From 55f67c4d23c608903ab2be39bac6232085281f46 Mon Sep 17 00:00:00 2001
From: Muhammad Salman
Date: Mon, 25 Apr 2022 16:30:32 +0200
Subject: [PATCH 1/5] feat: add support to store master user creds in SSM
---
main.tf | 16 ++++++++++++++++
variables.tf | 12 ++++++++++++
2 files changed, 28 insertions(+)
diff --git a/main.tf b/main.tf
index ddc567a..208a8cb 100644
--- a/main.tf
+++ b/main.tf
@@ -10,6 +10,22 @@ resource "random_id" "master_password" {
 byte_length = 10
 }
+resource "aws_ssm_parameter" "superuser_password" {
+ count = var.store_master_creds_ssm ? 1 : 0
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main.endpoint}/superuser/password"
+ type = "SecureString"
+ value = local.master_password
+ overwrite = true
+}
+
+resource "aws_ssm_parameter" "superuser_name" {
+ count = var.store_master_creds_ssm ? 1 : 0
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main.endpoint}/superuser/name"
+ type = "SecureString"
+ value = var.username
+ overwrite = true
+}
+
 resource "aws_db_subnet_group" "main" {
 count = var.create_resources ? 1 : 0
 name = var.name
diff --git a/variables.tf b/variables.tf
index de39af8..dab594d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -79,6 +79,18 @@ variable "password" {
 default = ""
 }
+variable "store_master_creds_ssm" {
+ description = "Whether to store master user and password in SSM"
+ default = false
+ type = bool
+}
+
+variable "prefix_master_creds_ssm" {
+ description = "SSM parameter prefix for master user credentials"
+ default = "/database-controller"
+ type = string
+}
+
 variable "final_snapshot_identifier_prefix" {
 description = "The prefix name to use when creating a final snapshot on cluster destroy, appends a random 8 digits to name to ensure it's unique too."
 default = "final-"
From 8fc10c96c1d3221b36b29242a436641e4abb1d71 Mon Sep 17 00:00:00 2001
From: Muhammad Salman
Date: Mon, 25 Apr 2022 16:52:00 +0200
Subject: [PATCH 2/5] fix: update README
---
README.md | 4 ++++
1 file changed, 4 insertions(+)
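Review bot: Neither new `aws_ssm_parameter` resource sets `key_id`, so both SecureString values are encrypted with the account's default AWS-managed `aws/ssm` key, which means any principal with `ssm:GetParameter` under the prefix can read the master password and access cannot additionally be gated through a KMS key policy. Consider a `kms_key_id` variable (default `null`) passed as `key_id = var.kms_key_id` on both resources. The resources also omit `tags`, although the module documents its `tags` input as applied to all resources; `tags = var.tags` on each keeps that contract. Note that a SecureString value is still recorded in plaintext in Terraform state, as the cluster's master password already is, so this feature does not raise the sensitivity of the state file but does add a second location that holds the secret.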
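Review bot: `prefix_master_creds_ssm` is interpolated straight into the parameter name with no validation, so a value without a leading slash yields a hierarchical name such as `database-controller/<endpoint>/superuser/password`, which the SSM API rejects as not fully qualified, and a trailing slash yields a `//` segment; either only fails at apply time. A `validation` block (Terraform 0.13+) turns that into a plan-time error with a clear message. The `store_master_creds_ssm` description could also state the resulting path, `<prefix>/<cluster endpoint>/superuser/{name,password}`, since that is what consumers must grant `ssm:GetParameter` on.

```hcl
variable "prefix_master_creds_ssm" {
  description = "SSM parameter prefix for master user credentials"
  default     = "/database-controller"
  type        = string

  validation {
    condition     = can(regex("^/.*[^/]$", var.prefix_master_creds_ssm))
    error_message = "prefix_master_creds_ssm must start with '/' and must not end with '/'."
  }
}
```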
diff --git a/README.md b/README.md
index c755eeb..590d047 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,8 @@ No modules.
 | [aws_route53_record.reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_security_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.default_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_ssm_parameter.superuser_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.superuser_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [random_id.master_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [random_id.snapshot_identifier](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_iam_policy_document.monitoring_rds_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -146,6 +148,7 @@ No modules.
 | [preferred\_backup\_window\_instance](#input\_preferred\_backup\_window\_instance) | When to perform DB backups for instances | `string` | `""` | no |
 | [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | When to perform DB maintenance for the cluster | `string` | `"sun:05:00-sun:06:00"` | no |
 | [preferred\_maintenance\_window\_instance](#input\_preferred\_maintenance\_window\_instance) | When to perform DB maintenance for instances | `string` | `""` | no |
+| [prefix\_master\_creds\_ssm](#input\_prefix\_master\_creds\_ssm) | SSM parameter prefix for master user credentials | `string` | `"/database-controller"` | no |
 | [publicly\_accessible](#input\_publicly\_accessible) | Whether the DB should have a public IP address | `bool` | `false` | no |
 | [reader\_endpoint\_suffix](#input\_reader\_endpoint\_suffix) | Suffix for the Route53 record pointing to the cluster reader endpoint. Only used if route53\_zone\_id is passed also | `string` | `"-ro"` | no |
 | [replica\_autoscaling](#input\_replica\_autoscaling) | Whether to enable autoscaling for RDS Aurora (MySQL) read replicas | `string` | `false` | no |
@@ -162,6 +165,7 @@ No modules.
 | [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Should a final snapshot be created on cluster destroy | `bool` | `false` | no |
 | [snapshot\_identifier](#input\_snapshot\_identifier) | DB snapshot to create this database from | `string` | `""` | no |
 | [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the underlying storage layer should be encrypted | `bool` | `false` | no |
+| [store\_master\_creds\_ssm](#input\_store\_master\_creds\_ssm) | Whether to store master user and password in SSM | `bool` | `false` | no |
 | [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs to use | `list(string)` | n/a | yes |
 | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | [update\_timeout](#input\_update\_timeout) | Timeout used for Cluster modifications | `string` | `"120m"` | no |
From a6cfb33f346cd987abedbbd6e19b52b992df1632 Mon Sep 17 00:00:00 2001
From: Muhammad Salman
Date: Tue, 26 Apr 2022 13:18:44 +0200
Subject: [PATCH 3/5] fix: add aws_rds_cluster resource index
---
main.tf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 208a8cb..1e9d282 100644
--- a/main.tf
+++ b/main.tf
@@ -12,7 +12,7 @@ resource "random_id" "master_password" {
 resource "aws_ssm_parameter" "superuser_password" {
 count = var.store_master_creds_ssm ? 1 : 0
- name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main.endpoint}/superuser/password"
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/password"
 type = "SecureString"
 value = local.master_password
 overwrite = true
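Review bot: The parameter path is now built from `aws_rds_cluster.main[0].endpoint`, which is only known after apply and changes whenever the cluster is replaced, so a consumer cannot predict the path from the module's inputs, and because a changed `name` replaces the SSM parameter the old entry disappears along with the old endpoint. None of the patches in this series adds an output for the parameters; exporting `aws_ssm_parameter.superuser_password[*].name` and `[*].arn` (and the same for `superuser_name`) would let callers scope `ssm:GetParameter` to the exact path instead of a wildcard under the prefix. The `superuser_password` resource starts inside the hunk but the `random_id` block named in the hunk header begins before it.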
@@ -20,7 +20,7 @@ resource "aws_ssm_parameter" "superuser_password" {
 resource "aws_ssm_parameter" "superuser_name" {
 count = var.store_master_creds_ssm ? 1 : 0
- name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main.endpoint}/superuser/name"
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/name"
 type = "SecureString"
 value = var.username
 overwrite = true
From f2eac2c641ee10fd5a3c366b164bf99dd3c0ac89 Mon Sep 17 00:00:00 2001
From: Muhammad Salman
Date: Tue, 26 Apr 2022 13:19:25 +0200
Subject: [PATCH 4/5] BREAKING CHANGE: min aws provider version 3.63.0
---
versions.tf | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 versions.tf
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..851b378
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63.0"
+ }
+ }
+}
From 084f2647bef77d61cafcbd88df8100876d960206 Mon Sep 17 00:00:00 2001
From: Muhammad Salman
Date: Tue, 26 Apr 2022 19:03:10 +0200
Subject: [PATCH 5/5] fix: add ssm resource to global create condition and add pre commit config
---
.gitignore | 1 +
.pre-commit-config.yaml | 8 ++++++++
main.tf | 4 ++--
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 .pre-commit-config.yaml
diff --git a/.gitignore b/.gitignore
index 1fef4ab..8f21985 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Local .terraform directories
 **/.terraform/*
+.terraform.lock*
 # .tfstate files
 *.tfstate
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0b342d4
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+---
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.44.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ - id: terraform_tflint
+ - id: terraform_validate
diff --git a/main.tf b/main.tf
index 1e9d282..16b3f40 100644
--- a/main.tf
+++ b/main.tf
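Review bot: The `version = ">= 3.63.0"` constraint in versions.tf has no upper bound, so a consumer without a committed lock file resolves the newest provider release, including the next major version, and that provider's breaking changes then surface as plan errors attributed to this module; a bounded constraint such as `version = ">= 3.63.0, < 5.0.0"` keeps the floor this patch announces while excluding untested majors. The file also declares no `required_version` for the Terraform CLI itself; adding one that matches what the module is tested against documents the other half of the compatibility contract.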
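Review bot: The hook source `repo: git://github.com/antonbabenko/pre-commit-terraform` uses the unauthenticated, unencrypted git protocol, which GitHub stopped serving in March 2022, so `pre-commit install` will fail outright, and from any mirror that still answers nothing verifies the integrity of what was fetched; change it to `repo: https://github.com/antonbabenko/pre-commit-terraform`. `rev: v1.44.0` is a tag, and tags can be moved, so for hooks that run `terraform`, `tflint` and `terraform-docs` on every developer's machine, pinning `rev` to the tag's full commit SHA is the more defensible choice.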
@@ -11,7 +11,7 @@ resource "random_id" "master_password" {
 }
 resource "aws_ssm_parameter" "superuser_password" {
- count = var.store_master_creds_ssm ? 1 : 0
+ count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
 name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/password"
 type = "SecureString"
 value = local.master_password
@@ -19,7 +19,7 @@ resource "aws_ssm_parameter" "superuser_password" {
 }
 resource "aws_ssm_parameter" "superuser_name" {
- count = var.store_master_creds_ssm ? 1 : 0
+ count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
 name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/name"
 type = "SecureString"
 value = var.username
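Review bot: `overwrite = true` is still set on the password parameter (it sits just past this hunk's end), so if a parameter already exists at the computed path, for example one left by an earlier cluster that produced the same endpoint or one created by hand, the first apply silently replaces its value rather than failing, and the pre-existing secret is lost with no plan-time signal. If adopting existing parameters is not intended, dropping `overwrite` makes the collision an error; if it is intended, a one-line comment such as `# overwrite: take over any stale parameter left by a previous cluster at this path` records the decision. Later AWS provider releases deprecate this argument in favour of create-or-fail semantics, which matters given the open-ended version constraint. The `superuser_password` resource continues past the end of the hunk.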
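Review bot: The new `count` repeats the `create_resources` condition that presumably gates `aws_rds_cluster.main`, and the `[0]` reference on the next line is only safe while the two expressions stay in lockstep; deriving the count from the cluster itself, `count = length(aws_rds_cluster.main) > 0 && var.store_master_creds_ssm ? 1 : 0`, removes that coupling. The cluster resource is not visible in this diff, so confirm its count is driven by `var.create_resources` alone before relying on the duplicated condition. The `superuser_name` resource continues past the end of the hunk.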