From 3550f1bd9c3780770db2d7dd0eb3d253020637d4 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 8 May 2021 17:26:51 -0400 Subject: [PATCH] BREAKING CHANGE: add new resource `aws_db_proxy_endpoint` for generating proxy endpoints from a dynamic map of inputs (#5) --- .pre-commit-config.yaml | 2 +- README.md | 29 +++++++++----- examples/mysql_iam_cluster/README.md | 17 +++++---- examples/mysql_iam_cluster/main.tf | 38 +++++++++++++------ examples/mysql_iam_cluster/outputs.tf | 11 +++++- examples/mysql_iam_cluster/versions.tf | 7 +++- examples/mysql_iam_instance/README.md | 19 +++++----- examples/mysql_iam_instance/main.tf | 40 ++++++++++++++------ examples/mysql_iam_instance/outputs.tf | 11 +++++- examples/mysql_iam_instance/versions.tf | 7 +++- examples/postgresql_iam_cluster/README.md | 17 +++++---- examples/postgresql_iam_cluster/main.tf | 38 +++++++++++++------ examples/postgresql_iam_cluster/outputs.tf | 11 +++++- examples/postgresql_iam_cluster/versions.tf | 7 +++- examples/postgresql_iam_instance/README.md | 19 +++++----- examples/postgresql_iam_instance/main.tf | 40 ++++++++++++++------ examples/postgresql_iam_instance/outputs.tf | 11 +++++- examples/postgresql_iam_instance/versions.tf | 7 +++- main.tf | 12 ++++++ outputs.tf | 6 +++ variables.tf | 7 ++++ versions.tf | 7 +++- 22 files changed, 255 insertions(+), 108 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c9cb199..e3e3cbc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.48.0 + rev: v1.50.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index bfe190a..360db7a 100644 --- a/README.md +++ b/README.md 
@@ -2,12 +2,6 @@ Terraform module which creates an AWS RDS Proxy and its supporting resources. -The following resources are supported: - -- [AWS RDS Proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy) -- [AWS RDS Proxy Default Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group) -- [AWS RDS Proxy Target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_target) - ## Usage See [`examples`](./examples) directory for working examples to reference: @@ -21,6 +15,20 @@ module "rds_proxy" { vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"] vpc_security_group_ids = ["sg-f1d03a88"] + db_proxy_endpoints = { + read_write = { + name = "read-write-endpoint" + vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"] + vpc_security_group_ids = ["sg-f1d03a88"] + }, + read_only = { + name = "read-only-endpoint" + vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"] + vpc_security_group_ids = ["sg-f1d03a88"] + target_role = "READ_ONLY" + } + } + secrets = { "superuser" = { description = "Aurora PostgreSQL superuser password" @@ -58,14 +66,14 @@ Examples codified under the [`examples`](./examples) are intended to give users | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 3.9 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.38 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.9 | +| [aws](#provider\_aws) | >= 3.38 | ## Modules 
@@ -78,6 +86,7 @@ No modules. | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_db_proxy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy) | resource | | [aws_db_proxy_default_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group) | resource | +| [aws_db_proxy_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_endpoint) | resource | | [aws_db_proxy_target.db_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_target) | resource | | [aws_db_proxy_target.db_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_target) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 
@@ -100,6 +109,7 @@ No modules. | [db\_host](#input\_db\_host) | The identifier to use for the database endpoint | `string` | `""` | no | | [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no | | [db\_name](#input\_db\_name) | The name of the database | `string` | `""` | no | +| [db\_proxy\_endpoints](#input\_db\_proxy\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no | | [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no | | [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no | | [iam\_auth](#input\_iam\_auth) | Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED` | `string` | `"REQUIRED"` | no | @@ -138,6 +148,7 @@ No modules. | Name | Description | |------|-------------| +| [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created | | [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group | | [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy | | [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group | diff --git a/examples/mysql_iam_cluster/README.md b/examples/mysql_iam_cluster/README.md index 9a8affd..ee85022 100644 --- a/examples/mysql_iam_cluster/README.md +++ b/examples/mysql_iam_cluster/README.md 
@@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 3.9 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.38 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.9 | +| [aws](#provider\_aws) | >= 3.38 | | [random](#provider\_random) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | 2.16.0 | -| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | 3.0.0 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | | -| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.64.0 | +| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | ## Resources 
@@ -80,6 +80,7 @@ No inputs. | Name | Description | |------|-------------| +| [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created | | [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group | | [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy | | [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group | diff --git a/examples/mysql_iam_cluster/main.tf b/examples/mysql_iam_cluster/main.tf index 93bf0d8..e30900b 100644 --- a/examples/mysql_iam_cluster/main.tf +++ b/examples/mysql_iam_cluster/main.tf @@ -38,7 +38,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.64.0" + version = "~> 3" name = local.name cidr = "10.0.0.0/18" @@ -57,7 +57,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds-aurora/aws" - version = "3.0.0" + version = "~> 4" name = local.name database_name = local.db_name @@ -77,7 +77,7 @@ module "rds" { vpc_id = module.vpc.vpc_id subnets = module.vpc.database_subnets - allowed_security_groups = [module.rds_proxy_sg.this_security_group_id] + allowed_security_groups = [module.rds_proxy_sg.security_group_id] db_subnet_group_name = local.name # Created by VPC module db_parameter_group_name = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id @@ -158,7 +158,7 @@ data "aws_ami" "ubuntu" { module "ec2_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "ec2" description = "EC2 RDS Proxy example security group" @@ -171,7 +171,7 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "2.16.0" + version = "~> 2" name = local.name instance_count = 1 
@@ -190,7 +190,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" - vpc_security_group_ids = [module.ec2_sg.this_security_group_id] + vpc_security_group_ids = [module.ec2_sg.security_group_id] subnet_ids = module.vpc.private_subnets tags = local.tags @@ -226,7 +226,7 @@ resource "aws_secretsmanager_secret_version" "superuser" { module "rds_proxy_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "rds_proxy" description = "PostgreSQL RDS Proxy example security group" @@ -261,7 +261,23 @@ module "rds_proxy" { name = local.name iam_role_name = local.name vpc_subnet_ids = module.vpc.private_subnets - vpc_security_group_ids = [module.rds_proxy_sg.this_security_group_id] + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + + db_proxy_endpoints = { + read_write = { + name = "read-write-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + tags = local.tags + }, + read_only = { + name = "read-only-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + target_role = "READ_ONLY" + tags = local.tags + } + } secrets = { "${local.db_username}" = { @@ -272,13 +288,13 @@ module "rds_proxy" { } engine_family = "MYSQL" - db_host = module.rds.this_rds_cluster_endpoint - db_name = module.rds.this_rds_cluster_database_name + db_host = module.rds.rds_cluster_endpoint + db_name = module.rds.rds_cluster_database_name debug_logging = true # Target Aurora cluster target_db_cluster = true - db_cluster_identifier = module.rds.this_rds_cluster_id + db_cluster_identifier = module.rds.rds_cluster_id tags = local.tags } diff --git a/examples/mysql_iam_cluster/outputs.tf b/examples/mysql_iam_cluster/outputs.tf index 0fe3749..27b5466 100644 --- a/examples/mysql_iam_cluster/outputs.tf +++ b/examples/mysql_iam_cluster/outputs.tf 
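Review bot: The endpoint names in the `db_proxy_endpoints` map added to `module "rds_proxy"` are the fixed literals `"read-write-endpoint"` and `"read-only-endpoint"`, whereas every other named resource in the example derives its name from `local.name`; if, as the DBProxyEndpointName API documentation indicates, a proxy endpoint name must be unique per account and region, applying two of these examples in the same account will collide on the second apply. Suggest `name = "${local.name}-read-write"` and `name = "${local.name}-read-only"` so the examples stay independent. The same literals appear in examples/postgresql_iam_cluster/main.tf, examples/mysql_iam_instance/main.tf and examples/postgresql_iam_instance/main.tf. The `module "rds_proxy"` block begins before this hunk and continues past it.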
@@ -66,6 +66,12 @@ output "proxy_target_type" { value = module.rds_proxy.proxy_target_type } +# DB proxy endponts +output "db_proxy_endpoints" { + description = "Array containing the full resource object and attributes for all DB proxy endpoints created" + value = module.rds_proxy.db_proxy_endpoints +} + # CloudWatch logs output "log_group_arn" { description = "The Amazon Resource Name (ARN) of the CloudWatch log group" @@ -75,7 +81,8 @@ output "log_group_arn" { # For aiding in testing & verification output "superuser_db_password_connect" { description = "Connect to database using superuser with username/password directly to database" - value = "mysql --host=${module.rds.this_rds_cluster_endpoint} --user=${local.db_username} --password=${local.db_password} ${module.rds.this_rds_cluster_database_name}" + value = "mysql --host=${module.rds.rds_cluster_endpoint} --user=${local.db_username} --password=${local.db_password} ${module.rds.rds_cluster_database_name}" + sensitive = true } output "superuser_proxy_iam_token" { @@ -85,5 +92,5 @@ output "superuser_proxy_iam_token" { output "superuser_proxy_iam_connect" { description = "Connect to RDS Proxy using IAM auth via token generated" - value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.this_rds_cluster_database_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin" + value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.rds_cluster_database_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin" } diff --git a/examples/mysql_iam_cluster/versions.tf b/examples/mysql_iam_cluster/versions.tf index ad7239f..7f7a34a 100644 --- a/examples/mysql_iam_cluster/versions.tf +++ b/examples/mysql_iam_cluster/versions.tf 
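Review bot: The comment introduced above the new `db_proxy_endpoints` output reads `# DB proxy endponts`; it should be `# DB proxy endpoints`. The same misspelled comment is added in examples/mysql_iam_instance/outputs.tf, examples/postgresql_iam_cluster/outputs.tf and examples/postgresql_iam_instance/outputs.tf.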
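Review bot: Adding `sensitive = true` to `superuser_db_password_connect` is the right call because the value interpolates `local.db_password`, but it only suppresses display in plan/apply and `terraform output`; the plaintext command is still written to the state file, and the example's README should say so next to wherever it tells users to read this output. `superuser_proxy_iam_connect` embeds only the literal shell placeholder `$TOKEN`, not a token value, so leaving it unmarked is consistent. The same change is made in examples/mysql_iam_instance/outputs.tf, examples/postgresql_iam_cluster/outputs.tf and examples/postgresql_iam_instance/outputs.tf.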
@@ -1,7 +1,10 @@ terraform { - required_version = ">= 0.12.26" + required_version = ">= 0.13.1" required_providers { - aws = ">= 3.9" + aws = { + source = "hashicorp/aws" + version = ">= 3.38" + } } } diff --git a/examples/mysql_iam_instance/README.md b/examples/mysql_iam_instance/README.md index 8be448e..845dae1 100644 --- a/examples/mysql_iam_instance/README.md +++ b/examples/mysql_iam_instance/README.md 
@@ -30,27 +30,27 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 3.9 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.38 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.9 | +| [aws](#provider\_aws) | >= 3.38 | | [random](#provider\_random) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | 2.16.0 | -| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds](#module\_rds) | terraform-aws-modules/rds/aws | 2.20.0 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | | -| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.64.0 | +| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | ## Resources 
@@ -79,6 +79,7 @@ No inputs. | Name | Description | |------|-------------| +| [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created | | [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group | | [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy | | [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group | diff --git a/examples/mysql_iam_instance/main.tf b/examples/mysql_iam_instance/main.tf index c266900..8f43934 100644 --- a/examples/mysql_iam_instance/main.tf +++ b/examples/mysql_iam_instance/main.tf @@ -38,7 +38,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.64.0" + version = "~> 3" name = local.name cidr = "10.0.0.0/18" @@ -56,7 +56,7 @@ module "vpc" { module "rds_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "rds" description = "MySQL RDS example security group" @@ -77,7 +77,7 @@ module "rds_sg" { module "rds" { source = "terraform-aws-modules/rds/aws" - version = "2.20.0" + version = "~> 3" name = local.db_name username = local.db_username @@ -97,7 +97,7 @@ module "rds" { storage_encrypted = false apply_immediately = true - vpc_security_group_ids = [module.rds_sg.this_security_group_id] + vpc_security_group_ids = [module.rds_sg.security_group_id] subnet_ids = module.vpc.database_subnets maintenance_window = "Mon:00:00-Mon:03:00" @@ -168,7 +168,7 @@ data "aws_ami" "ubuntu" { module "ec2_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "ec2" description = "EC2 RDS Proxy example security group" 
@@ -181,7 +181,7 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "2.16.0" + version = "~> 2" name = local.name instance_count = 1 @@ -200,7 +200,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" - vpc_security_group_ids = [module.ec2_sg.this_security_group_id] + vpc_security_group_ids = [module.ec2_sg.security_group_id] subnet_ids = module.vpc.private_subnets tags = local.tags @@ -236,7 +236,7 @@ resource "aws_secretsmanager_secret_version" "superuser" { module "rds_proxy_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "rds_proxy" description = "MySQL RDS Proxy example security group" @@ -271,7 +271,23 @@ module "rds_proxy" { name = local.name iam_role_name = local.name vpc_subnet_ids = module.vpc.private_subnets - vpc_security_group_ids = [module.rds_proxy_sg.this_security_group_id] + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + + db_proxy_endpoints = { + read_write = { + name = "read-write-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + tags = local.tags + }, + read_only = { + name = "read-only-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + target_role = "READ_ONLY" + tags = local.tags + } + } secrets = { "${local.db_username}" = { @@ -282,13 +298,13 @@ module "rds_proxy" { } engine_family = "MYSQL" - db_host = module.rds.this_db_instance_address - db_name = module.rds.this_db_instance_name + db_host = module.rds.db_instance_address + db_name = module.rds.db_instance_name debug_logging = true # Target RDS instance target_db_instance = true - db_instance_identifier = module.rds.this_db_instance_id + db_instance_identifier = module.rds.db_instance_id tags = local.tags } 
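Review bot: The `read_only` entry with `target_role = "READ_ONLY"` added to `module "rds_proxy"` is paired with a single RDS instance target (`target_db_instance = true` later in the same hunk), yet AWS documents RDS Proxy reader endpoints as a feature of Aurora cluster targets; on an instance target this entry is likely to be rejected at apply time or, at best, to create an endpoint with no reader behind it — confirm against the provider 3.38 and API documentation. Either drop the `read_only` entry from the two instance examples or keep it with a comment such as `# READ_ONLY endpoints are documented for Aurora cluster targets; illustrative only for a single instance`. The same entry appears in examples/postgresql_iam_instance/main.tf. The `module "rds_proxy"` block begins before this hunk and continues past it.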
diff --git a/examples/mysql_iam_instance/outputs.tf b/examples/mysql_iam_instance/outputs.tf index b3c5a35..b553416 100644 --- a/examples/mysql_iam_instance/outputs.tf +++ b/examples/mysql_iam_instance/outputs.tf @@ -66,6 +66,12 @@ output "proxy_target_type" { value = module.rds_proxy.proxy_target_type } +# DB proxy endponts +output "db_proxy_endpoints" { + description = "Array containing the full resource object and attributes for all DB proxy endpoints created" + value = module.rds_proxy.db_proxy_endpoints +} + # CloudWatch logs output "log_group_arn" { description = "The Amazon Resource Name (ARN) of the CloudWatch log group" @@ -75,7 +81,8 @@ output "log_group_arn" { # For aiding in testing & verification output "superuser_db_password_connect" { description = "Connect to database using superuser with username/password directly to database" - value = "mysql --host=${module.rds.this_db_instance_address} --user=${local.db_username} --password=${local.db_password} ${module.rds.this_db_instance_name}" + value = "mysql --host=${module.rds.db_instance_address} --user=${local.db_username} --password=${local.db_password} ${module.rds.db_instance_name}" + sensitive = true } output "superuser_proxy_iam_token" { @@ -85,5 +92,5 @@ output "superuser_proxy_iam_token" { output "superuser_proxy_iam_connect" { description = "Connect to RDS Proxy using IAM auth via token generated" - value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.this_db_instance_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin" + value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.db_instance_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin" } diff --git a/examples/mysql_iam_instance/versions.tf b/examples/mysql_iam_instance/versions.tf index ad7239f..7f7a34a 100644 --- a/examples/mysql_iam_instance/versions.tf 
+++ b/examples/mysql_iam_instance/versions.tf @@ -1,7 +1,10 @@ terraform { - required_version = ">= 0.12.26" + required_version = ">= 0.13.1" required_providers { - aws = ">= 3.9" + aws = { + source = "hashicorp/aws" + version = ">= 3.38" + } } } diff --git a/examples/postgresql_iam_cluster/README.md b/examples/postgresql_iam_cluster/README.md index 77d19ce..5dee515 100644 --- a/examples/postgresql_iam_cluster/README.md +++ b/examples/postgresql_iam_cluster/README.md @@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 3.9 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.38 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.9 | +| [aws](#provider\_aws) | >= 3.38 | | [random](#provider\_random) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | 2.16.0 | -| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | 3.0.0 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | | -| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.64.0 | +| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | ## Resources 
@@ -80,6 +80,7 @@ No inputs. | Name | Description | |------|-------------| +| [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created | | [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group | | [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy | | [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group | diff --git a/examples/postgresql_iam_cluster/main.tf b/examples/postgresql_iam_cluster/main.tf index 6fff11d..c77a769 100644 --- a/examples/postgresql_iam_cluster/main.tf +++ b/examples/postgresql_iam_cluster/main.tf @@ -38,7 +38,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.64.0" + version = "~> 3" name = local.name cidr = "10.0.0.0/18" @@ -57,7 +57,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds-aurora/aws" - version = "3.0.0" + version = "~> 5" name = local.name database_name = local.db_name @@ -77,7 +77,7 @@ module "rds" { vpc_id = module.vpc.vpc_id subnets = module.vpc.database_subnets - allowed_security_groups = [module.rds_proxy_sg.this_security_group_id] + allowed_security_groups = [module.rds_proxy_sg.security_group_id] db_subnet_group_name = local.name # Created by VPC module db_parameter_group_name = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id @@ -158,7 +158,7 @@ data "aws_ami" "ubuntu" { module "ec2_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "ec2" description = "EC2 RDS Proxy example security group" @@ -171,7 +171,7 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "2.16.0" + version = "~> 2" name = local.name instance_count = 1 
@@ -190,7 +190,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" - vpc_security_group_ids = [module.ec2_sg.this_security_group_id] + vpc_security_group_ids = [module.ec2_sg.security_group_id] subnet_ids = module.vpc.private_subnets tags = local.tags @@ -226,7 +226,7 @@ resource "aws_secretsmanager_secret_version" "superuser" { module "rds_proxy_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "rds_proxy" description = "PostgreSQL RDS Proxy example security group" @@ -261,7 +261,23 @@ module "rds_proxy" { name = local.name iam_role_name = local.name vpc_subnet_ids = module.vpc.private_subnets - vpc_security_group_ids = [module.rds_proxy_sg.this_security_group_id] + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + + db_proxy_endpoints = { + read_write = { + name = "read-write-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + tags = local.tags + }, + read_only = { + name = "read-only-endpoint" + vpc_subnet_ids = module.vpc.private_subnets + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] + target_role = "READ_ONLY" + tags = local.tags + } + } secrets = { "${local.db_username}" = { @@ -272,13 +288,13 @@ module "rds_proxy" { } engine_family = "POSTGRESQL" - db_host = module.rds.this_rds_cluster_endpoint - db_name = module.rds.this_rds_cluster_database_name + db_host = module.rds.rds_cluster_endpoint + db_name = module.rds.rds_cluster_database_name debug_logging = true # Target Aurora cluster target_db_cluster = true - db_cluster_identifier = module.rds.this_rds_cluster_id + db_cluster_identifier = module.rds.rds_cluster_id tags = local.tags } diff --git a/examples/postgresql_iam_cluster/outputs.tf b/examples/postgresql_iam_cluster/outputs.tf index 1a3ffbc..53ec99c 100644 --- a/examples/postgresql_iam_cluster/outputs.tf +++ b/examples/postgresql_iam_cluster/outputs.tf 
@@ -66,6 +66,12 @@ output "proxy_target_type" { value = module.rds_proxy.proxy_target_type } +# DB proxy endponts +output "db_proxy_endpoints" { + description = "Array containing the full resource object and attributes for all DB proxy endpoints created" + value = module.rds_proxy.db_proxy_endpoints +} + # CloudWatch logs output "log_group_arn" { description = "The Amazon Resource Name (ARN) of the CloudWatch log group" @@ -75,7 +81,8 @@ output "log_group_arn" { # For aiding in testing & verification output "superuser_db_password_connect" { description = "Connect to database using superuser with username/password directly to database" - value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.this_rds_cluster_endpoint} -p 5432 -d ${module.rds.this_rds_cluster_database_name} -U ${local.db_username} --set=sslmode=require" + value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.rds_cluster_endpoint} -p 5432 -d ${module.rds.rds_cluster_database_name} -U ${local.db_username} --set=sslmode=require" + sensitive = true } output "superuser_proxy_iam_token" { @@ -85,5 +92,5 @@ output "superuser_proxy_iam_token" { output "superuser_proxy_iam_connect" { description = "Connect to RDS Proxy using IAM auth via token generated" - value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.this_rds_cluster_database_name} user=${local.db_username} password=$TOKEN\"" + value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.rds_cluster_database_name} user=${local.db_username} password=$TOKEN\"" } diff --git a/examples/postgresql_iam_cluster/versions.tf b/examples/postgresql_iam_cluster/versions.tf index ad7239f..7f7a34a 100644 --- a/examples/postgresql_iam_cluster/versions.tf +++ b/examples/postgresql_iam_cluster/versions.tf 
@@ -1,7 +1,10 @@ terraform { - required_version = ">= 0.12.26" + required_version = ">= 0.13.1" required_providers { - aws = ">= 3.9" + aws = { + source = "hashicorp/aws" + version = ">= 3.38" + } } } diff --git a/examples/postgresql_iam_instance/README.md b/examples/postgresql_iam_instance/README.md index 9c788cf..2b13080 100644 --- a/examples/postgresql_iam_instance/README.md +++ b/examples/postgresql_iam_instance/README.md 
@@ -30,27 +30,27 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 3.9 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.38 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.9 | +| [aws](#provider\_aws) | >= 3.38 | | [random](#provider\_random) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | 2.16.0 | -| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds](#module\_rds) | terraform-aws-modules/rds/aws | 2.20.0 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | | -| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | 3.17.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.64.0 | +| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | ## Resources 
@@ -79,6 +79,7 @@ No inputs. | Name | Description | |------|-------------| +| [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created | | [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group | | [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy | | [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group | diff --git a/examples/postgresql_iam_instance/main.tf b/examples/postgresql_iam_instance/main.tf index 8088ba8..240ecd9 100644 --- a/examples/postgresql_iam_instance/main.tf +++ b/examples/postgresql_iam_instance/main.tf @@ -38,7 +38,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.64.0" + version = "~> 3" name = local.name cidr = "10.0.0.0/18" @@ -56,7 +56,7 @@ module "vpc" { module "rds_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "rds" description = "PostgreSQL RDS example security group" @@ -77,7 +77,7 @@ module "rds_sg" { module "rds" { source = "terraform-aws-modules/rds/aws" - version = "2.20.0" + version = "~> 3" name = local.db_name username = local.db_username @@ -97,7 +97,7 @@ module "rds" { storage_encrypted = false apply_immediately = true - vpc_security_group_ids = [module.rds_sg.this_security_group_id] + vpc_security_group_ids = [module.rds_sg.security_group_id] subnet_ids = module.vpc.database_subnets maintenance_window = "Mon:00:00-Mon:03:00" @@ -168,7 +168,7 @@ data "aws_ami" "ubuntu" { module "ec2_sg" { source = "terraform-aws-modules/security-group/aws" - version = "3.17.0" + version = "~> 4" name = "ec2" description = "EC2 RDS Proxy example security group" 
@@ -181,7 +181,7 @@ module "ec2_sg" {
 module "ec2_instance" {
 source = "terraform-aws-modules/ec2-instance/aws"
- version = "2.16.0"
+ version = "~> 2"
 name = local.name
 instance_count = 1
@@ -200,7 +200,7 @@ module "ec2_instance" {
 ami = data.aws_ami.ubuntu.id
 instance_type = "t3.micro"
- vpc_security_group_ids = [module.ec2_sg.this_security_group_id]
+ vpc_security_group_ids = [module.ec2_sg.security_group_id]
 subnet_ids = module.vpc.private_subnets
 tags = local.tags
@@ -236,7 +236,7 @@ resource "aws_secretsmanager_secret_version" "superuser" {
 module "rds_proxy_sg" {
 source = "terraform-aws-modules/security-group/aws"
- version = "3.17.0"
+ version = "~> 4"
 name = "rds_proxy"
 description = "PostgreSQL RDS Proxy example security group"
@@ -271,7 +271,23 @@ module "rds_proxy" {
 name = local.name
 iam_role_name = local.name
 vpc_subnet_ids = module.vpc.private_subnets
- vpc_security_group_ids = [module.rds_proxy_sg.this_security_group_id]
+ vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+
+ db_proxy_endpoints = {
+ read_write = {
+ name = "read-write-endpoint"
+ vpc_subnet_ids = module.vpc.private_subnets
+ vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+ tags = local.tags
+ },
+ read_only = {
+ name = "read-only-endpoint"
+ vpc_subnet_ids = module.vpc.private_subnets
+ vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+ target_role = "READ_ONLY"
+ tags = local.tags
+ }
+ }
 secrets = {
 "${local.db_username}" = {
@@ -282,13 +298,13 @@ module "rds_proxy" {
 }
 engine_family = "POSTGRESQL"
- db_host = module.rds.this_db_instance_address
- db_name = module.rds.this_db_instance_name
+ db_host = module.rds.db_instance_address
+ db_name = module.rds.db_instance_name
 debug_logging = true
 # Target RDS instance
 target_db_instance = true
- db_instance_identifier = module.rds.this_db_instance_id
+ db_instance_identifier = module.rds.db_instance_id
 tags = local.tags
 }
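Review bot: The `read_only` entry added to `module "rds_proxy"` in the -271 hunk (`target_role = "READ_ONLY"`) sits on a proxy that fronts a single RDS instance (`target_db_instance = true` in the -282 hunk), and to my knowledge RDS Proxy reader endpoints are only supported for Aurora cluster targets, so this entry may be rejected at apply time or never have a reader instance to route to; it is worth confirming with a real apply before the example ships. If it is unsupported for instance targets, drop `read_only` from this instance example and keep it in the cluster examples, or mark it with `# READ_ONLY endpoints require an Aurora cluster target` so a copy-paste does not carry it into instance deployments. The `module "rds_proxy"` block begins and ends outside this hunk.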
diff --git a/examples/postgresql_iam_instance/outputs.tf b/examples/postgresql_iam_instance/outputs.tf
index 2a617c3..94db34d 100644
--- a/examples/postgresql_iam_instance/outputs.tf
+++ b/examples/postgresql_iam_instance/outputs.tf
@@ -66,6 +66,12 @@ output "proxy_target_type" {
 value = module.rds_proxy.proxy_target_type
 }
+# DB proxy endponts
+output "db_proxy_endpoints" {
+ description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
+ value = module.rds_proxy.db_proxy_endpoints
+}
+
 # CloudWatch logs
 output "log_group_arn" {
 description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
@@ -75,7 +81,8 @@ output "log_group_arn" {
 # For aiding in testing & verification
 output "superuser_db_password_connect" {
 description = "Connect to database using superuser with username/password directly to database"
- value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.this_db_instance_address} -p 5432 -d ${module.rds.this_db_instance_name} -U ${local.db_username} --set=sslmode=require"
+ value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.db_instance_address} -p 5432 -d ${module.rds.db_instance_name} -U ${local.db_username} --set=sslmode=require"
+ sensitive = true
 }
 output "superuser_proxy_iam_token" {
@@ -85,5 +92,5 @@ output "superuser_proxy_iam_token" {
 output "superuser_proxy_iam_connect" {
 description = "Connect to RDS Proxy using IAM auth via token generated"
- value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.this_db_instance_name} user=${local.db_username} password=$TOKEN\""
+ value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.db_instance_name} user=${local.db_username} password=$TOKEN\""
 }
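Review bot: The description on the new `db_proxy_endpoints` output, `Array containing the full resource object and attributes for all DB proxy endpoints created`, does not match the value: the root module builds `aws_db_proxy_endpoint.this` with `for_each`, so what this output forwards is a map keyed by the caller's `db_proxy_endpoints` keys, not an array; `description = "Map of DB proxy endpoint resources created, keyed by the input map key"` would be accurate. The same wording is repeated in the root `outputs.tf` hunk and the README outputs row in this commit, and the comment `# DB proxy endponts` is misspelt in both outputs files (`# DB proxy endpoints`). The `sensitive = true` added to `superuser_db_password_connect` is the right call since the value embeds `local.db_password`; `superuser_proxy_iam_connect` only interpolates a shell variable, so it can stay non-sensitive.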
diff --git a/examples/postgresql_iam_instance/versions.tf b/examples/postgresql_iam_instance/versions.tf
index ad7239f..7f7a34a 100644
--- a/examples/postgresql_iam_instance/versions.tf
+++ b/examples/postgresql_iam_instance/versions.tf
@@ -1,7 +1,10 @@
 terraform {
- required_version = ">= 0.12.26"
+ required_version = ">= 0.13.1"
 required_providers {
- aws = ">= 3.9"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.38"
+ }
 }
 }
diff --git a/main.tf b/main.tf
index 32df03c..42e51cc 100644
--- a/main.tf
+++ b/main.tf
@@ -70,6 +70,18 @@ resource "aws_db_proxy_target" "db_cluster" {
 db_cluster_identifier = var.db_cluster_identifier
 }
+resource "aws_db_proxy_endpoint" "this" {
+ for_each = var.db_proxy_endpoints
+
+ db_proxy_name = aws_db_proxy.this[0].name
+ db_proxy_endpoint_name = each.value.name
+ vpc_subnet_ids = each.value.vpc_subnet_ids
+ vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
+ target_role = lookup(each.value, "target_role", null)
+
+ tags = lookup(each.value, "tags", var.tags)
+}
+
 ################################################################################
 # CloudWatch Logs
 ################################################################################
diff --git a/outputs.tf b/outputs.tf
index 3b19d3e..ec26edd 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -66,6 +66,12 @@ output "proxy_target_type" {
 value = element(concat(aws_db_proxy_target.db_instance.*.type, aws_db_proxy_target.db_cluster.*.type, [""]), 0)
 }
+# DB proxy endponts
+output "db_proxy_endpoints" {
+ description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
+ value = aws_db_proxy_endpoint.this
+}
+
 # CloudWatch logs
 output "log_group_arn" {
 description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
diff --git a/variables.tf b/variables.tf
index 9d08e06..1547bfd 100644
--- a/variables.tf
+++ b/variables.tf
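Review bot: In the `main.tf` hunk, `db_proxy_name = aws_db_proxy.this[0].name` indexes a resource that looks count-gated elsewhere in the file, while `for_each = var.db_proxy_endpoints` is not gated at all, so a caller that disables the proxy but leaves the map non-empty gets a plan failure on the `[0]` index instead of simply no endpoints; gating on the same condition, `for_each = <proxy create flag> ? var.db_proxy_endpoints : {}`, keeps the two in step (the flag's name is not visible in this chunk). Separately, `vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)` means an entry that omits the key does not inherit the proxy's security groups; per the AWS API documentation the endpoint then falls back to the VPC's default security group, so its network exposure can silently differ from the proxy it fronts. Defaulting to the module's proxy-level security group input instead, `vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", var.vpc_security_group_ids)` (assuming that is the variable behind the module's `vpc_security_group_ids` input), gives a safe-by-default endpoint that callers can still override per entry. A header comment on the resource stating both choices, e.g. `# Endpoints inherit the proxy's security groups unless overridden per entry`, would make the contract visible to the next maintainer.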
@@ -157,6 +157,13 @@ variable "db_cluster_identifier" {
 default = ""
 }
+# Proxy endpoints
+variable "db_proxy_endpoints" {
+ description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
+ type = any
+ default = {}
+}
+
 # CloudWatch Logs
 variable "manage_log_group" {
 description = "Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist"
diff --git a/versions.tf b/versions.tf
index ad7239f..7f7a34a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,7 +1,10 @@
 terraform {
- required_version = ">= 0.12.26"
+ required_version = ">= 0.13.1"
 required_providers {
- aws = ">= 3.9"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.38"
+ }
 }
 }
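Review bot: `type = any` on `db_proxy_endpoints` means a map entry missing `name` or `vpc_subnet_ids` is only caught when `main.tf` evaluates `each.value.name`, and the description does not say which keys are required; with the `>= 0.13.1` floor set in this same commit an object type with optional attributes is not available, so the contract should at least be spelled out in the description, e.g. `description = "Map of DB proxy endpoints to create. Each value requires name and vpc_subnet_ids; vpc_security_group_ids, target_role and tags are optional (see aws_db_proxy_endpoint)"`. Keys beyond those five are silently ignored by the resource block, which is worth stating too so a typo in an optional key is not mistaken for an applied setting.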