From e44b2ea6d08129f97948df0e12fed682dc3e395d Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 08:07:45 -0500
Subject: [PATCH 01/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/aurora/root.tf | 1 +
 tf_files/aws/aurora/variables.tf | 4 ++
 tf_files/aws/db_reencrypt/data.tf | 3 +
 tf_files/aws/db_reencrypt/manifest.json | 5 ++
 tf_files/aws/db_reencrypt/output.tf | 0
 tf_files/aws/db_reencrypt/root.tf | 70 ++++++++++++++++++++++++
 tf_files/aws/db_reencrypt/variables.tf | 67 +++++++++++++++++++++++
 tf_files/aws/modules/aurora/main.tf | 12 +++-
 tf_files/aws/modules/aurora/variables.tf | 4 ++
 9 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 tf_files/aws/db_reencrypt/data.tf
 create mode 100644 tf_files/aws/db_reencrypt/manifest.json
 create mode 100644 tf_files/aws/db_reencrypt/output.tf
 create mode 100644 tf_files/aws/db_reencrypt/root.tf
 create mode 100644 tf_files/aws/db_reencrypt/variables.tf

diff --git a/tf_files/aws/aurora/root.tf b/tf_files/aws/aurora/root.tf
index b5233687..0ed9bd62 100644
--- a/tf_files/aws/aurora/root.tf
+++ b/tf_files/aws/aurora/root.tf
@@ -27,4 +27,5 @@ module "aurora" {
 backup_retention_period = var.backup_retention_period
 preferred_backup_window = var.preferred_backup_window
 password_length = var.password_length
+ db_kms_key_id = var.db_kms_key_id
 }
diff --git a/tf_files/aws/aurora/variables.tf b/tf_files/aws/aurora/variables.tf
index 33e7d757..3df24559 100644
--- a/tf_files/aws/aurora/variables.tf
+++ b/tf_files/aws/aurora/variables.tf
@@ -104,3 +104,7 @@ variable "password_length" {
 variable "deploy_aurora" {
 default = true
 }
+
+variable "db_kms_key_id" {
+ default = ""
}
\ No newline at end of file
diff --git a/tf_files/aws/db_reencrypt/data.tf b/tf_files/aws/db_reencrypt/data.tf
new file mode 100644
index 00000000..9509c078
--- /dev/null
+++ b/tf_files/aws/db_reencrypt/data.tf
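Review bot: `variable "db_kms_key_id" { default = "" }` at the end of the aurora/variables.tf hunk carries no description and an empty default, so a caller that never sets it still passes `kms_key_id = ""` into the module; as far as I know the provider treats an empty string as unset, which means the cluster quietly ends up on the AWS-managed `aws/rds` key rather than a customer-managed one. Since the whole point of the input is to choose the key, that fallback should be spelled out where operators read it: `description = "KMS key ID/ARN for Aurora storage encryption; empty selects the AWS-managed aws/rds key"` plus `type = string` so only a string can be passed. The `module "aurora"` block in the root.tf hunk starts before the hunk.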
@@ -0,0 +1,3 @@
+data "aws_db_instance" "source_db_instance" {
+ db_instance_identifier = var.db_instance_identifier
}
\ No newline at end of file
diff --git a/tf_files/aws/db_reencrypt/manifest.json b/tf_files/aws/db_reencrypt/manifest.json
new file mode 100644
index 00000000..1d45a094
--- /dev/null
+++ b/tf_files/aws/db_reencrypt/manifest.json
@@ -0,0 +1,5 @@
+{
+ "terraform": {
+ "module_version" : "1.2"
+ }
}
\ No newline at end of file
diff --git a/tf_files/aws/db_reencrypt/output.tf b/tf_files/aws/db_reencrypt/output.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
new file mode 100644
index 00000000..55ddd004
--- /dev/null
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -0,0 +1,70 @@
+terraform {
+ backend "s3" {
+ encrypt = "true"
+ }
+}
+
+provider "aws" {}
+
+
+locals {
+ snapshot_date = formatdate("MM-DD-YYYY", timestamp())
+ snapshot_identifier = "reencrypt-${local.snapshot_date}"
+}
+
+resource "random_password" "password" {
+ length = var.password_length
+ special = false
+}
+
+# Aurora Cluster
+
+resource "aws_rds_cluster" "postgresql" {
+ cluster_identifier = "${var.vpc_name}-${var.cluster_identifier}-new"
+ engine = data.aws_db_instance.source_db_instance.engine
+ engine_version = data.aws_db_instance.source_db_instance.engine_version
+ db_subnet_group_name = data.aws_db_instance.source_db_instance.db_subnet_group_name
+ vpc_security_group_ids = [data.aws_security_group.private.id]
+ master_username = var.master_username
+ master_password = random_password.password.result
+ storage_encrypted = true
+ apply_immediately = true
+ engine_mode = var.engine_mode
+ skip_final_snapshot = false
+ final_snapshot_identifier = "${var.vpc_name}-new-snapshot"
+ backup_retention_period = data.aws_db_instance.source_db_instance.backup_retention_period
+ preferred_backup_window = data.aws_db_instance.source_db_instance.preferred_backup_window
+ db_cluster_parameter_group_name = data.aws_db_instance.source_db_instance.parameter_group_name
+ kms_key_id = var.db_kms_key_id
+
+ serverlessv2_scaling_configuration {
+ max_capacity = var.serverlessv2_scaling_max_capacity
+ min_capacity = var.serverlessv2_scaling_min_capacity
+ }
+}
+
+# Aurora Cluster Instance
+
+resource "aws_rds_cluster_instance" "postgresql" {
+ db_subnet_group_name = aws_rds_cluster.postgresql.db_subnet_group_name
+ identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-new"
+ cluster_identifier = aws_rds_cluster.postgresql.id
+ instance_class = data.aws_db_instance.source_db_instance.instance_class
+ engine = data.aws_db_instance.source_db_instance.engine
+ engine_version = data.aws_db_instance.source_db_instance.engine_version
+ kms_key_id = var.db_kms_key_id
+}
+
+# Create a snapshot of the existing RDS instance
+resource "aws_db_snapshot" "db_snapshot" {
+ db_instance_identifier = var.db_instance_identifier
+ db_snapshot_identifier = local.snapshot_identifier
+}
+
+# Copy the snapshot and re-encrypt with the new KMS key
+resource "aws_db_snapshot_copy" "db_snapshot_copy" {
+ depends_on = [aws_db_snapshot.db_snapshot]
+ source_db_snapshot_identifier = aws_db_snapshot.db_snapshot.id
+ target_db_snapshot_identifier = "${local.snapshot_identifier}-copy"
+ kms_key_id = var.db_kms_key_id
}
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
new file mode 100644
index 00000000..bd5e83ab
--- /dev/null
+++ b/tf_files/aws/db_reencrypt/variables.tf
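Review bot: `random_password.password` near the top of this hunk is generated with `special = false` and `length = var.password_length`, and the module's own variables.tf in the same patch defaults that length to 12 while the existing aurora module (modules/aurora/variables.tf further down) defaults to 16, so the re-encrypted cluster ends up with a weaker master credential than the cluster it replaces. The value is also never surfaced — output.tf is created empty — so after apply the only copy is in the S3 state (encrypted per the backend block, but still the only copy). Raise the default to 16 to match the module and add an `output "master_password"` with `value = random_password.password.result` and `sensitive = true` so the operator can rotate application secrets without reading raw state.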
@@ -0,0 +1,67 @@
+variable "vpc_name" {}
+
+variable "db_instance_identifier" {
+ default = ""
+}
+
+variable "db_kms_key_id" {
+ default = ""
+}
+
+variable "engine_mode" {
+ type = string
+ description = "use provisioned for Serverless v2 RDS cluster"
+ default = "provisioned"
+}
+
+variable "cluster_identifier" {
+ description = "Cluster Identifier"
+ type = string
+ default = "aurora-cluster"
+}
+
+variable "cluster_instance_identifier" {
+ description = "Cluster Instance Identifier"
+ type = string
+ default = "aurora-cluster-instance"
+}
+
+variable "serverlessv2_scaling_min_capacity" {
+ type = string
+ description = "Serverless v2 RDS cluster minimum scaling capacity in ACUs"
+ default = "0.5"
+}
+
+variable "serverlessv2_scaling_max_capacity" {
+ type = string
+ description = "Serverless v2 RDS cluster maximum scaling capacity in ACUs"
+ default = "10.0"
+}
+
+variable "master_username" {
+ description = "Master DB username"
+ type = string
+ default = "postgres"
+}
+
+variable "storage_encrypted" {
+ description = "Specifies whether storage encryption is enabled"
+ type = bool
+ default = true
+}
+
+variable "engine_mode" {
+ type = string
+ description = "use provisioned for Serverless v2 RDS cluster"
+ default = "provisioned"
+}
+
+variable "password_length" {
+ type = number
+ description = "The length of the password string"
+ default = 12
+}
+
+variable "db_kms_key_id" {
+ default = ""
}
\ No newline at end of file
diff --git a/tf_files/aws/modules/aurora/main.tf b/tf_files/aws/modules/aurora/main.tf
index f1dc7074..860c6c95 100644
--- a/tf_files/aws/modules/aurora/main.tf
+++ b/tf_files/aws/modules/aurora/main.tf
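Review bot: `variable "db_kms_key_id" { default = "" }` near the top of the hunk makes the one input that gives this module its purpose optional; with an empty key the restored cluster's `kms_key_id` is effectively unset and, if I remember the RDS restore semantics correctly, the cluster keeps the snapshot's existing key, so a forgotten tfvars entry produces a "re-encryption" that changes nothing and raises no error. Drop the default and declare `type = string` so Terraform refuses to plan without it, or add a `validation` block that rejects the empty string. `db_instance_identifier` just above has the same empty default and is equally mandatory for the data lookup. The `storage_encrypted` variable declared further down is never referenced by root.tf in this patch, where the attribute is hard-coded to `true`.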
@@ -28,12 +28,17 @@ resource "aws_rds_cluster" "postgresql" {
 final_snapshot_identifier = "${var.vpc_name}-${var.final_snapshot_identifier}"
 backup_retention_period = var.backup_retention_period
 preferred_backup_window = var.preferred_backup_window
- db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cdis_pg.name
+ db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cdis_pg.name
+ kms_key_id = var.db_kms_key_id
 serverlessv2_scaling_configuration {
 max_capacity = var.serverlessv2_scaling_max_capacity
 min_capacity = var.serverlessv2_scaling_min_capacity
 }
+
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
 }
 # Aurora Cluster Instance
@@ -45,6 +50,11 @@ resource "aws_rds_cluster_instance" "postgresql" {
 instance_class = var.cluster_instance_class
 engine = aws_rds_cluster.postgresql.engine
 engine_version = aws_rds_cluster.postgresql.engine_version
+ kms_key_id = var.db_kms_key_id
+
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
 }
diff --git a/tf_files/aws/modules/aurora/variables.tf b/tf_files/aws/modules/aurora/variables.tf
index 1f793cc5..ac7458b5 100644
--- a/tf_files/aws/modules/aurora/variables.tf
+++ b/tf_files/aws/modules/aurora/variables.tf
@@ -102,3 +102,7 @@ variable "password_length" {
 description = "The length of the password string"
 default = 16
 }
+
+variable "db_kms_key_id" {
+ default = ""
}
\ No newline at end of file
From f97066c23a8c6878a23d91e949019274bfdf02c4 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:14:18 -0500
Subject: [PATCH 02/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/variables.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
index bd5e83ab..71ca5b00 100644
--- a/tf_files/aws/db_reencrypt/variables.tf
+++ b/tf_files/aws/db_reencrypt/variables.tf
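Review bot: `ignore_changes = [kms_key_id]` on `aws_rds_cluster.postgresql` needs a comment saying why key drift is deliberately ignored, because the side effect is that setting `db_kms_key_id` on an already-deployed cluster is a silent no-op — the plan shows nothing and the cluster stays on whatever key it was created with. I assume the intent is to avoid the destroy/recreate that a `kms_key_id` change forces and that the new db_reencrypt module is the migration path; if so, say it next to the lifecycle block: `# kms_key_id forces replacement; ignored so an existing cluster is never recreated — use tf_files/aws/db_reencrypt to move an existing cluster to a new key`. The `aws_rds_cluster` resource starts before this hunk.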
@@ -61,7 +61,3 @@ variable "password_length" {
 description = "The length of the password string"
 default = 12
 }
-
-variable "db_kms_key_id" {
- default = ""
-}
\ No newline at end of file
From 1368ef82d4df1a8fb05e7ab4f381de6d10fd9f66 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:16:29 -0500
Subject: [PATCH 03/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/modules/aurora/main.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tf_files/aws/modules/aurora/main.tf b/tf_files/aws/modules/aurora/main.tf
index 860c6c95..daf4150b 100644
--- a/tf_files/aws/modules/aurora/main.tf
+++ b/tf_files/aws/modules/aurora/main.tf
@@ -50,11 +50,6 @@ resource "aws_rds_cluster_instance" "postgresql" {
 instance_class = var.cluster_instance_class
 engine = aws_rds_cluster.postgresql.engine
 engine_version = aws_rds_cluster.postgresql.engine_version
- kms_key_id = var.db_kms_key_id
-
- lifecycle {
- ignore_changes = [kms_key_id]
- }
 }
From 2ff213f2d8e85647726210630ffba6c7d0d8edc6 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:27:30 -0500
Subject: [PATCH 04/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 55ddd004..fd9574e6 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -4,9 +4,6 @@ terraform {
 }
 }
-provider "aws" {}
-
-
 locals {
 snapshot_date = formatdate("MM-DD-YYYY", timestamp())
 snapshot_identifier = "reencrypt-${local.snapshot_date}"
From 7d7977aa70f129d289dbcfad01cc3487aed77b68 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:29:05 -0500
Subject: [PATCH 05/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/variables.tf | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
index 71ca5b00..af34906c 100644
--- a/tf_files/aws/db_reencrypt/variables.tf
+++ b/tf_files/aws/db_reencrypt/variables.tf
@@ -8,12 +8,6 @@ variable "db_kms_key_id" {
 default = ""
 }
-variable "engine_mode" {
- type = string
- description = "use provisioned for Serverless v2 RDS cluster"
- default = "provisioned"
-}
-
 variable "cluster_identifier" {
 description = "Cluster Identifier"
 type = string
From 355a7eb3e07697185f35d15685769c0c118d7108 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:35:44 -0500
Subject: [PATCH 06/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/data.tf | 4 ++--
 tf_files/aws/db_reencrypt/root.tf | 18 +++++++++---------
 tf_files/aws/db_reencrypt/variables.tf | 6 ++++++
 3 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/data.tf b/tf_files/aws/db_reencrypt/data.tf
index 9509c078..fbd38864 100644
--- a/tf_files/aws/db_reencrypt/data.tf
+++ b/tf_files/aws/db_reencrypt/data.tf
@@ -1,3 +1,3 @@
-data "aws_db_instance" "source_db_instance" {
- db_instance_identifier = var.db_instance_identifier
+data "aws_rds_cluster" "source_db_instance" {
+ cluster_identifier = var.db_instance_identifier
 }
\ No newline at end of file
diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index fd9574e6..06ab98b3 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
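Review bot: The data source now reads a cluster (`data "aws_rds_cluster"`) but keeps the label `source_db_instance` and is fed by `var.db_instance_identifier`, so every later reference in root.tf reads as though an RDS instance were being snapshotted and restored; `data "aws_rds_cluster" "source_cluster"` driven by a `source_cluster_identifier` variable would make the restore path much easier to audit. Separately, that variable still carries `default = ""` from the first patch, and an empty `cluster_identifier` here fails at plan time with a provider lookup error rather than a clear "required input" message — removing the default is the cheaper fix.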
@@ -18,9 +18,9 @@ resource "random_password" "password" {
 resource "aws_rds_cluster" "postgresql" {
 cluster_identifier = "${var.vpc_name}-${var.cluster_identifier}-new"
- engine = data.aws_db_instance.source_db_instance.engine
- engine_version = data.aws_db_instance.source_db_instance.engine_version
- db_subnet_group_name = data.aws_db_instance.source_db_instance.db_subnet_group_name
+ engine = data.aws_rds_cluster.source_db_instance.engine
+ engine_version = data.aws_rds_cluster.source_db_instance.engine_version
+ db_subnet_group_name = data.aws_rds_cluster.source_db_instance.db_subnet_group_name
 vpc_security_group_ids = [data.aws_security_group.private.id]
 master_username = var.master_username
 master_password = random_password.password.result
@@ -29,9 +29,9 @@ resource "aws_rds_cluster" "postgresql" {
 engine_mode = var.engine_mode
 skip_final_snapshot = false
 final_snapshot_identifier = "${var.vpc_name}-new-snapshot"
- backup_retention_period = data.aws_db_instance.source_db_instance.backup_retention_period
- preferred_backup_window = data.aws_db_instance.source_db_instance.preferred_backup_window
- db_cluster_parameter_group_name = data.aws_db_instance.source_db_instance.parameter_group_name
+ backup_retention_period = data.aws_rds_cluster.source_db_instance.backup_retention_period
+ preferred_backup_window = data.aws_rds_cluster.source_db_instance.preferred_backup_window
+ db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.parameter_group_name
 kms_key_id = var.db_kms_key_id
 serverlessv2_scaling_configuration {
@@ -46,9 +46,9 @@ resource "aws_rds_cluster_instance" "postgresql" {
 db_subnet_group_name = aws_rds_cluster.postgresql.db_subnet_group_name
 identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-new"
 cluster_identifier = aws_rds_cluster.postgresql.id
- instance_class = data.aws_db_instance.source_db_instance.instance_class
- engine = data.aws_db_instance.source_db_instance.engine
- engine_version = data.aws_db_instance.source_db_instance.engine_version
+ instance_class = data.aws_rds_cluster.source_db_instance.instance_class
+ engine = data.aws_rds_cluster.source_db_instance.engine
+ engine_version = data.aws_rds_cluster.source_db_instance.engine_version
 kms_key_id = var.db_kms_key_id
 }
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
index af34906c..aa84a6e0 100644
--- a/tf_files/aws/db_reencrypt/variables.tf
+++ b/tf_files/aws/db_reencrypt/variables.tf
@@ -55,3 +55,9 @@ variable "password_length" {
 description = "The length of the password string"
 default = 12
 }
+
+variable "cluster_instance_class" {
+ description = "Cluster Instance Class"
+ type = string
+ default = "db.serverless"
+}
\ No newline at end of file
From acc384530f43988f2346d314c6b5af3c2faeaa89 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:39:50 -0500
Subject: [PATCH 07/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 06ab98b3..cdb5fbb3 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -21,7 +21,7 @@ resource "aws_rds_cluster" "postgresql" {
 engine = data.aws_rds_cluster.source_db_instance.engine
 engine_version = data.aws_rds_cluster.source_db_instance.engine_version
 db_subnet_group_name = data.aws_rds_cluster.source_db_instance.db_subnet_group_name
- vpc_security_group_ids = [data.aws_security_group.private.id]
+ vpc_security_group_ids = [data.aws_rds_cluster.source_db_instance.vpc_security_group_ids]
 master_username = var.master_username
 master_password = random_password.password.result
 storage_encrypted = true
@@ -31,7 +31,7 @@ resource "aws_rds_cluster" "postgresql" {
 final_snapshot_identifier = "${var.vpc_name}-new-snapshot"
 backup_retention_period = data.aws_rds_cluster.source_db_instance.backup_retention_period
 preferred_backup_window = data.aws_rds_cluster.source_db_instance.preferred_backup_window
- db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.parameter_group_name
+ db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.db_cluster_parameter_group_name
 kms_key_id = var.db_kms_key_id
 serverlessv2_scaling_configuration {
From 30c1910c5eb458d052b204281787ce960dda1e09 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:41:50 -0500
Subject: [PATCH 08/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 tf_files/aws/db_reencrypt/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index cdb5fbb3..639f9ac1 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -46,7 +46,7 @@ resource "aws_rds_cluster_instance" "postgresql" {
 db_subnet_group_name = aws_rds_cluster.postgresql.db_subnet_group_name
 identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-new"
 cluster_identifier = aws_rds_cluster.postgresql.id
- instance_class = data.aws_rds_cluster.source_db_instance.instance_class
+ instance_class = var.instance_class
 engine = data.aws_rds_cluster.source_db_instance.engine
 engine_version = data.aws_rds_cluster.source_db_instance.engine_version
 kms_key_id = var.db_kms_key_id
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
index aa84a6e0..f778e0c7 100644
--- a/tf_files/aws/db_reencrypt/variables.tf
+++ b/tf_files/aws/db_reencrypt/variables.tf
@@ -56,7 +56,7 @@ variable "password_length" {
 default = 12
 }
-variable "cluster_instance_class" {
+variable "instance_class" {
 description = "Cluster Instance Class"
 type = string
 default = "db.serverless"
From 5c0f1549c87e136da873ba58693b8c4cd00e1b4b Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:44:23 -0500
Subject: [PATCH 09/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 639f9ac1..e000c4c9 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -49,7 +49,6 @@ resource "aws_rds_cluster_instance" "postgresql" {
 instance_class = var.instance_class
 engine = data.aws_rds_cluster.source_db_instance.engine
 engine_version = data.aws_rds_cluster.source_db_instance.engine_version
- kms_key_id = var.db_kms_key_id
 }
 # Create a snapshot of the existing RDS instance
From ed6b9fec08af72ca298c8387cc920eba680324cf Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 09:48:55 -0500
Subject: [PATCH 10/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index e000c4c9..f7b061d5 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -21,7 +21,7 @@ resource "aws_rds_cluster" "postgresql" {
 engine = data.aws_rds_cluster.source_db_instance.engine
 engine_version = data.aws_rds_cluster.source_db_instance.engine_version
 db_subnet_group_name = data.aws_rds_cluster.source_db_instance.db_subnet_group_name
- vpc_security_group_ids = [data.aws_rds_cluster.source_db_instance.vpc_security_group_ids]
+ vpc_security_group_ids = data.aws_rds_cluster.source_db_instance.vpc_security_group_ids[*]
 master_username = var.master_username
 master_password = random_password.password.result
 storage_encrypted = true
From a05e26058537c63ce63d28639066fbc180b38bda Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 10:06:23 -0500
Subject: [PATCH 11/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index f7b061d5..6fd2d699 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -53,7 +53,7 @@ resource "aws_rds_cluster_instance" "postgresql" {
 # Create a snapshot of the existing RDS instance
 resource "aws_db_snapshot" "db_snapshot" {
- db_instance_identifier = var.db_instance_identifier
+ db_instance_identifier = data.aws_rds_cluster.source_db_instance.id
 db_snapshot_identifier = local.snapshot_identifier
 }
From b908bf436de5a7d864cef6cd1d37be882d19813c Mon Sep 17 00:00:00 2001
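Review bot: `vpc_security_group_ids = data.aws_rds_cluster.source_db_instance.vpc_security_group_ids[*]` applies a full splat to a value that is already a list, which is a no-op; the plain reference `vpc_security_group_ids = data.aws_rds_cluster.source_db_instance.vpc_security_group_ids` says the same thing without implying a conversion. Reusing the source cluster's security groups verbatim is presumably intended, since the re-encrypted cluster must be reachable by the same clients, but a one-line comment would stop a later reader from treating it as an oversight: `# inherit the source cluster's SGs so existing clients can reach the re-encrypted cluster`. The `aws_rds_cluster` resource this hunk sits in starts and ends outside it.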
From: Ed
Date: Mon, 8 Jul 2024 10:13:05 -0500
Subject: [PATCH 12/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 6fd2d699..2643ee72 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -45,7 +45,7 @@ resource "aws_rds_cluster" "postgresql" {
 resource "aws_rds_cluster_instance" "postgresql" {
 db_subnet_group_name = aws_rds_cluster.postgresql.db_subnet_group_name
 identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-new"
- cluster_identifier = aws_rds_cluster.postgresql.id
+ cluster_identifier = aws_rds_cluster.postgresql.cluster_identifier
 instance_class = var.instance_class
 engine = data.aws_rds_cluster.source_db_instance.engine
 engine_version = data.aws_rds_cluster.source_db_instance.engine_version
From 43d139e6a7e970d5267c1249657bd2b3a9ce31c2 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 11:10:41 -0500
Subject: [PATCH 13/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 2643ee72..8ec30475 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -29,6 +29,7 @@ resource "aws_rds_cluster" "postgresql" {
 engine_mode = var.engine_mode
 skip_final_snapshot = false
 final_snapshot_identifier = "${var.vpc_name}-new-snapshot"
+ snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id
 backup_retention_period = data.aws_rds_cluster.source_db_instance.backup_retention_period
 preferred_backup_window = data.aws_rds_cluster.source_db_instance.preferred_backup_window
 db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.db_cluster_parameter_group_name
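Review bot: `snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id` is the line that actually performs the re-encryption — restoring the cluster snapshot with the `kms_key_id` set a few lines past the end of this hunk — yet nothing in the resource says so, and `snapshot_identifier` is, as far as I know, a replacement-forcing argument, so any change to the snapshot resource recreates the cluster. Add `# Restoring the snapshot with kms_key_id set is what re-encrypts the data under the new key; changing snapshot_identifier recreates the cluster` above it. Also, if I recall RestoreDBClusterFromSnapshot correctly the master username is taken from the snapshot, so `master_username = var.master_username` earlier in this resource may have no effect — worth confirming before anyone relies on it. The `aws_rds_cluster` block starts and ends outside the hunk.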
@@ -52,9 +53,9 @@ resource "aws_rds_cluster_instance" "postgresql" {
 }
 # Create a snapshot of the existing RDS instance
-resource "aws_db_snapshot" "db_snapshot" {
- db_instance_identifier = data.aws_rds_cluster.source_db_instance.id
- db_snapshot_identifier = local.snapshot_identifier
+resource "aws_db_cluster_snapshot" "db_snapshot" {
+ db_cluster_identifier = data.aws_rds_cluster.source_db_instance.id
+ db_cluster_snapshot_identifier = local.snapshot_identifier
 }
 # Copy the snapshot and re-encrypt with the new KMS key
From 240c76cd72f07aad77ca0fed422d00b8e8709f0a Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 8 Jul 2024 11:13:25 -0500
Subject: [PATCH 14/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 8ec30475..dd9d3694 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -60,8 +60,8 @@ resource "aws_db_cluster_snapshot" "db_snapshot" {
 # Copy the snapshot and re-encrypt with the new KMS key
 resource "aws_db_snapshot_copy" "db_snapshot_copy" {
- depends_on = [aws_db_snapshot.db_snapshot]
- source_db_snapshot_identifier = aws_db_snapshot.db_snapshot.id
+ depends_on = [aws_db_cluster_snapshot.db_snapshot]
+ source_db_snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id
 target_db_snapshot_identifier = "${local.snapshot_identifier}-copy"
 kms_key_id = var.db_kms_key_id
 }
From 5ed0c1d0ec530354b9f75ebe02db87a6a57485fb Mon Sep 17 00:00:00 2001
From: Ed
Date: Fri, 4 Oct 2024 09:40:40 -0500
Subject: [PATCH 15/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index dd9d3694..f8a279ab 100644
--- a/tf_files/aws/db_reencrypt/root.tf
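Review bot: The comment above `aws_db_cluster_snapshot.db_snapshot` still reads "existing RDS instance" although the resource now snapshots a cluster, and it should also make clear that this snapshot is taken under the source cluster's current key: once the restore succeeds the same data exists under both the old and the new key until this snapshot is removed (presumably on destroy, since it is a managed resource). Suggested replacement: `# Snapshot of the source cluster, still encrypted with its current key; it is the restore input for the re-encrypted cluster and should be deleted once cutover is verified`. The `aws_rds_cluster_instance` block whose closing `}` opens this hunk starts before it.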
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -58,10 +58,3 @@ resource "aws_db_cluster_snapshot" "db_snapshot" {
 db_cluster_snapshot_identifier = local.snapshot_identifier
 }
-# Copy the snapshot and re-encrypt with the new KMS key
-resource "aws_db_snapshot_copy" "db_snapshot_copy" {
- depends_on = [aws_db_cluster_snapshot.db_snapshot]
- source_db_snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id
- target_db_snapshot_identifier = "${local.snapshot_identifier}-copy"
- kms_key_id = var.db_kms_key_id
-}
From 0c445e9ee82000acf69c9da5e99a3b8d436e2011 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 7 Oct 2024 07:03:19 -0500
Subject: [PATCH 16/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index f8a279ab..f5141fd4 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -6,7 +6,7 @@ terraform {
 locals {
 snapshot_date = formatdate("MM-DD-YYYY", timestamp())
- snapshot_identifier = "reencrypt-${local.snapshot_date}"
+ snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier-reencrypt-${local.snapshot_date}"
 }
 resource "random_password" "password" {
From 13a9ed1af8fdaaa06993ce05b3bb1d044ee030f6 Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 7 Oct 2024 07:10:06 -0500
Subject: [PATCH 17/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index f5141fd4..32d8046a 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -6,7 +6,7 @@ terraform {
 locals {
 snapshot_date = formatdate("MM-DD-YYYY", timestamp())
- snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier-reencrypt-${local.snapshot_date}"
+ snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-reencrypt-${local.snapshot_date}"
 }
 resource "random_password" "password" {
From 2eddc200bdbd0318976c8d9c5540c57b15b7a37f Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 7 Oct 2024 07:28:03 -0500
Subject: [PATCH 18/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index 32d8046a..cb01d52b 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -28,8 +28,8 @@ resource "aws_rds_cluster" "postgresql" {
 apply_immediately = true
 engine_mode = var.engine_mode
 skip_final_snapshot = false
- final_snapshot_identifier = "${var.vpc_name}-new-snapshot"
- snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id
+ final_snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-new-snapshot-${local.snapshot_date}"
+ snapshot_identifier = aws_db_cluster_snapshot.db_snapshot.id
 backup_retention_period = data.aws_rds_cluster.source_db_instance.backup_retention_period
 preferred_backup_window = data.aws_rds_cluster.source_db_instance.preferred_backup_window
 db_cluster_parameter_group_name = data.aws_rds_cluster.source_db_instance.db_cluster_parameter_group_name
From f839ed32a439bb531faa7a29204704e40bcc039c Mon Sep 17 00:00:00 2001
From: Ed
Date: Tue, 8 Oct 2024 11:07:20 -0500
Subject: [PATCH 19/19] chore(db-reencryption): Added tf module to reencrypt aurora rds instances

---
 tf_files/aws/db_reencrypt/root.tf | 3 ++-
 tf_files/aws/db_reencrypt/variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
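Review bot: `snapshot_date = formatdate("MM-DD-YYYY", timestamp())` (the context line just above the corrected `snapshot_identifier`) is re-evaluated on every plan, so the day after the first apply `local.snapshot_identifier` changes, `db_cluster_snapshot_identifier` on the snapshot resource changes with it, and because the cluster's `snapshot_identifier` points at that resource the re-encrypted cluster is — if both arguments force replacement as I believe they do — destroyed and restored again on a routine apply. The patch-18 hunk on this same line also folds the date into `final_snapshot_identifier`, so that attribute drifts daily as well. Make the date an explicit operator-set input, `snapshot_date = var.snapshot_date` with `variable "snapshot_date" { type = string }`, or at minimum add `ignore_changes` on the two identifiers once the cluster exists.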
diff --git a/tf_files/aws/db_reencrypt/root.tf b/tf_files/aws/db_reencrypt/root.tf
index cb01d52b..31a9e1f6 100644
--- a/tf_files/aws/db_reencrypt/root.tf
+++ b/tf_files/aws/db_reencrypt/root.tf
@@ -7,6 +7,7 @@ terraform {
 locals {
 snapshot_date = formatdate("MM-DD-YYYY", timestamp())
 snapshot_identifier = "${var.vpc_name}-${var.cluster_instance_identifier}-reencrypt-${local.snapshot_date}"
+ master_password = var.master_password != "" ? var.master_password : random_password.password.result
 }
 resource "random_password" "password" {
@@ -23,7 +24,7 @@ resource "aws_rds_cluster" "postgresql" {
 db_subnet_group_name = data.aws_rds_cluster.source_db_instance.db_subnet_group_name
 vpc_security_group_ids = data.aws_rds_cluster.source_db_instance.vpc_security_group_ids[*]
 master_username = var.master_username
- master_password = random_password.password.result
+ master_password = local.master_password
 storage_encrypted = true
 apply_immediately = true
 engine_mode = var.engine_mode
diff --git a/tf_files/aws/db_reencrypt/variables.tf b/tf_files/aws/db_reencrypt/variables.tf
index f778e0c7..b89272cf 100644
--- a/tf_files/aws/db_reencrypt/variables.tf
+++ b/tf_files/aws/db_reencrypt/variables.tf
@@ -38,6 +38,12 @@ variable "master_username" {
 default = "postgres"
 }
+variable "master_password" {
+ description = "Master DB password"
+ type = string
+ default = ""
+}
+
 variable "storage_encrypted" {
 description = "Specifies whether storage encryption is enabled"
 type = bool
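Review bot: `variable "master_password"` is added without `sensitive = true`, so a value supplied through tfvars or `-var` is echoed in plan/apply output and in any CI log that captures it; mark it `sensitive = true` (keeping `default = ""` so the random fallback in `local.master_password` still applies). On the generated path the credential is still never surfaced — output.tf is empty — so it exists only in the state file; an `output "master_password"` with `value = local.master_password` and `sensitive = true` would let the operator retrieve it without dumping raw state. `random_password.password` is also still created when a password is supplied, which is harmless but deserves a comment so nobody "fixes" it with a `count`.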