Merge pull request #20 from deliveryhero/feat/store_rds_user_password
feat: add support to store master user creds in SSM
msalman899 authored Apr 27, 2022
2 parents d01c657 + 084f264 commit 811eb26
Showing 6 changed files with 49 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,5 +1,6 @@
# Local .terraform directories
**/.terraform/*
.terraform.lock*

# .tfstate files
*.tfstate
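Review bot: the new `.terraform.lock*` entry is the right call for a reusable module (the consuming root module owns the provider lock file), but the trailing wildcard is broader than needed; `.terraform.lock.hcl` is the only file Terraform writes under that name, so ignoring it explicitly is clearer.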
8 changes: 8 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,8 @@
---
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.44.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- id: terraform_validate
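Review bot: `repo: git://github.com/antonbabenko/pre-commit-terraform` fetches hook code over the unauthenticated, unencrypted git:// transport, which gives no origin or integrity guarantee for code that then runs on every contributor's machine, and which GitHub no longer serves; change it to `https://github.com/antonbabenko/pre-commit-terraform`. Pinning `rev: v1.44.0` by tag also leaves the hook source mutable; pre-commit accepts a full commit SHA in `rev`, which is the stronger pin for a supply-chain dependency.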
4 changes: 4 additions & 0 deletions README.md
@@ -98,6 +98,8 @@ No modules.
| [aws_route53_record.reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_security_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.default_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_ssm_parameter.superuser_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [aws_ssm_parameter.superuser_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [random_id.master_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [random_id.snapshot_identifier](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_policy_document.monitoring_rds_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -146,6 +148,7 @@ No modules.
| <a name="input_preferred_backup_window_instance"></a> [preferred\_backup\_window\_instance](#input\_preferred\_backup\_window\_instance) | When to perform DB backups for instances | `string` | `""` | no |
| <a name="input_preferred_maintenance_window"></a> [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | When to perform DB maintenance for the cluster | `string` | `"sun:05:00-sun:06:00"` | no |
| <a name="input_preferred_maintenance_window_instance"></a> [preferred\_maintenance\_window\_instance](#input\_preferred\_maintenance\_window\_instance) | When to perform DB maintenance for instances | `string` | `""` | no |
| <a name="input_prefix_master_creds_ssm"></a> [prefix\_master\_creds\_ssm](#input\_prefix\_master\_creds\_ssm) | SSM parameter prefix for master user credentials | `string` | `"/database-controller"` | no |
| <a name="input_publicly_accessible"></a> [publicly\_accessible](#input\_publicly\_accessible) | Whether the DB should have a public IP address | `bool` | `false` | no |
| <a name="input_reader_endpoint_suffix"></a> [reader\_endpoint\_suffix](#input\_reader\_endpoint\_suffix) | Suffix for the Route53 record pointing to the cluster reader endpoint. Only used if route53\_zone\_id is passed also | `string` | `"-ro"` | no |
| <a name="input_replica_autoscaling"></a> [replica\_autoscaling](#input\_replica\_autoscaling) | Whether to enable autoscaling for RDS Aurora (MySQL) read replicas | `string` | `false` | no |
@@ -162,6 +165,7 @@ No modules.
| <a name="input_skip_final_snapshot"></a> [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Should a final snapshot be created on cluster destroy | `bool` | `false` | no |
| <a name="input_snapshot_identifier"></a> [snapshot\_identifier](#input\_snapshot\_identifier) | DB snapshot to create this database from | `string` | `""` | no |
| <a name="input_storage_encrypted"></a> [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the underlying storage layer should be encrypted | `bool` | `false` | no |
| <a name="input_store_master_creds_ssm"></a> [store\_master\_creds\_ssm](#input\_store\_master\_creds\_ssm) | Whether to store master user and password in SSM | `bool` | `false` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs to use | `list(string)` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | Timeout used for Cluster modifications | `string` | `"120m"` | no |
16 changes: 16 additions & 0 deletions main.tf
@@ -10,6 +10,22 @@ resource "random_id" "master_password" {
byte_length = 10
}

resource "aws_ssm_parameter" "superuser_password" {
count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/password"
type = "SecureString"
value = local.master_password
overwrite = true
}

resource "aws_ssm_parameter" "superuser_name" {
count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/name"
type = "SecureString"
value = var.username
overwrite = true
}

resource "aws_db_subnet_group" "main" {
count = var.create_resources ? 1 : 0
name = var.name
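Review bot: both new `aws_ssm_parameter` resources omit `tags = var.tags`, although the README in this same change documents `tags` as "A map of tags to add to all resources"; add it so the parameters inherit the module's tags. Two further points on the same blocks: neither parameter sets `key_id`, so the SecureString values are encrypted with the account's default `aws/ssm` key and read access to the master password reduces to whoever holds `ssm:GetParameter` on the prefix; exposing a KMS key variable would let consumers bind the parameters to a customer-managed key with its own key policy. Also, building the name from `aws_rds_cluster.main[0].endpoint` ties the parameter path to the endpoint hostname, so the parameters are destroyed and recreated whenever that changes; keying the path on `var.name` gives consumers a stable path to reference in IAM policies.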
12 changes: 12 additions & 0 deletions variables.tf
@@ -79,6 +79,18 @@ variable "password" {
default = ""
}

variable "store_master_creds_ssm" {
description = "Whether to store master user and password in SSM"
default = false
type = bool
}

variable "prefix_master_creds_ssm" {
description = "SSM parameter prefix for master user credentials"
default = "/database-controller"
type = string
}

variable "final_snapshot_identifier_prefix" {
description = "The prefix name to use when creating a final snapshot on cluster destroy, appends a random 8 digits to name to ensure it's unique too."
default = "final-"
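Review bot: `prefix_master_creds_ssm` is concatenated straight into the parameter name in main.tf, so a value without a leading `/` or with a trailing `/` silently produces a path that does not match the documented `<prefix>/<endpoint>/superuser/...` layout; add a `validation` block (Terraform 0.13+), for example `condition = can(regex("^/[^/].*[^/]$", var.prefix_master_creds_ssm))` with an `error_message` explaining the expected form. The description of `store_master_creds_ssm` also feeds the generated README, so it is worth saying where the values go (SecureString parameters under the prefix, keyed by cluster endpoint) so consumers understand what they are opting into.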
8 changes: 8 additions & 0 deletions versions.tf
@@ -0,0 +1,8 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.63.0"
}
}
}
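Review bot: `required_providers` declares only `aws`, but the module also uses the `random` provider (`random_id.master_password` appears in the main.tf context lines and in the README resource table), so add `random = { source = "hashicorp/random" }` with a version floor; otherwise the dependency is resolved implicitly and stays invisible to consumers and to the `terraform_validate` hook added in this change. A `required_version` constraint is also worth adding, since the `source` syntax in this block already requires Terraform 0.13 or later.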
