Skip to content

Commit

Permalink
Merge pull request #107 from kloia/rds-custom
Browse files Browse the repository at this point in the history 
rds-custom resources added to rds aurora module
  • Loading branch information
@ahmetayd
ahmetayd authored Nov 15, 2023
2 parents 88a2f36 + 4c67cd7 commit 0860fde
Show file tree
Hide file tree
Showing 2 changed files with 302 additions and 10 deletions.
292 changes: 282 additions & 10 deletions aws-rds-aurora/main.tf
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
data "aws_partition" "current" {}

data "aws_region" "current" {}

locals {
create_cluster = var.create_cluster

Expand All @@ -11,7 +13,7 @@ locals {
cluster_parameter_group_name = try(coalesce(var.db_cluster_parameter_group_name, var.name), null)
db_parameter_group_name = try(coalesce(var.db_parameter_group_name, var.name), null)

master_password = local.create_cluster && var.create_random_password ? random_password.master_password[0].result : var.master_password
master_password = var.create_random_password && var.rds_custom ? random_password.master_password[0].result : var.master_password
backtrack_window = (var.engine == "aurora-mysql" || var.engine == "aurora") && var.engine_mode != "serverless" ? var.backtrack_window : 0

is_serverless = var.engine_mode == "serverless"
Expand All @@ -22,12 +24,18 @@ locals {
################################################################################

resource "random_password" "master_password" {
count = local.create_cluster && var.create_random_password ? 1 : 0
count = var.create_random_password ? 1 : 0

length = var.random_password_length
special = false
}

resource "aws_ssm_parameter" "master_password" {
name = "${var.name}-password"
type = "SecureString"
value = random_password.master_password[0].result
}

resource "random_id" "snapshot_identifier" {
count = local.create_cluster ? 1 : 0

Expand All @@ -54,7 +62,7 @@ data "aws_subnets" "private_subnets_with_database_tag" {
}

resource "aws_db_subnet_group" "this" {
count = local.create_cluster && var.create_db_subnet_group ? 1 : 0
count = var.create_db_subnet_group ? 1 : 0

name = local.internal_db_subnet_group_name
description = "For Aurora cluster ${var.name}"
Expand Down Expand Up @@ -260,7 +268,7 @@ data "aws_iam_policy_document" "monitoring_rds_assume_role" {
}

resource "aws_iam_role" "rds_enhanced_monitoring" {
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
count = var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0

name = var.iam_role_use_name_prefix ? null : var.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${var.iam_role_name}-" : null
Expand All @@ -277,7 +285,7 @@ resource "aws_iam_role" "rds_enhanced_monitoring" {
}

resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
count = var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0

role = aws_iam_role.rds_enhanced_monitoring[0].name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
Expand Down Expand Up @@ -326,7 +334,7 @@ resource "aws_appautoscaling_policy" "this" {
################################################################################

resource "aws_security_group" "this" {
count = local.create_cluster && var.create_security_group ? 1 : 0
count = var.create_security_group ? 1 : 0

name = var.security_group_use_name_prefix ? null : var.name
name_prefix = var.security_group_use_name_prefix ? "${var.name}-" : null
Expand All @@ -342,7 +350,7 @@ resource "aws_security_group" "this" {

# TODO - change to map of ingress rules under one resource at next breaking change
resource "aws_security_group_rule" "default_ingress" {
count = local.create_cluster && var.create_security_group ? length(var.allowed_security_groups) : 0
count = var.create_security_group ? length(var.allowed_security_groups) : 0

description = "From allowed SGs"

Expand All @@ -356,7 +364,7 @@ resource "aws_security_group_rule" "default_ingress" {

# TODO - change to map of ingress rules under one resource at next breaking change
resource "aws_security_group_rule" "cidr_ingress" {
count = local.create_cluster && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
count = var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0

description = "From allowed CIDRs"

Expand All @@ -369,7 +377,7 @@ resource "aws_security_group_rule" "cidr_ingress" {
}

resource "aws_security_group_rule" "egress" {
for_each = local.create_cluster && var.create_security_group ? var.security_group_egress_rules : {}
for_each = var.create_security_group ? var.security_group_egress_rules : {}

# required
type = "egress"
Expand Down Expand Up @@ -416,7 +424,7 @@ resource "aws_rds_cluster_parameter_group" "this" {
################################################################################

resource "aws_db_parameter_group" "this" {
count = local.create_cluster && var.create_db_parameter_group ? 1 : 0
count = local.create_cluster && var.create_db_parameter_group && var.rds_custom ? 1 : 0

name = var.db_parameter_group_use_name_prefix ? null : local.db_parameter_group_name
name_prefix = var.db_parameter_group_use_name_prefix ? "${local.db_parameter_group_name}-" : null
Expand Down Expand Up @@ -478,3 +486,267 @@ resource "aws_kms_key" "kms" {
multi_region = var.kms_multi_region
}


#############################
# Amazon RDS for SQL Server #
#############################

resource "aws_iam_policy" "policy" {
name = "AWSRDSCustomSQLServerIamRolePolicy"
path = "/"
description = "AWS RDS Custom SQL Server Policy"

# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ssmAgent1",
"Effect": "Allow",
"Action": [
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:ListAssociations",
"ssm:PutInventory",
"ssm:PutConfigurePackageResult",
"ssm:UpdateInstanceInformation",
"ssm:GetManifest"
],
"Resource": "*"
},
{
"Sid": "ssmAgent2",
"Effect": "Allow",
"Action": [
"ssm:ListInstanceAssociations",
"ssm:PutComplianceItems",
"ssm:UpdateAssociationStatus",
"ssm:DescribeAssociation",
"ssm:UpdateInstanceAssociationStatus"
],
"Resource": "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"
},
{
"Sid": "ssmAgent3",
"Effect": "Allow",
"Action": [
"ssm:UpdateAssociationStatus",
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:DescribeDocument"
],
"Resource": "arn:aws:ssm:*:*:document/*"
},
{
"Sid": "ssmAgent4",
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Sid": "ssmAgent5",
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Sid": "ssmAgent6",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:*:*:parameter/*"
},
{
"Sid": "ssmAgent7",
"Effect": "Allow",
"Action": [
"ssm:UpdateInstanceAssociationStatus",
"ssm:DescribeAssociation"
],
"Resource": "arn:aws:ssm:*:*:association/*"
},
{
"Sid": "eccSnapshot1",
"Effect": "Allow",
"Action": "ec2:CreateSnapshot",
"Resource": [
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*"
],
},
{
"Sid": "eccSnapshot2",
"Effect": "Allow",
"Action": "ec2:CreateSnapshot",
"Resource": [
"arn:aws:ec2:${data.aws_region.current.name}::snapshot/*"
]
},
{
"Sid": "eccCreateTag",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
},
{
"Sid": "s3BucketAccess",
"Effect": "Allow",
"Action": [
"s3:putObject",
"s3:getObject",
"s3:getObjectVersion",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::do-not-delete-rds-custom-*/*"
]
},
{
"Sid": "customerKMSEncryption",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*"
],
"Resource": [
"${var.kms_key_id}"
]
},
{
"Sid": "readSecretsFromCP",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": [
"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:do-not-delete-rds-custom-*"
]
},
{
"Sid": "publishCWMetrics",
"Effect": "Allow",
"Action": "cloudwatch:PutMetricData",
"Resource": "*"
},
{
"Sid": "putEventsToEventBus",
"Effect": "Allow",
"Action": "events:PutEvents",
"Resource": "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:event-bus/default"
},
{
"Sid": "cwlOperations1",
"Effect": "Allow",
"Action": [
"logs:PutRetentionPolicy",
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:rds-custom-instance-*"
},
{
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
],
"Resource": [
"arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:do-not-delete-rds-custom-*"
],
"Effect": "Allow",
"Sid": "SendMessageToSQSQueue"
}
]
})
}


resource "aws_iam_role" "rds_custom_role" {
name = "AWSRDSCustomSQLServerInstanceRole"
path = "/"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_policy_attachment" "custom_attach" {
name = "rds-custom-attachment"
roles = [aws_iam_role.rds_custom_role.name]
policy_arn = aws_iam_policy.policy.arn

}

resource "aws_iam_instance_profile" "rds_custom_profile" {
name = "AWSRDSCustomSQLServerInstanceProfile"
role = aws_iam_role.rds_custom_role.name

}

data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"

principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}

actions = ["sts:AssumeRole"]
}
}

resource "aws_db_instance" "rds_sql_server" {

count = var.rds_custom ? 1 : 0

engine = var.engine
engine_version = var.engine_version
port = 1433

identifier = var.instances_use_identifier_prefix ? null : var.name

allow_major_version_upgrade = var.allow_major_version_upgrade
auto_minor_version_upgrade = var.auto_minor_version_upgrade # Custom for SQL Server does not support minor version upgrades
apply_immediately = var.apply_immediately

custom_iam_instance_profile = aws_iam_instance_profile.rds_custom_profile.name # Instance profile is required for Custom for SQL Server

backup_window = var.preferred_backup_window
backup_retention_period = var.backup_retention_period
maintenance_window = var.preferred_maintenance_window
skip_final_snapshot = var.skip_final_snapshot
deletion_protection = var.deletion_protection

db_subnet_group_name = local.db_subnet_group_name
instance_class = var.instance_class
kms_key_id = var.kms_key_id
parameter_group_name = var.custom_db_paramater_group_name

allocated_storage = var.allocated_storage
storage_type = var.storage_type
storage_encrypted = var.storage_encrypted

username = var.master_username
password = local.master_password

multi_az = var.multi_az # Custom RDS does support multi AZ
vpc_security_group_ids = var.allowed_security_groups

depends_on = [ aws_iam_policy_attachment.custom_attach ]

}
Loading

0 comments on commit 0860fde

Please sign in to comment.