Merge pull request #21 from uc-cdis/chore/db-reencryption

chore(db-reencryption): Added tf module to reencrypt aurora rds instances
uc-cdis · Oct 14, 2024 · 8ce282f · 8ce282f
2 parents 2ee97ec + c9dcc74
commit 8ce282f
Show file tree

Hide file tree

Showing 9 changed files with 150 additions and 2 deletions.
diff --git a/tf_files/aws/aurora/root.tf b/tf_files/aws/aurora/root.tf
@@ -27,4 +27,5 @@ module "aurora" {
   backup_retention_period		        = var.backup_retention_period
   preferred_backup_window		        = var.preferred_backup_window
   password_length			              = var.password_length
+  db_kms_key_id			                = var.db_kms_key_id
 }
diff --git a/tf_files/aws/aurora/variables.tf b/tf_files/aws/aurora/variables.tf
@@ -104,3 +104,7 @@ variable "password_length" {
 variable "deploy_aurora" {
   default = true
 }
+
+variable "db_kms_key_id" {
+  default = ""
+}
diff --git a/tf_files/aws/db_reencrypt/data.tf b/tf_files/aws/db_reencrypt/data.tf
@@ -0,0 +1,3 @@
+data "aws_rds_cluster" "source_db_instance" {
+  cluster_identifier = var.db_instance_identifier
+}
diff --git a/tf_files/aws/db_reencrypt/manifest.json b/tf_files/aws/db_reencrypt/manifest.json
@@ -0,0 +1,5 @@
+{
+  "terraform": {
+    "module_version" : "1.2"
+  }
+}
diff --git a/tf_files/aws/db_reencrypt/output.tf b/tf_files/aws/db_reencrypt/output.tf
diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
@@ -0,0 +1,61 @@
+terraform {
+  backend "s3" {
+    encrypt = "true"
+  }
+}
+
+locals {
+  snapshot_date       = formatdate("MM-DD-YYYY", timestamp())
+  snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-reencrypt-${local.snapshot_date}"
+  master_password     = var.master_password != "" ? var.master_password : random_password.password.result
+}
+
+resource "random_password" "password" {
+  length  = var.password_length
+  special = false
+}
+
+# Aurora Cluster
+
+resource "aws_rds_cluster" "postgresql" {
+  cluster_identifier              = "${var.vpc_name}-${var.cluster_identifier}-new"
+  engine                          = data.aws_rds_cluster.source_db_instance.engine
+  engine_version	                = data.aws_rds_cluster.source_db_instance.engine_version
+  db_subnet_group_name	          = data.aws_rds_cluster.source_db_instance.db_subnet_group_name
+  vpc_security_group_ids          = data.aws_rds_cluster.source_db_instance.vpc_security_group_ids[*]
+  master_username                 = var.master_username
+  master_password	                = local.master_password
+  storage_encrypted	              = true
+  apply_immediately               = true
+  engine_mode        	            = var.engine_mode
+  skip_final_snapshot	            = false
+  final_snapshot_identifier       = "${var.vpc_name}-${var.cluster_instance_identifier}-new-snapshot-${local.snapshot_date}"
+  snapshot_identifier             = aws_db_cluster_snapshot.db_snapshot.id
+  backup_retention_period         = data.aws_rds_cluster.source_db_instance.backup_retention_period
+  preferred_backup_window         = data.aws_rds_cluster.source_db_instance.preferred_backup_window
+  db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.db_cluster_parameter_group_name
+  kms_key_id                      = var.db_kms_key_id 
+
+  serverlessv2_scaling_configuration {
+    max_capacity = var.serverlessv2_scaling_max_capacity
+    min_capacity = var.serverlessv2_scaling_min_capacity
+  }
+}
+
+# Aurora Cluster Instance
+
+resource "aws_rds_cluster_instance" "postgresql" {
+  db_subnet_group_name = aws_rds_cluster.postgresql.db_subnet_group_name
+  identifier         	 = "${var.vpc_name}-${var.cluster_instance_identifier}-new"
+  cluster_identifier 	 = aws_rds_cluster.postgresql.cluster_identifier
+  instance_class	     = var.instance_class
+  engine             	 = data.aws_rds_cluster.source_db_instance.engine
+  engine_version     	 = data.aws_rds_cluster.source_db_instance.engine_version
+}
+
+# Create a snapshot of the existing RDS instance
+resource "aws_db_cluster_snapshot" "db_snapshot" {
+  db_cluster_identifier = data.aws_rds_cluster.source_db_instance.id
+  db_cluster_snapshot_identifier = local.snapshot_identifier
+}
+
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
@@ -0,0 +1,69 @@
+variable "vpc_name" {}
+
+variable "db_instance_identifier" {
+  default = ""
+}
+
+variable "db_kms_key_id" {
+  default = ""
+}
+
+variable "cluster_identifier" {
+  description = "Cluster Identifier"
+  type        = string
+  default     = "aurora-cluster"
+}
+
+variable "cluster_instance_identifier" {
+  description = "Cluster Instance Identifier"
+  type        = string
+  default     = "aurora-cluster-instance"
+}
+
+variable "serverlessv2_scaling_min_capacity" {
+  type        = string
+  description = "Serverless v2 RDS cluster minimum scaling capacity in ACUs"
+  default     = "0.5"
+}
+
+variable "serverlessv2_scaling_max_capacity" {
+  type        = string
+  description = "Serverless v2 RDS cluster maximum scaling capacity in ACUs"
+  default     = "10.0"
+}
+
+variable "master_username" {
+  description = "Master DB username"
+  type        = string
+  default     = "postgres"
+}
+
+variable "master_password" {
+  description = "Master DB password"
+  type        = string
+  default     = ""
+}
+
+variable "storage_encrypted" {
+  description = "Specifies whether storage encryption is enabled"
+  type        = bool
+  default     = true
+}
+
+variable "engine_mode" {
+  type        = string
+  description = "use provisioned for Serverless v2 RDS cluster"
+  default     = "provisioned"
+}
+
+variable "password_length" {
+  type        = number
+  description = "The length of the password string"
+  default     = 12
+}
+
+variable "instance_class" {
+  description = "Cluster Instance Class"
+  type        = string
+  default     = "db.serverless"
+}
diff --git a/tf_files/aws/modules/aurora/main.tf b/tf_files/aws/modules/aurora/main.tf
@@ -28,15 +28,16 @@ resource "aws_rds_cluster" "postgresql" {
   final_snapshot_identifier       = "${var.vpc_name}-${var.final_snapshot_identifier}"
   backup_retention_period         = var.backup_retention_period
   preferred_backup_window         = var.preferred_backup_window
-  db_cluster_parameter_group_name =  aws_rds_cluster_parameter_group.aurora_cdis_pg.name
+  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cdis_pg.name
+  kms_key_id                      = var.db_kms_key_id 
 
   serverlessv2_scaling_configuration {
     max_capacity = var.serverlessv2_scaling_max_capacity
     min_capacity = var.serverlessv2_scaling_min_capacity
   }
 
   lifecycle {
-    ignore_changes = [engine_version]
+    ignore_changes  = [kms_key_id, engine_version]
   }
 }
 

diff --git a/tf_files/aws/modules/aurora/variables.tf b/tf_files/aws/modules/aurora/variables.tf
@@ -102,3 +102,7 @@ variable "password_length" {
   description = "The length of the password string"
   default     = 16
 }
+
+variable "db_kms_key_id" {
+  default = ""
+}