From 39f60c308922eb103a0a64c0b0a0288cce74b84f Mon Sep 17 00:00:00 2001
From: Andrew Reida
Date: Wed, 7 Aug 2024 13:54:04 -0700
Subject: [PATCH 1/7] Set CA cert authority value for aurora cluster
---
 db.tf | 1 +
 rds_cluster/main.tf | 2 ++
 rds_cluster/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 4 files changed, 15 insertions(+)
diff --git a/db.tf b/db.tf
index 16fa682..2ad4dee 100644
--- a/db.tf
+++ b/db.tf
@@ -8,4 +8,5 @@ module "database" {
 name = var.service_name
 vpc_id = var.vpc_id
 database_name = var.db_name
+ ca_cert_identifier = var.ca_cert_identifier
 }
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 3a4d854..4e1f17a 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -21,6 +21,7 @@ resource "aws_rds_cluster" "this" {
 tags = var.tags
 db_cluster_parameter_group_name = "default.aurora-postgresql14"
 deletion_protection = true
+ ca_certificate_identifier = var.ca_cert_identifier
 }

 resource "random_password" "password" {
@@ -65,6 +66,7 @@ resource "aws_rds_cluster_instance" "this" {
 instance_class = var.instance_class
 db_subnet_group_name = aws_db_subnet_group.this.name
 tags = var.tags
+ ca_cert_identifier = var.ca_cert_identifier
 }

 resource "aws_db_subnet_group" "this" {
diff --git a/rds_cluster/variables.tf b/rds_cluster/variables.tf
index 9452cdd..8ce56eb 100644
--- a/rds_cluster/variables.tf
+++ b/rds_cluster/variables.tf
@@ -44,3 +44,9 @@ variable "instance_class" {
 type = string
 description = "Instance class"
 }
+
+variable "ca_cert_identifier" {
+ type = string
+ description = "Identifier of the CA certificate for the DB instance"
+ default = "rds-ca-rsa2048-g1"
+}
diff --git a/variables.tf b/variables.tf
index bf8fc37..c7faff5 100644
--- a/variables.tf
+++ b/variables.tf
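Review bot: The module call in db.tf forwards `var.ca_cert_identifier` unconditionally, but the root variable defaults to `null` (variables.tf hunk of this patch) while the module variable defaults to `"rds-ca-rsa2048-g1"` (rds_cluster/variables.tf hunk), and Terraform passes an explicit `null` through to a module input unless that variable declares `nullable = false`, so the module's CA pin is never effective through this call and the cluster and instances get whatever CA AWS assigns by default. Either make the two defaults agree, or add `nullable = false` to the module's `ca_cert_identifier` variable so a null from the caller falls back to the module default; the same point applies to the rds_cluster/variables.tf and variables.tf hunks in this patch. Whichever is chosen, the description `"Identifier of the CA certificate for the DB instance"` should say what a null value means in practice.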
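Review bot: Setting `ca_cert_identifier` on `aws_rds_cluster_instance` only changes the certificate the server presents; it provides no assurance unless clients verify that chain, and nothing in this patch touches the connection string this module appears to publish (an `aws_secretsmanager_secret_version` "connection_string" resource is visible only as hunk context later in the series). Worth confirming that the published connection string asks for certificate verification (for PostgreSQL, `sslmode=verify-full`) against the RDS CA bundle matching this identifier, because otherwise a CA change is invisible to consumers and a mismatched client bundle breaks them. Changing the CA on an existing instance is an instance modification; whether it restarts the instance or waits for the maintenance window depends on the engine version and on `apply_immediately`, neither of which is set in this hunk, so the variable description should state the expected effect, e.g. `description = "RDS CA identifier presented by the DB instance; clients must trust the matching RDS CA bundle"`. The `aws_rds_cluster_instance` block starts outside the hunk.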
@@ -140,3 +140,9 @@ variable "assign_public_ip" {
 description = "Whether or not to assign a public IP to the task"
 default = false
 }
+
+variable "ca_cert_identifier" {
+ type = string
+ description = "Identifier of the CA certificate for the DB instance"
+ default = null
+}
From 48b4075b18335cd8c271eb9b7e5f8b801f89cf2e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 7 Aug 2024 22:46:13 +0000
Subject: [PATCH 2/7] terraform-docs: automated action
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 846c21e..5e485c1 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ You can do this by commenting out the entire module, running a terraform apply,
 | [alb\_security\_group\_id](#input\_alb\_security\_group\_id) | Security Group ID for the ALB | `string` | n/a | yes |
 | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether or not to assign a public IP to the task | `bool` | `false` | no |
 | [azs](#input\_azs) | Availability zones | `list(string)` | n/a | yes |
+| [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | Identifier of the CA certificate for the DB instance | `string` | `null` | no |
 | [cluster\_arn](#input\_cluster\_arn) | ECS cluster to deploy into | `string` | n/a | yes |
 | [command](#input\_command) | Container startup command (Use null if container\_definitions is set) | `list(string)` | n/a | yes |
 | [container\_definitions](#input\_container\_definitions) | A list of valid container definitions provided as a single valid JSON document. By default, this module will generate a container definition for you. If you need to provide your own or have multiple, you can do so here. | `string` | `null` | no |
From f37e2ef13f11b47da75afda06c68ca32788b1d1f Mon Sep 17 00:00:00 2001
From: Andrew Reida
Date: Wed, 14 Aug 2024 09:05:16 -0700
Subject: [PATCH 3/7] Quick experiment
---
 rds_cluster/main.tf | 2 +-
 rds_cluster/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 4e1f17a..1ca7959 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -21,7 +21,7 @@ resource "aws_rds_cluster" "this" {
 tags = var.tags
 db_cluster_parameter_group_name = "default.aurora-postgresql14"
 deletion_protection = true
- ca_certificate_identifier = var.ca_cert_identifier
+ ca_certificate_identifier = var.availability_zones.length && var.ca_cert_identifier ? var.ca_cert_identifier : null
 }

 resource "random_password" "password" {
diff --git a/rds_cluster/variables.tf b/rds_cluster/variables.tf
index 8ce56eb..0625a20 100644
--- a/rds_cluster/variables.tf
+++ b/rds_cluster/variables.tf
@@ -48,5 +48,5 @@ variable "instance_class" {
 variable "ca_cert_identifier" {
 type = string
 description = "Identifier of the CA certificate for the DB instance"
- default = "rds-ca-rsa2048-g1"
+ default = null
 }
From 77b526a0e79b7b4fcee97efb6fbcbdaeded7cf63 Mon Sep 17 00:00:00 2001
From: Andrew Reida
Date: Wed, 14 Aug 2024 09:10:18 -0700
Subject: [PATCH 4/7] Our aws tf version must not match the current docs
---
 rds_cluster/main.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 1ca7959..3467c7b 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -21,7 +21,6 @@ resource "aws_rds_cluster" "this" {
 tags = var.tags
 db_cluster_parameter_group_name = "default.aurora-postgresql14"
 deletion_protection = true
- ca_certificate_identifier = var.availability_zones.length && var.ca_cert_identifier ? var.ca_cert_identifier : null
 }

 resource "random_password" "password" {
From eae70ff4233e640f0eb71ab981ad0afcf506ea87 Mon Sep 17 00:00:00 2001
From: Andrew Reida
Date: Wed, 14 Aug 2024 10:39:08 -0700
Subject: [PATCH 5/7] Need this to fix db minor version drift
---
 db.tf | 1 +
 rds_cluster/main.tf | 2 +-
 rds_cluster/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/db.tf b/db.tf
index 2ad4dee..aec05cf 100644
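Review bot: The new conditional on `ca_certificate_identifier` in the PATCH 3/7 hunk is not valid HCL: a list value has no `.length` attribute (the function form `length(var.availability_zones)` is required), `&&` accepts only booleans so a string operand on its right is a type error, and `var.availability_zones` is not among the module variables visible anywhere in this series, so the plan would fail before the expression is ever evaluated. If the intent is "set the CA only when one was supplied", the previous line `ca_certificate_identifier = var.ca_cert_identifier` already does that, because a `null` argument is treated as unset. PATCH 4/7 drops the line entirely; the companion change in this patch, flipping the module default to `null`, is what actually removes the mismatch with the root variable's default. The `aws_rds_cluster` block starts outside the hunk.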
--- a/db.tf
+++ b/db.tf
@@ -9,4 +9,5 @@ module "database" {
 vpc_id = var.vpc_id
 database_name = var.db_name
 ca_cert_identifier = var.ca_cert_identifier
+ engine_version = var.rds_cluster_engine_version
 }
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 3467c7b..41d63b8 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -6,7 +6,7 @@ resource "random_id" "final_snapshot_suffix" {
 resource "aws_rds_cluster" "this" {
 cluster_identifier_prefix = var.name
 engine = "aurora-postgresql"
- engine_version = "14.6"
+ engine_version = var.engine_version
 database_name = var.database_name
 skip_final_snapshot = false
 final_snapshot_identifier = "${var.name}-final-${random_id.final_snapshot_suffix.hex}"
diff --git a/rds_cluster/variables.tf b/rds_cluster/variables.tf
index 0625a20..8374c1e 100644
--- a/rds_cluster/variables.tf
+++ b/rds_cluster/variables.tf
@@ -50,3 +50,9 @@ variable "ca_cert_identifier" {
 description = "Identifier of the CA certificate for the DB instance"
 default = null
 }
+
+variable "engine_version" {
+ type = string
+ description = "Database engine version"
+ default = "14.6"
+}
diff --git a/variables.tf b/variables.tf
index c7faff5..7ca0f82 100644
--- a/variables.tf
+++ b/variables.tf
@@ -146,3 +146,9 @@ variable "ca_cert_identifier" {
 description = "Identifier of the CA certificate for the DB instance"
 default = null
 }
+
+variable "rds_cluster_engine_version" {
+ type = string
+ description = "Database engine version"
+ default = "14.6"
+}
From c308dbfb7cc09d2de411e896b38e9f3cfeba8c78 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 14 Aug 2024 17:40:02 +0000
Subject: [PATCH 6/7] terraform-docs: automated action
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 5e485c1..34e551f 100644
--- a/README.md
+++ b/README.md
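Review bot: Turning `engine_version` on `aws_rds_cluster` into a variable does not by itself stop the minor-version drift the commit message describes: if automatic minor version upgrades are enabled on the instances, AWS moves the cluster off the configured value and the next plan shows the same diff again, and applying it attempts a version change on a live cluster. The usual remedies are to pin only the major version and read `engine_version_actual` for the running value, or to add `lifecycle { ignore_changes = [engine_version] }` on the cluster when upgrades are meant to be AWS-managed; which of these is intended is not stated anywhere in the patch. A fixed default of `"14.6"` also means every new cluster is created on that exact minor unless the caller overrides it, so the description `"Database engine version"` in the rds_cluster/variables.tf and variables.tf hunks of this patch should say whether the default is a floor that is expected to be bumped as patch releases ship, e.g. `description = "Aurora PostgreSQL engine version; bump as AWS retires older minors"`. The `aws_rds_cluster` block continues outside the hunk.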
@@ -74,6 +74,7 @@ You can do this by commenting out the entire module, running a terraform apply,
 | [hostname](#input\_hostname) | Hostname to use for listener rule | `string` | n/a | yes |
 | [listener\_arn](#input\_listener\_arn) | ALB listener ARN to add listener rule to | `string` | n/a | yes |
 | [load\_balancer\_container\_name](#input\_load\_balancer\_container\_name) | Container name to use for load balancer target group forwarder | `string` | `null` | no |
+| [rds\_cluster\_engine\_version](#input\_rds\_cluster\_engine\_version) | Database engine version | `string` | `"14.6"` | no |
 | [service\_name](#input\_service\_name) | Service directory in the application git repo | `string` | n/a | yes |
 | [subnets](#input\_subnets) | List of subnet names the service will reside on. | `list(string)` | n/a | yes |
 | [task\_cpu](#input\_task\_cpu) | Task CPU | `number` | `1024` | no |
From 6f34327d89b952ff2f163f5393f8cb0500aee259 Mon Sep 17 00:00:00 2001
From: Andrew Reida
Date: Wed, 14 Aug 2024 10:43:46 -0700
Subject: [PATCH 7/7] Pass engine version here as well
---
 rds_cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 41d63b8..8ba5e2e 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -58,7 +58,7 @@ resource "aws_secretsmanager_secret_version" "connection_string" {
 resource "aws_rds_cluster_instance" "this" {
 count = var.instance_count
 engine = "aurora-postgresql"
- engine_version = "14.6"
+ engine_version = var.engine_version
 identifier_prefix = "${var.name}-${count.index + 1}"
 performance_insights_enabled = true
 cluster_identifier = aws_rds_cluster.this.id
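Review bot: `engine_version` on `aws_rds_cluster_instance` now reads the same variable as the cluster, but it is still an independently evaluated value, so the two can diverge as soon as either side drifts or an `ignore_changes` is later added to only one of them. Referencing the cluster directly, `engine_version = aws_rds_cluster.this.engine_version`, ties the instances to the cluster's version and removes the second place the value has to be kept in sync (the provider's instance documentation wires it this way); the hard-coded `engine = "aurora-postgresql"` two lines above could likewise become `engine = aws_rds_cluster.this.engine`. The `aws_rds_cluster_instance` block continues outside the hunk.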