rds-custom resources added to rds aurora module
Halil Bozan authored and Halil Bozan committed Oct 30, 2023
1 parent a5c331a commit 1b43cdc
Showing 2 changed files with 270 additions and 8 deletions.
260 changes: 252 additions & 8 deletions aws-rds-aurora/main.tf
@@ -1,5 +1,9 @@
data "aws_partition" "current" {}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

locals {
create_cluster = var.create_cluster

Expand All @@ -11,7 +15,7 @@ locals {
cluster_parameter_group_name = try(coalesce(var.db_cluster_parameter_group_name, var.name), null)
db_parameter_group_name = try(coalesce(var.db_parameter_group_name, var.name), null)

master_password = local.create_cluster && var.create_random_password ? random_password.master_password[0].result : var.master_password
master_password = local.create_cluster && var.create_random_password && var.rds_custom ? random_password.master_password[0].result : var.master_password
backtrack_window = (var.engine == "aurora-mysql" || var.engine == "aurora") && var.engine_mode != "serverless" ? var.backtrack_window : 0

is_serverless = var.engine_mode == "serverless"
Expand Down Expand Up @@ -68,7 +72,7 @@ resource "aws_db_subnet_group" "this" {
################################################################################

resource "aws_rds_cluster" "this" {
count = local.create_cluster ? 1 : 0
count = local.create_cluster && var.rds_custom ? 1 : 0

allocated_storage = var.allocated_storage
allow_major_version_upgrade = var.allow_major_version_upgrade
Expand Down Expand Up @@ -260,7 +264,7 @@ data "aws_iam_policy_document" "monitoring_rds_assume_role" {
}

resource "aws_iam_role" "rds_enhanced_monitoring" {
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval && var.rds_custom > 0 ? 1 : 0

name = var.iam_role_use_name_prefix ? null : var.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${var.iam_role_name}-" : null
Expand All @@ -277,7 +281,7 @@ resource "aws_iam_role" "rds_enhanced_monitoring" {
}

resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
count = local.create_cluster && var.create_monitoring_role && var.monitoring_interval && var.rds_custom > 0 ? 1 : 0

role = aws_iam_role.rds_enhanced_monitoring[0].name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
Expand Down Expand Up @@ -326,7 +330,7 @@ resource "aws_appautoscaling_policy" "this" {
################################################################################

resource "aws_security_group" "this" {
count = local.create_cluster && var.create_security_group ? 1 : 0
count = local.create_cluster && var.create_security_group && var.rds_custom ? 1 : 0

name = var.security_group_use_name_prefix ? null : var.name
name_prefix = var.security_group_use_name_prefix ? "${var.name}-" : null
Expand All @@ -342,7 +346,7 @@ resource "aws_security_group" "this" {

# TODO - change to map of ingress rules under one resource at next breaking change
resource "aws_security_group_rule" "default_ingress" {
count = local.create_cluster && var.create_security_group ? length(var.allowed_security_groups) : 0
count = local.create_cluster && var.create_security_group && var.rds_custom ? length(var.allowed_security_groups) : 0

description = "From allowed SGs"

Expand All @@ -356,7 +360,7 @@ resource "aws_security_group_rule" "default_ingress" {

# TODO - change to map of ingress rules under one resource at next breaking change
resource "aws_security_group_rule" "cidr_ingress" {
count = local.create_cluster && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
count = local.create_cluster && var.create_security_group && length(var.allowed_cidr_blocks) && var.rds_custom > 0 ? 1 : 0

description = "From allowed CIDRs"

Expand Down Expand Up @@ -416,7 +420,7 @@ resource "aws_rds_cluster_parameter_group" "this" {
################################################################################

resource "aws_db_parameter_group" "this" {
count = local.create_cluster && var.create_db_parameter_group ? 1 : 0
count = local.create_cluster && var.create_db_parameter_group && var.rds_custom ? 1 : 0

name = var.db_parameter_group_use_name_prefix ? null : local.db_parameter_group_name
name_prefix = var.db_parameter_group_use_name_prefix ? "${local.db_parameter_group_name}-" : null
Expand Down Expand Up @@ -478,3 +482,243 @@ resource "aws_kms_key" "kms" {
multi_region = var.kms_multi_region
}


#############################
# Amazon RDS for SQL Server #
#############################
resource "aws_db_instance" "rds_sql_server" {

count = var.rds_custom ? 1 : 0

engine = var.engine
engine_version = var.engine_version
port = 1433

allow_major_version_upgrade = var.allow_major_version_upgrade
auto_minor_version_upgrade = var.auto_minor_version_upgrade # Custom for SQL Server does not support minor version upgrades
apply_immediately = var.apply_immediately

custom_iam_instance_profile = var.custom_iam_instance_profile # Instance profile is required for Custom for SQL Server

backup_window = var.backup_windows_retention_maintenance[0]
backup_retention_period = var.backup_windows_retention_maintenance[1]
maintenance_window = var.backup_windows_retention_maintenance[2]
skip_final_snapshot = var.skip_final_snapshot
deletion_protection = var.deletion_protection

db_subnet_group_name = local.db_subnet_group_name
instance_class = var.db_cluster_instance_class
kms_key_id = var.kms_key_id

allocated_storage = var.allocated_storage
storage_type = var.storage_type
storage_encrypted = var.storage_encrypted

username = var.master_username
password = local.master_password

multi_az = var.multi_az # Custom RDS does support multi AZ
vpc_security_group_ids = var.vpc_security_group_ids
}

resource "aws_iam_instance_profile" "rds_custom_profile" {
name = "AWSRDSCustomSQLServerInstanceProfile"
role = aws_iam_role.role.name
}

data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"

principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}

actions = ["sts:AssumeRole"]
}
}

resource "aws_iam_policy" "policy" {
name = "AWSRDSCustomSQLServerIamRolePolicy"
path = "/"
description = "AWS RDS Custom SQL Server Policy"

# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ssm:ListInstanceAssociations",
"ssm:PutComplianceItems",
"ssm:UpdateAssociationStatus",
"ssm:DescribeAssociation",
"ssm:UpdateInstanceAssociationStatus"
]
Effect = "Allow"
Resource = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*",
Condition = {
"StringEquals" = {
"aws:ResourceTag/AWSRDSCustom" = "${aws_db_instance.rds_sql_server.db_name}"
}
}
},
{
Action = [
"ssm:UpdateAssociationStatus",
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:DescribeDocument"
]
Effect = "Allow"
Resource = "arn:aws:ssm:*:*:document/*"
},
{
Action = [
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:ListAssociations",
"ssm:PutInventory",
"ssm:PutConfigurePackageResult",
"ssm:UpdateInstanceInformation",
"ssm:GetManifest",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
]
Effect = "Allow"
Resource = "*"
},
{
Action = [
"ssm:GetParameters",
"ssm:GetParameter"
]
Effect = "Allow"
Resource = "arn:aws:ssm:*:*:parameter/*"
},
{
Action = [
"ssm:UpdateInstanceAssociationStatus",
"ssm:DescribeAssociation"
]
Effect = "Allow"
Resource = "arn:aws:ssm:*:*:association/*"
},
{
Action = "ec2:CreateSnapshot"
Effect = "Allow"
Resource = [
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*",
"arn:aws:ec2:${data.aws_region.current.name}::snapshot/*",

]
Condition = {
"StringEquals" = {
"aws:ResourceTag/AWSRDSCustom" = "${aws_db_instance.rds_sql_server.db_name}"
}
}
},
{
Action = [
"ec2:CreateTags"
]
Effect = "Allow"
Resource = "*"
Condition = {
"StringEquals" = {
"aws:ResourceTag/AWSRDSCustom" = "${aws_db_instance.rds_sql_server.db_name}",
"ec2:CreateAction" = "CreateSnapshot"
}
}
},
{
Action = [
"s3:putObject",
"s3:getObject",
"s3:getObjectVersion",
"s3:AbortMultipartUpload"
]
Effect = "Allow"
Resource = "arn:aws:s3:::do-not-delete-rds-custom-*/*"
},
{
Action = [
"kms:Decrypt",
"kms:GenerateDataKey*"
]
Effect = "Allow"
Resource = "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${var.kms_key_id}"
},
{
Action = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
]
Effect = "Allow"
Resource = "arn:aws:secretmanager:${REGION}:${data.aws_caller_identity.current.account_id}:secret:do-not-delete-rds-custom-*"
Condition = {
"StringEquals" = {
"aws:ResourceTag/AWSRDSCustom" = "${aws_db_instance.rds_sql_server.db_name}"
}
}
},
{
Action = "cloudwatch:PutMetricData"
Effect = "Allow"
Resource = "*"
Condition = {
"StringEquals" = {
"cloudwatch:namespace" = "rdscustom/rds-custom-sqlserver-agent"
}
}
},
{
Action = "putEventsToEventBus"
Effect = "Allow"
Resource = "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:event-bus/default"
},
{
Action = [
"logs:PutRetentionPolicy",
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:CreateLogGroup"
]
Effect = "Allow"
Resource = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:rds-custom-instance-*"
Condition = {
"StringEquals" = {
"aws:ResourceTag/AWSRDSCustom" = "${aws_db_instance.rds_sql_server.db_name}"
}
}
},
{
Action = [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
]
Effect = "Allow"
Resource = "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:do-not-delete-rds-custom-*"
}
]
})
}


resource "aws_iam_role" "rds_custom_role" {
name = "AWSRDSCustomSQLServerInstanceRole"
path = "/"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
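Review bot: The new IAM wiring at the end of this section does not resolve as written: `aws_iam_instance_profile.rds_custom_profile` uses `role = aws_iam_role.role.name` while the role declared is `aws_iam_role.rds_custom_role`, the Secrets Manager statement uses `${REGION}` (not a Terraform reference; `data.aws_region.current.name` is already in scope) and the service prefix `secretmanager` where the ARN service name is `secretsmanager`, and every `aws:ResourceTag/AWSRDSCustom` condition references `aws_db_instance.rds_sql_server.db_name` on a counted resource without the `[0]` index. `aws_iam_policy.policy` is also never attached to `rds_custom_role` anywhere in this hunk, so the profile would carry only the trust policy, and the role, policy and profile have no `count` guard and fixed names, so they are created — and collide across module instances — even when `var.rds_custom` is false. `Action = "putEventsToEventBus"` is not a service-prefixed IAM action (the EventBridge action is `events:PutEvents`), and the hard-coded `arn:aws:` partitions are inconsistent with the `data.aws_partition.current.partition` interpolation used a few lines earlier in the same file. In the earlier hunks, `var.monitoring_interval && var.rds_custom > 0` and `length(var.allowed_cidr_blocks) && var.rds_custom > 0` parse as `… && (var.rds_custom > 0)`, comparing a bool with a number; `var.monitoring_interval > 0 && var.rds_custom` and `length(var.allowed_cidr_blocks) > 0 && var.rds_custom` are presumably what was meant. Gating the Aurora cluster, security group, parameter group and random master password on `var.rds_custom` being true while `aws_db_instance.rds_sql_server` is also gated on `var.rds_custom` being true looks inverted — `!var.rds_custom` on the Aurora resources would match the apparent intent, but that should be confirmed with the author.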
18 changes: 18 additions & 0 deletions aws-rds-aurora/variables.tf
Expand Up @@ -483,6 +483,24 @@ variable "iam_role_max_session_duration" {
default = null
}

#############################
# Amazon RDS for SQL Server #
#############################
variable "rds_custom" {
type = bool
description = "this is value to enable RDS custom"
}

variable "custom_iam_instance_profile" {
type = string
description = "Instance profile is required for Custom for SQL Server"
}

variable "multi_az" {
type = bool
default = false
description = "Multi Availibity Zone"
}
################################################################################
# Autoscaling
################################################################################
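Review bot: `variable "rds_custom"` and `variable "custom_iam_instance_profile"` are declared without a `default`, which makes them required inputs for every existing caller of this Aurora module and turns an additive feature into a breaking change; `default = false` and `default = null` respectively would keep current callers working, with the description of `rds_custom` stating that it selects the RDS Custom for SQL Server path instead of Aurora. The description `"Multi Availibity Zone"` should read `"Multi Availability Zone"`. The new `aws_db_instance` in main.tf also reads `var.storage_type`, `var.vpc_security_group_ids`, `var.backup_windows_retention_maintenance` and `var.db_cluster_instance_class`; only `multi_az` is declared in this hunk, so those need to already exist in this file or be added here.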
