.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+locals {
+ rds_security_group_data = {
+ create = true
+ description = "Security Group for RDS instance"
+
+ ingress_rules = [
+ {
+ description = "Allow traffic from local network"
+ cidr_block = data.aws_vpc.vpc.cidr_block
+ from_port = 5432
+ ip_protocol = "tcp"
+ to_port = 5432
+ }
+ ]
+
+ egress_rules = [
+ {
+ description = "Allow all outbound traffic"
+ cidr_block = "0.0.0.0/0"
+ from_port = -1
+ ip_protocol = "-1"
+ to_port = -1
+ }
+ ]
+ }
+
+ proxy_security_group_data = {
+ create = true
+ description = "Security Group for RDS Proxy"
+
+ ingress_rules = [
+ {
+ description = "Allow traffic from local network"
+ cidr_block = data.aws_vpc.vpc.cidr_block
+ from_port = 5432
+ ip_protocol = "tcp"
+ to_port = 5432
+ }
+ ]
+
+ egress_rules = [
+ {
+ description = "Allow all outbound traffic"
+ cidr_block = "0.0.0.0/0"
+ from_port = -1
+ ip_protocol = "-1"
+ to_port = -1
+ }
+ ]
+ }
+
+
+ parameter_group_config = {
+ create = true
+ family = "postgres16"
+ parameters = {
+ "paramter-1" = {
+ name = "log_connections"
+ value = "1"
+ } }
+ }
+
+}
+
+module "rds" {
+ source = "../../"
+
+ environment = var.environment
+ namespace = var.namespace
+ vpc_id = data.aws_vpc.vpc.id
+
+ name = "${var.namespace}-${var.environment}-test-proxy-1"
+ engine_type = "rds"
+ db_server_class = "db.t3.small"
+ port = 5432
+ username = "postgres"
+ engine = "postgres"
+ engine_version = "16.3"
+
+ monitoring_interval = 60
+ license_model = "postgresql-license"
+ db_subnet_group_data = {
+ name = "${var.namespace}-${var.environment}-subnet-group-proxy"
+ create = true
+ description = "Subnet group for rds instance"
+ subnet_ids = data.aws_subnets.private.ids
+ }
+
+ performance_insights_enabled = true
+
+ kms_data = {
+ create = true
+ description = "KMS for Performance insight and storage"
+ deletion_window_in_days = 7
+ enable_key_rotation = true
+ }
+
+ parameter_group_config = local.parameter_group_config
+ security_group_data = local.rds_security_group_data
+
+ proxy_config = {
+ create = true
+ engine_family = "POSTGRESQL"
+ vpc_subnet_ids = data.aws_subnets.private.ids
+ security_group_data = local.proxy_security_group_data
+ require_tls = true
+ debug_logging = true
+ idle_client_timeout_secs = 3600 # 1 hour
+
+ auth = {
+ auth_scheme = "SECRETS"
+ description = "Authentication for RDS Proxy"
+ iam_auth = "DISABLED" // REQUIRED
+ client_password_auth_type = "POSTGRES_SCRAM_SHA_256"
+ }
+
+ additional_auth_list = []
+
+ connection_pool_config = {
+ max_connections_percent = 100
+ max_idle_connections_percent = 50
+ }
+ }
+}
diff --git a/examples/rds-proxy/output.tf b/examples/rds-proxy/output.tf new file mode 100644
index 0000000..3b64723
--- /dev/null
+++ b/examples/rds-proxy/output.tf
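Review bot: The instance security group (`rds_security_group_data`) admits 5432 from the entire VPC CIDR, exactly like the proxy's, so any client in the VPC can connect to the instance directly and bypass the proxy, which turns `require_tls = true` and the SCRAM policy enforced in `proxy_config.auth` into optional rather than mandatory controls. The instance's ingress should reference the proxy's security group instead of the VPC CIDR if the module's `ingress_rules` accept a security-group source; if they do not, a comment on `rds_security_group_data` should say that direct access to the instance remains possible in this example. `debug_logging = true` enables RDS Proxy enhanced logging, which AWS documents as potentially capturing sensitive connection details and recommends only for troubleshooting, so `false` is the safer example default. The map key `"paramter-1"` is misspelled, and the `// REQUIRED` comment on `iam_auth = "DISABLED"` does not say what is required; a comment such as `# IAM auth off: clients authenticate with the Secrets Manager password; set "REQUIRED" to enforce IAM tokens` would make the choice explicit.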
@@ -0,0 +1,49 @@ +output "id" { + value = module.rds.id + description = "Instance or Cluster ID" +} + +output "identifier" { + value = module.rds.identifier + description = "Instance or Cluster Identifier" +} + +output "arn" { + value = module.rds.arn + description = "Instance or Cluster ARN" +} + +output "username" { + value = module.rds.username + description = "Username for the Database" +} + +output "database" { + value = module.rds.database + description = "Database name" +} + +output "port" { + value = module.rds.port + description = "Database server port" +} + +output "endpoint" { + value = module.rds.endpoint + description = "Instance or Cluster Endpoint" +} + +output "kms_key_id" { + value = module.rds.kms_key_id + description = "Instance or Cluster KMS Key ID" +} + +output "performance_insights_kms_key_id" { + value = module.rds.performance_insights_kms_key_id + description = "Instance or Cluster Performance Insights KMS Key ID" +} + +output "monitoring_role_arn" { + value = module.rds.monitoring_role_arn + description = "Instance or Cluster Monitoring Role ARN" +} diff --git a/examples/rds-proxy/variables.tf b/examples/rds-proxy/variables.tf new file mode 100644 index 0000000..8e65782 --- /dev/null +++ b/examples/rds-proxy/variables.tf @@ -0,0 +1,20 @@ +################################################################################ +## shared +################################################################################ +variable "region" { + type = string + default = "us-east-1" + description = "AWS region" +} + +variable "environment" { + type = string + default = "poc" + description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" +} + +variable "namespace" { + type = string + default = "arc" + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} 
diff --git a/examples/rds/.terraform-version b/examples/rds/.terraform-version new file mode 100644 index 0000000..7324740 --- /dev/null +++ b/examples/rds/.terraform-version @@ -0,0 +1 @@ +latest:^1.7 diff --git a/examples/rds/.terraform.lock.hcl b/examples/rds/.terraform.lock.hcl new file mode 100644 index 0000000..30c9869 --- /dev/null +++ b/examples/rds/.terraform.lock.hcl 
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.74.0" + constraints = ">= 4.0.0, ~> 5.0, < 6.0.0" + hashes = [ + "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", + "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", + "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", + "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", + "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", + "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", + "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", + "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", + "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", + "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", + "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", + "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", + "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", + "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.1.0" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = ">= 3.4.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/examples/rds/README.md b/examples/rds/README.md new file mode 100644 index 0000000..6cf2958 --- /dev/null +++ b/examples/rds/README.md 
@@ -0,0 +1,50 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 | +| [aws](#requirement\_aws) | >= 4.0, < 6.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.74.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [rds](#module\_rds) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 
'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no | +| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | Instance or Cluster ARN | +| [database](#output\_database) | Database name | +| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint | +| [id](#output\_id) | Instance or Cluster ID | +| [identifier](#output\_identifier) | Instance or Cluster Identifier | +| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KMS Key ID | +| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring Role ARN | +| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance Insights KMS Key ID | +| [port](#output\_port) | Database server port | +| [username](#output\_username) | Username for the Database | + diff --git a/examples/rds/data.tf b/examples/rds/data.tf new file mode 100644 index 0000000..c24a28d --- /dev/null +++ b/examples/rds/data.tf @@ -0,0 +1,20 @@ +################################################ +## imports +################################################ +## vpc +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = ["${var.namespace}-${var.environment}-vpc"] + } +} + +## network +data "aws_subnets" "private" { + filter { + name = "tag:Name" + values = [ + "*private*" + ] + } +} diff --git a/examples/rds/main.tf b/examples/rds/main.tf new file mode 100644 index 0000000..798f15a --- /dev/null +++ b/examples/rds/main.tf 
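Review bot: `data "aws_subnets" "private"` in examples/rds/data.tf filters only on `tag:Name = "*private*"` and is not scoped to the VPC looked up just above it, so in an account with more than one VPC it can return subnets from another VPC and the `db_subnet_group_data.subnet_ids` handed to the module will mix VPCs (the subnet group then fails to create, or the instance lands somewhere unintended). Add a second filter block with `name = "vpc-id"` and `values = [data.aws_vpc.vpc.id]` so the result is pinned to `data.aws_vpc.vpc`. The other example directories in this commit carry their own data.tf; if they use the same filter they need the same scoping.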
@@ -0,0 +1,79 @@ +################################################################################ +## defaults +################################################################################ +terraform { + required_version = "~> 1.3, < 2.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0, < 6.0" + } + } +} + +provider "aws" { + region = var.region +} + +locals { + rds_security_group_data = { + create = true + description = "Security Group for RDS instance" + + ingress_rules = [ + { + description = "Allow traffic from local network" + cidr_block = data.aws_vpc.vpc.cidr_block + from_port = 5432 + ip_protocol = "tcp" + to_port = 5432 + } + ] + + egress_rules = [ + { + description = "Allow all outbound traffic" + cidr_block = "0.0.0.0/0" + from_port = -1 + ip_protocol = "-1" + to_port = -1 + } + ] + } +} + +module "rds" { + source = "../../" + + environment = var.environment + namespace = var.namespace + vpc_id = data.aws_vpc.vpc.id + + name = "${var.namespace}-${var.environment}-test" + engine_type = "rds" + db_server_class = "db.t3.small" + port = 5432 + username = "postgres" + manage_user_password = true + engine = "postgres" + engine_version = "16.3" + + license_model = "postgresql-license" + db_subnet_group_data = { + name = "${var.namespace}-${var.environment}-subnet-group" + create = true + description = "Subnet group for rds instance" + subnet_ids = data.aws_subnets.private.ids + } + + security_group_data = local.rds_security_group_data + performance_insights_enabled = true + + kms_data = { + create = true + description = "KMS for Performance insight and storage" + deletion_window_in_days = 7 + enable_key_rotation = true + } +} diff --git a/examples/rds/output.tf b/examples/rds/output.tf new file mode 100644 index 0000000..3b64723 --- /dev/null +++ b/examples/rds/output.tf 
@@ -0,0 +1,49 @@ +output "id" { + value = module.rds.id + description = "Instance or Cluster ID" +} + +output "identifier" { + value = module.rds.identifier + description = "Instance or Cluster Identifier" +} + +output "arn" { + value = module.rds.arn + description = "Instance or Cluster ARN" +} + +output "username" { + value = module.rds.username + description = "Username for the Database" +} + +output "database" { + value = module.rds.database + description = "Database name" +} + +output "port" { + value = module.rds.port + description = "Database server port" +} + +output "endpoint" { + value = module.rds.endpoint + description = "Instance or Cluster Endpoint" +} + +output "kms_key_id" { + value = module.rds.kms_key_id + description = "Instance or Cluster KMS Key ID" +} + +output "performance_insights_kms_key_id" { + value = module.rds.performance_insights_kms_key_id + description = "Instance or Cluster Performance Insights KMS Key ID" +} + +output "monitoring_role_arn" { + value = module.rds.monitoring_role_arn + description = "Instance or Cluster Monitoring Role ARN" +} diff --git a/examples/rds/variables.tf b/examples/rds/variables.tf new file mode 100644 index 0000000..8e65782 --- /dev/null +++ b/examples/rds/variables.tf @@ -0,0 +1,20 @@ +################################################################################ +## shared +################################################################################ +variable "region" { + type = string + default = "us-east-1" + description = "AWS region" +} + +variable "environment" { + type = string + default = "poc" + description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" +} + +variable "namespace" { + type = string + default = "arc" + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} diff --git a/locals.tf b/locals.tf index d00a712..d8c60eb 100644 
--- a/locals.tf +++ b/locals.tf @@ -2,7 +2,7 @@ locals { prefix = "${var.namespace}-${var.environment}" security_group_ids_to_attach = var.security_group_data.create ? concat(var.security_group_data.security_group_ids_to_attach, [module.security_group[0].id]) : var.security_group_data.security_group_ids_to_attach proxy_security_group_ids_to_attach = var.proxy_config.security_group_data.create ? concat(var.proxy_config.security_group_data.security_group_ids_to_attach, [module.proxy_security_group[0].id]) : var.proxy_config.security_group_data.security_group_ids_to_attach - secret_arn = var.manage_user_password ? aws_rds_cluster.this.master_user_secret[0].secret_arn : (var.proxy_config.create ? aws_secretsmanager_secret.this[0].arn : null) + secret_arn = var.manage_user_password == true ? (var.engine_type == "rds" ? aws_db_instance.this[0].master_user_secret[0].secret_arn : aws_rds_cluster.this[0].master_user_secret[0].secret_arn) : (var.proxy_config.create ? aws_secretsmanager_secret.this[0].arn : null) additional_secret_arn_list = [for auth in var.proxy_config.additional_auth_list : auth.secret_arn if auth.secret_arn != null] 
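Review bot: The new `secret_arn` expression in locals.tf falls through to `aws_secretsmanager_secret.this[0].arn` whenever `manage_user_password` is anything but `true` and a proxy is requested, but proxy.tf in this commit creates that secret only when `var.manage_user_password == null`, so `manage_user_password = false` with `proxy_config.create = true` indexes an empty resource and the plan fails. The same `== true` versus `== null` mismatch is in proxy.tf's `aws_db_proxy` auth block (`secret_arn`) and in the `aws_secretsmanager_secret` / `aws_secretsmanager_secret_version` counts. Align the fallback with the secret's own count, e.g. `: (var.manage_user_password == null && var.proxy_config.create ? aws_secretsmanager_secret.this[0].arn : null)`, or reject `false` at the variable so the "don't set it to false" note in variables.tf is enforced rather than assumed.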
@@ -20,4 +20,14 @@ locals { } ] ) : var.security_group_data.ingress_rules + + + username = var.engine_type == "rds" ? aws_db_instance.this[0].username : aws_rds_cluster.this[0].master_username + password = var.engine_type == "rds" ? aws_db_instance.this[0].password : aws_rds_cluster.this[0].master_password + database = var.engine_type == "rds" ? aws_db_instance.this[0].db_name : aws_rds_cluster.this[0].database_name + port = var.engine_type == "rds" ? aws_db_instance.this[0].port : aws_rds_cluster.this[0].port + + kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.kms_key_id) + performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.performance_insights_kms_key_id) + monitoring_role_arn = var.monitoring_interval > 0 ? (var.monitoring_role_arn == null ? aws_iam_role.enhanced_monitoring[0].arn : var.monitoring_role_arn) : null } diff --git a/main.tf b/main.tf index bda6a76..e85e6fc 100644 --- a/main.tf +++ b/main.tf @@ -2,6 +2,8 @@ ## RDS instance ################################################################################ resource "aws_db_instance" "this" { + count = var.engine_type == "rds" ? 1 : 0 + identifier = var.name db_name = var.database_name allocated_storage = var.allocated_storage 
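Review bot: The new `password` local in locals.tf holds the plaintext master password (`aws_db_instance.this[0].password` / `aws_rds_cluster.this[0].master_password`) but nothing in this commit reads it; proxy.tf repeats the same engine-type conditional inline when it builds the secret string. Either have proxy.tf use `local.username` and `local.password` so the engine switch lives in one place, or drop the local, since an unused local carrying a credential is one more place to audit. This covers only the hunks in this patch; if another file references `local.password` the point is moot.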
@@ -9,11 +11,11 @@ resource "aws_db_instance" "this" { engine_version = var.engine_version engine_lifecycle_support = var.engine_lifecycle_support port = var.port - instance_class = var.instance_class + instance_class = var.db_server_class username = var.username - password = var.password == null && var.manage_user_password == false ? random_password.master[0].result : var.password + password = var.password == null && var.manage_user_password == null ? random_password.master[0].result : var.password manage_master_user_password = var.manage_user_password iops = var.iops @@ -40,7 +42,7 @@ resource "aws_db_instance" "this" { storage_encrypted = var.storage_encrypted kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.kms_key_id) performance_insights_enabled = var.performance_insights_enabled - performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.performance_insights_kms_key_id) + performance_insights_kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : (var.kms_data.performance_insights_kms_key_id == null ? data.aws_kms_alias.rds.target_key_arn : var.kms_data.performance_insights_kms_key_id) performance_insights_retention_period = var.performance_insights_retention_period enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports monitoring_interval = var.monitoring_interval diff --git a/outputs.tf b/outputs.tf index 7071393..06ac2d1 100644 --- a/outputs.tf +++ b/outputs.tf 
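Review bot: `kms_key_id` and `performance_insights_kms_key_id` in `aws_db_instance.this` still spell out the full `var.kms_data.create ? … : …` conditional, while locals.tf in this same commit introduces `local.kms_key_id` and `local.performance_insights_kms_key_id` with the identical (now corrected) expressions. Replace them with `kms_key_id = local.kms_key_id` and `performance_insights_kms_key_id = local.performance_insights_kms_key_id` so the resource and the outputs cannot drift apart again, which is exactly the bug the Performance Insights line of this hunk fixes. Separately, the changed `password` expression leaves `password = null` when `manage_user_password = false` and no `var.password` is given, because `random_password.master` is now only used for the `null` case; whether `random_password.master`'s own `count` was updated to match is outside this hunk.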
@@ -1,80 +1,49 @@ -# ################################################################################ -# ## aurora -# ################################################################################ -# output "aurora_name" { -# value = try(module.aurora_cluster[0].database_name, null) -# description = "Database name" -# } - -# output "aurora_master_username" { -# value = try(module.aurora_cluster[0].master_username, null) -# description = "Username for the master DB user" -# } - -# output "aurora_cluster_identifier" { -# value = try(module.aurora_cluster[0].cluster_identifier, null) -# description = "Cluster Identifier" -# } - -# output "aurora_arn" { -# value = try(module.aurora_cluster[0].arn, null) -# description = "Amazon Resource Name (ARN) of cluster" -# } - -# output "aurora_endpoint" { -# value = try(module.aurora_cluster[0].endpoint, null) -# description = "The DNS address of the RDS instance" -# } - -# output "aurora_reader_endpoint" { -# value = try(module.aurora_cluster[0].reader_endpoint, null) -# description = "A read-only endpoint for the Aurora cluster, automatically load-balanced across replicas" -# } - -# output "aurora_master_host" { -# value = try(module.aurora_cluster[0].master_host, null) -# description = "DB Master hostname" -# } - -# output "aurora_replicas_host" { -# value = try(module.aurora_cluster[0].replicas_host, null) -# description = "Replicas hostname" -# } - -# ################################################################################ -# ## rds -# ################################################################################ -# output "rds_instance_arn" { -# value = try(module.rds_instance[0].instance_arn, null) -# description = "The RDS Instance AWS ARN." -# } - -# output "rds_instance_endpoint" { -# value = try(module.rds_instance[0].instance_endpoint, null) -# description = "The DNS address to the RDS Instance." 
-# } - -# output "rds_instance_hostname" { -# value = try(module.rds_instance[0].hostname, null) -# description = "Hostname of the RDS Instance." -# } - -# output "rds_instance_id" { -# value = try(module.rds_instance[0].instance_id, null) -# description = "The RDS Instance AWS ID." -# } - -# output "rds_instance_resource_id" { -# value = try(module.rds_instance[0].resource_id, null) -# description = "The RDS Instance AWS resource ID." -# } - -# output "rds_instance_kms_arn" { -# value = var.rds_kms_key_arn_override != "" ? var.rds_kms_key_arn_override : try(aws_kms_key.rds_db_kms_key[0].arn, null) -# description = "RDS KMS Key ARN" -# } - -# output "rds_instance_kms_id" { -# value = var.rds_kms_key_id_override != "" ? var.rds_kms_key_id_override : try(aws_kms_key.rds_db_kms_key[0].key_id, null) -# description = "Output RDS KMS Key ID if the var.rds_kms_key_arn_override is \"\"" -# } +output "id" { + value = var.engine_type == "rds" ? aws_db_instance.this[0].id : aws_rds_cluster.this[0].id + description = "Instance or Cluster ID" +} + +output "identifier" { + value = var.engine_type == "rds" ? aws_db_instance.this[0].id : aws_rds_cluster.this[0].id + description = "Instance or Cluster Identifier " +} + +output "arn" { + value = var.engine_type == "rds" ? aws_db_instance.this[0].arn : aws_rds_cluster.this[0].arn + description = "Instance or Cluster ARN" +} + +output "username" { + value = local.username + description = "Username for the Database" +} + +output "database" { + value = local.database + description = "database name" +} + +output "port" { + value = local.port + description = "Dtabase server port" +} + +output "endpoint" { + value = var.engine_type == "rds" ? 
aws_db_instance.this[0].endpoint : aws_rds_cluster.this[0].endpoint + description = "Instance or Cluster Endpoint" +} + +output "kms_key_id" { + value = local.kms_key_id + description = "Instance or Cluster KM Key ID" +} + +output "performance_insights_kms_key_id" { + value = local.performance_insights_kms_key_id + description = "Instance or Cluster Performance insight KM Key ID" +} + +output "monitoring_role_arn" { + value = local.monitoring_role_arn + description = "Instance or Cluster Monitoring role arn" +} diff --git a/proxy.tf b/proxy.tf index 6a8a295..13c9ff8 100644 --- a/proxy.tf +++ b/proxy.tf @@ -1,17 +1,17 @@ resource "aws_secretsmanager_secret" "this" { - count = var.manage_user_password == false && var.proxy_config.create ? 1 : 0 + count = var.manage_user_password == null && var.proxy_config.create ? 1 : 0 name = "${local.prefix}-${var.name}-secret" description = "Credentials for RDS Proxy" } resource "aws_secretsmanager_secret_version" "db_secret_version" { - count = var.manage_user_password == false && var.proxy_config.create ? 1 : 0 + count = var.manage_user_password == null && var.proxy_config.create ? 1 : 0 secret_id = aws_secretsmanager_secret.this[0].id secret_string = jsonencode({ - username = aws_rds_cluster.this.master_username, - password = aws_rds_cluster.this.master_password + username = var.engine_type == "rds" ? aws_db_instance.this[0].username : aws_rds_cluster.this[0].master_username, + password = var.engine_type == "rds" ? aws_db_instance.this[0].password : aws_rds_cluster.this[0].master_password }) } 
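Review bot: `output "identifier"` in outputs.tf returns `aws_db_instance.this[0].id` for the `rds` engine type, but with the AWS provider 5.x the examples lock to, `id` on `aws_db_instance` is the DBI resource ID rather than the instance identifier (proxy.tf in this commit correctly reads `.identifier`), so the `id` and `identifier` outputs are the same value and neither is the instance name. Use `aws_db_instance.this[0].identifier : aws_rds_cluster.this[0].cluster_identifier` for the `identifier` output. Several descriptions also carry typos that end up in the generated README tables: `"Dtabase server port"`, `"Instance or Cluster KM Key ID"`, `"Instance or Cluster Performance insight KM Key ID"`, and a trailing space in `"Instance or Cluster Identifier "`.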
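Review bot: `aws_secretsmanager_secret.this` in proxy.tf now stores the master credentials for either engine type but still has no `kms_key_id`, so the proxy credential secret stays on the account default `aws/secretsmanager` key even when the caller creates a customer-managed key through `kms_data`. If that key's policy permits Secrets Manager use, `kms_key_id = var.kms_data.create ? aws_kms_alias.this[0].target_key_arn : null` keeps the credential under the same key as the database; the `aws/rds` fallback in `local.kms_key_id` cannot be used here, which is why this does not simply reuse the local. The `name`/`description` lines of the resource are context in this hunk and the rest of the resource is unchanged.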
@@ -32,8 +32,8 @@ resource "aws_db_proxy" "this" { auth_scheme = var.proxy_config.auth.auth_scheme description = var.proxy_config.auth.description == null ? "Auth for RDS Proxy" : var.proxy_config.auth.description iam_auth = var.proxy_config.auth.iam_auth - secret_arn = var.manage_user_password ? aws_rds_cluster.this.master_user_secret[0].secret_arn : aws_secretsmanager_secret.this[0].arn - username = var.proxy_config.auth.auth_scheme == "SECRETS" ? null : aws_rds_cluster.this.master_username + secret_arn = var.manage_user_password == true ? (var.engine_type == "rds" ? aws_db_instance.this[0].master_user_secret[0].secret_arn : aws_rds_cluster.this[0].master_user_secret[0].secret_arn) : aws_secretsmanager_secret.this[0].arn + username = var.proxy_config.auth.auth_scheme == "SECRETS" ? null : (var.engine_type == "rds" ? aws_db_instance.this[0].username : aws_rds_cluster.this[0].master_username) client_password_auth_type = var.proxy_config.auth.client_password_auth_type } @@ -68,9 +68,11 @@ resource "aws_db_proxy_default_target_group" "this" { resource "aws_db_proxy_target" "this" { count = var.proxy_config.create ? 1 : 0 - db_proxy_name = aws_db_proxy.this[0].name - target_group_name = aws_db_proxy_default_target_group.this[0].name - db_cluster_identifier = aws_rds_cluster.this.cluster_identifier + db_proxy_name = aws_db_proxy.this[0].name + target_group_name = aws_db_proxy_default_target_group.this[0].name + db_cluster_identifier = var.engine_type == "cluster" ? aws_rds_cluster.this[0].cluster_identifier : null + db_instance_identifier = var.engine_type == "rds" ? aws_db_instance.this[0].identifier : null + depends_on = [aws_db_instance.this, aws_rds_cluster.this] } @@ -111,7 +113,7 @@ resource "aws_iam_policy" "read_secrets" { ] }) - depends_on = [aws_rds_cluster.this, aws_secretsmanager_secret.this] + depends_on = [aws_rds_cluster.this, aws_db_instance.this, aws_secretsmanager_secret.this] } diff --git a/variables.tf b/variables.tf index 6a17d88..38f3ec8 100644 
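Review bot: The explicit `depends_on = [aws_db_instance.this, aws_rds_cluster.this]` added to `aws_db_proxy_target.this` is redundant: `db_cluster_identifier` and `db_instance_identifier` already reference those resources, so Terraform orders them implicitly, and an explicit `depends_on` on a zero-count resource only adds noise to the graph. Dropping the line keeps the resource to the attributes that actually express the dependency. The `depends_on` extension on `aws_iam_policy.read_secrets` is different, since the policy body does not necessarily reference the instance, and can stay.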
--- a/variables.tf +++ b/variables.tf @@ -37,19 +37,17 @@ EOT variable "engine_type" { type = string - description = "(optional) Engine type, valid values are 'rds' or 'aurora'" + description = "(optional) Engine type, valid values are 'rds' or 'cluster'" validation { - condition = contains(["rds", "aurora"], var.engine_type) - error_message = "The engine_type variable must be either 'rds' or 'aurora'." + condition = contains(["rds", "cluster"], var.engine_type) + error_message = "The engine_type variable must be either 'rds' or 'cluster'." } } -# Engine type (Aurora, Aurora MySQL, or Aurora PostgreSQL) variable "engine" { description = "The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql)." type = string - default = "aurora-postgresql" } # Engine version @@ -99,13 +97,13 @@ variable "port" { # Master username variable "username" { - description = "The master username for the database." + description = "The username for the database." type = string } # Master password variable "password" { - description = "The master password for the database." + description = "The password for the database." type = string sensitive = true default = null @@ -113,8 +111,11 @@ variable "password" { variable "manage_user_password" { type = bool - description = "(optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is provided." - default = false + description = <<-EOT + (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is provided." + null - is equal to 'false', don't set it to false , known bug : https://github.com/hashicorp/terraform-provider-aws/issues/31179 + EOT + default = null } # Database name 
@@ -163,13 +164,6 @@ variable "storage_encrypted" { default = true } -# # KMS key identifier -# variable "kms_key_id" { -# description = "The ARN of the KMS key to use for encryption." -# type = string -# default = "aws/rds" -# } - # Enable IAM database authentication variable "iam_database_authentication_enabled" { description = "Enable IAM database authentication for the RDS cluster." @@ -190,12 +184,6 @@ variable "performance_insights_enabled" { default = false } -variable "performance_insights_kms_key_id" { - type = string - description = "(optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Specifies the KMS Key ID to encrypt Performance Insights data. If not specified, the default RDS KMS key will be used (aws/rds)." - default = "aws/rds" -} - variable "network_type" { type = string description = "(optional) Network type of the cluster. Valid values: IPV4, DUAL." 
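Review bot: The new `manage_user_password` description says `false` must not be used (the provider issue it links), but the variable does not enforce that, and the `null`/`true` branches this commit adds in locals.tf and proxy.tf index an empty resource when `false` is combined with a proxy; a validation block turns the prose into a plan-time error. The heredoc also keeps a stray `"` after `provided.` left over from the old single-line string. Proposed validation below.
```terraform
variable "manage_user_password" {
  type = bool
  # … unchanged: description heredoc …
  default = null

  validation {
    condition     = var.manage_user_password != false
    error_message = "manage_user_password must be true or null; false is not supported (see description)."
  }
}
```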
@@ -240,17 +228,8 @@ variable "rds_cluster_instances" { availability_zone = optional(string, null) publicly_accessible = optional(bool, false) db_parameter_group_name = optional(string, null) - # apply_immediately = optional(bool, false) - # preferred_maintenance_window = optional(string, null) - # auto_minor_version_upgrade = optional(bool, true) - # ca_cert_identifier = optional(string, null) - # monitoring_interval = optional(number, 0) // 0 - disabled - # monitoring_role_arn = optional(string, null) - # performance_insights_enabled = optional(bool, false) - # performance_insights_kms_key_id = optional(string, null) - # performance_insights_retention_period = optional(number, 7) - promotion_tier = optional(number, 0) - copy_tags_to_snapshot = optional(bool, true) + promotion_tier = optional(number, 0) + copy_tags_to_snapshot = optional(bool, true) })) description = <<-EOT "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings." @@ -443,7 +422,7 @@ variable "apply_immediately" { variable "monitoring_interval" { description = "The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60." type = number - default = 60 + default = 0 } variable "enabled_cloudwatch_logs_exports" { @@ -455,7 +434,7 @@ variable "enabled_cloudwatch_logs_exports" { variable "iops" { description = "The amount of provisioned IOPS. Required if using io1 storage type." type = number - default = 1000 + default = 0 } variable "enable_multi_az" { @@ -488,9 +467,10 @@ variable "ca_cert_identifier" { default = null } -variable "instance_class" { +variable "db_server_class" { type = string description = "Instance class for RDS instance" + default = "db.t3.medium" } variable "allocated_storage" {
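Review bot: Changing the default of `monitoring_interval` from `60` to `0` silently disables Enhanced Monitoring for every caller that relied on the old default, and locals.tf in this commit also gates `monitoring_role_arn` on `var.monitoring_interval > 0`, so those callers lose the monitoring role on their next apply as well; the commit message only mentions examples, so this needs a changelog or README entry, or the old default kept. The `instance_class` to `db_server_class` rename in the last hunk is likewise a breaking input change for existing module users and belongs in the same note. Of the new examples, examples/rds-proxy/main.tf sets `monitoring_interval = 60` explicitly while examples/rds/main.tf does not and now runs without Enhanced Monitoring; adding the same line there keeps the examples consistent.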