From 528dd562aff269af2ae997e7a667401d77e4f8aa Mon Sep 17 00:00:00 2001
From: poornima-moj
Date: Thu, 11 Jun 2020 16:24:02 +0100
Subject: [PATCH 1/2] Adding replicate_source_db variable to support read_replica databases db_parameter group is required
---
 main.tf | 28 ++++++++++++++++++----------
 output.tf | 12 +++++++++---
 variables.tf | 30 ++++++++++++++++--------------
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/main.tf b/main.tf
index 7d52ec0..04cb95d 100644
--- a/main.tf
+++ b/main.tf
@@ -32,6 +32,7 @@ resource "random_password" "password" {
 }
 
 resource "aws_kms_key" "kms" {
+  count = var.replicate_source_db != "" ? 0 : 1
   description = local.identifier
 
   tags = {
@@ -45,11 +46,13 @@ resource "aws_kms_key" "kms" {
 }
 
 resource "aws_kms_alias" "alias" {
+  count = var.replicate_source_db != "" ? 0 : 1
   name = "alias/${local.identifier}"
-  target_key_id = aws_kms_key.kms.key_id
+  target_key_id = aws_kms_key.kms[0].key_id
 }
 
 resource "aws_db_subnet_group" "db_subnet" {
+  count = var.replicate_source_db != "" ? 0 : 1
   name = local.identifier
   subnet_ids = data.terraform_remote_state.cluster.outputs.internal_subnets_ids
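Review bot: Adding `count` to `aws_kms_key.kms` changes its address from `aws_kms_key.kms` to `aws_kms_key.kms[0]`, so on an existing deployment the plan destroys the old key and creates a new one unless state is moved first; the same applies to `aws_kms_alias.alias` and `aws_db_subnet_group.db_subnet` in the next hunk and to `aws_iam_user.user`, `aws_iam_access_key.user` and `aws_iam_user_policy.policy` in the later main.tf hunks. Because `aws_db_instance.rds` takes `kms_key_id` from this key and that argument forces replacement, a recreated key would also replace the encrypted instance while the old key goes into its deletion waiting period. On Terraform 0.12 each affected resource needs a move before apply, e.g. `terraform state mv aws_kms_key.kms 'aws_kms_key.kms[0]'`; newer releases may migrate the index automatically, but either way this is an upgrade step the README or release notes for 5.5 should state.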
@@ -89,29 +92,31 @@ resource "aws_security_group" "rds-sg" {
 
 resource "aws_db_instance" "rds" {
   identifier = var.rds_name != "" ? var.rds_name : local.identifier
-  final_snapshot_identifier = "${local.identifier}-finalsnapshot"
+  final_snapshot_identifier = var.replicate_source_db != "" ? null : "${local.identifier}-finalsnapshot"
   allocated_storage = var.db_allocated_storage
   apply_immediately = true
   engine = var.db_engine
   engine_version = var.db_engine_version
   instance_class = var.db_instance_class
   name = local.db_name
-  username = "cp${random_string.username.result}"
-  password = random_password.password.result
+  username = var.replicate_source_db != "" ? null : "cp${random_string.username.result}"
+  password = var.replicate_source_db != "" ? null : random_password.password.result
   backup_retention_period = var.db_backup_retention_period
   storage_type = var.db_iops == 0 ? "gp2" : "io1"
   iops = var.db_iops
   storage_encrypted = true
-  db_subnet_group_name = aws_db_subnet_group.db_subnet.name
+  db_subnet_group_name = var.replicate_source_db != "" ? null : aws_db_subnet_group.db_subnet[0].name
   vpc_security_group_ids = [aws_security_group.rds-sg.id]
-  kms_key_id = aws_kms_key.kms.arn
+  kms_key_id = var.replicate_source_db != "" ? null : aws_kms_key.kms[0].arn
   multi_az = true
   copy_tags_to_snapshot = true
   snapshot_identifier = var.snapshot_identifier
+  replicate_source_db = var.replicate_source_db
   allow_major_version_upgrade = var.allow_major_version_upgrade
   parameter_group_name = aws_db_parameter_group.custom_parameters.name
-  ca_cert_identifier = var.ca_cert_identifier
+  ca_cert_identifier = var.replicate_source_db != "" ? null : var.ca_cert_identifier
   performance_insights_enabled = var.performance_insights_enabled
+  skip_final_snapshot = var.skip_final_snapshot
 
   tags = {
     business-unit = var.business-unit
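Review bot: With `replicate_source_db` set, `final_snapshot_identifier` becomes `null` while `skip_final_snapshot` keeps its default of `"false"`, a combination the AWS provider rejects at destroy time (a final snapshot identifier is required unless the final snapshot is skipped), so a replica can only be destroyed if the caller remembers the setting the example recommends. Deriving it inside the module removes that dependency on the caller: `skip_final_snapshot = var.replicate_source_db != "" ? true : var.skip_final_snapshot`. Nulling `kms_key_id` while keeping `storage_encrypted = true` presumably relies on a same-region replica inheriting the source's encryption; a cross-region encrypted replica needs its own key, so the `replicate_source_db` description should state that only same-region sources are supported. The resource body continues past the end of the hunk.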
@@ -135,16 +140,18 @@ resource "aws_db_parameter_group" "custom_parameters" {
       value = parameter.value.value
     }
   }
-
+
 }
 
 resource "aws_iam_user" "user" {
+  count = var.replicate_source_db != "" ? 0 : 1
   name = "rds-snapshots-user-${random_id.id.hex}"
   path = "/system/rds-snapshots-user/"
 }
 
 resource "aws_iam_access_key" "user" {
-  user = aws_iam_user.user.name
+  count = var.replicate_source_db != "" ? 0 : 1
+  user = aws_iam_user.user[0].name
 }
 
 data "aws_iam_policy_document" "policy" {
@@ -168,7 +175,8 @@ data "aws_iam_policy_document" "policy" {
 }
 
 resource "aws_iam_user_policy" "policy" {
+  count = var.replicate_source_db != "" ? 0 : 1
   name = "rds-snapshots-read-write"
   policy = data.aws_iam_policy_document.policy.json
-  user = aws_iam_user.user.name
+  user = aws_iam_user.user[0].name
 }
diff --git a/output.tf b/output.tf
index c2b7ae8..45a0b43 100644
--- a/output.tf
+++ b/output.tf
@@ -30,10 +30,16 @@ output "database_password" {
 
 output "access_key_id" {
   description = "Access key id for RDS IAM user"
-  value = aws_iam_access_key.user.id
+  value = join("", aws_iam_access_key.user.*.id)
+
 }
 
 output "secret_access_key" {
   description = "Secret key for RDS IAM user"
-  value = aws_iam_access_key.user.secret
-}
\ No newline at end of file
+  value = join("", aws_iam_access_key.user.*.secret)
+}
+
+output "db_identifier" {
+  description = "The RDS DB Indentifer"
+  value = aws_db_instance.rds.identifier
+}
diff --git a/variables.tf b/variables.tf
index f47a8c4..6272dce 100644
--- a/variables.tf
+++ b/variables.tf
@@ -25,9 +25,9 @@ variable "infrastructure-support" {
   description = "The team responsible for managing the infrastructure. Should be of the form ()"
 }
 
-variable "rds_name"{
+variable "rds_name" {
   description = "Optional name of the RDS cluster. Changing the name will re-create the RDS"
-  default = ""
+  default = ""
 }
 
 variable "snapshot_identifier" {
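Review bot: In the output.tf hunk, `output "secret_access_key"` still prints the IAM secret in clear text in `terraform output` and in every plan that consumes it; since the value line is being rewritten anyway, add `sensitive = true` to this output (and to the existing `database_password` output just above the hunk) so the CLI redacts it. That does not remove it from the state file, which therefore has to be handled as secret material. Separately, the new `db_identifier` description reads `"The RDS DB Indentifer"`; `"The RDS DB identifier"` is the intended wording.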
@@ -76,21 +76,11 @@ variable "allow_major_version_upgrade" {
   default = "false"
 }
 
-variable "force_ssl" {
-  description = "Enforce SSL connections, set to true to enable"
-  default = "true"
-}
-
 variable "rds_family" {
   description = "Maps the postgres version with the rds family, a family often covers several versions"
   default = "postgres10"
 }
 
-variable "apply_method" {
-  description = "Indicates when to apply parameter updates, some engines can't apply some parameters without a reboot, so set to pending-reboot"
-  default = "immediate"
-}
-
 variable "ca_cert_identifier" {
   description = "Specifies the identifier of the CA certificate for the DB instance"
   default = "rds-ca-2019"
@@ -111,9 +101,21 @@ variable "db_parameter" {
   default = [
     {
       name = "rds.force_ssl"
-      value = "true"
+      value = "1"
       apply_method = "immediate"
     }
   ]
   description = "A list of DB parameters to apply. Note that parameters may differ from a DB family to another"
-}
\ No newline at end of file
+}
+
+variable "replicate_source_db" {
+  description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate."
+  type = string
+  default = ""
+}
+
+variable "skip_final_snapshot" {
+  type = string
+  description = "If false(default) all DB are taken a final snapshot unless the db instance is created from snapshot itself or a read replica."
+  default = "false"
+}
From 1cce0902daa92767fa6b21832b9fdfb979a7f1c2 Mon Sep 17 00:00:00 2001
From: poornima-moj
Date: Wed, 17 Jun 2020 18:47:52 +0100
Subject: [PATCH 2/2] Update readme to describe input variables, release number
---
 README.md | 7 ++++---
 example/rds.tf | 13 ++++++++++++-
 variables.tf | 4 ++--
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b3adecb..4db34a9 100644
--- a/README.md
+++ b/README.md
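Review bot: Removing `variable "force_ssl"` in the first hunk leaves TLS enforcement as one element of the `db_parameter` default in the second hunk, and a list default is replaced wholesale whenever a caller supplies any value, so a caller who overrides `db_parameter` to tune an unrelated setting silently drops `rds.force_ssl` where the dedicated variable previously kept it on. Either keep the enforcement outside the overridable list or say in the description that any override must still include `{ name = "rds.force_ssl", value = "1", apply_method = "immediate" }`, and document the removed `force_ssl` and `apply_method` inputs as a breaking change, since callers still passing them will now fail with an unsupported-argument error. Also, `skip_final_snapshot` is declared `type = string` with `default = "false"`; the file already uses 0.12 typed variables, so `type = bool` with `default = false` validates the input and still accepts the quoted `"true"` shown in the example.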
@@ -32,17 +32,18 @@ See [this example](example/rds.tf)
 | db_engine | Database engine used | string | `postgres` | no |
 | db_engine_version | The engine version to use | string | `10.4` | no |
 | db_instance_class | The instance type of the RDS instance | string | `db.t2.small` | no |
-| db_backup_retention_period | The days to retain backups. Must be 1 or greater to be a source for a Read Replica | string | `7` | yes
+| db_backup_retention_period | The days to retain backups. Must be 1 or greater to be a source for a Read Replica. Must be 0 for read replica db | string | `7` | yes
 | db_iops | The amount of provisioned IOPS. Setting this implies a storage_type of io1 | string | `0` | ** Required if 'db_storage_type' is set to io1 ** |
 | db_name | The name of the database to be created on the instance (if empty, it will be the generated random identifier) | string | | no |
 | rds_name | Name of the RDS | string | if not present a name will be generated | no |
-| force_ssl | Enforce SSL connections | boolean | `true` | no |
 | performance_insights_enabled | Enable performance insights in RDS | boolean | `false` | no |
 | snapshot_identifier | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console. | string | | no |
 | providers | provider (and region) creating the resources | arrays of string | default provider | no |
 | rds_family | rds configuration version | string | `postgres10` | no |
-| apply_method | Indicates when to apply parameter updates | string | `immediate` | no |
 | ca_cert_identifier | Specifies the identifier of the CA certificate for the DB instance | string | `rds-ca-2019` | no |
+| db_parameter | Parameter block with name, value and apply_method | list | [ { name = "rds.force_ssl", value = "1", apply_method = "immediate" }] | yes |
+| replicate_source_db | Specifies that this resource is a Replicate database, and to use this value as the source database. 
This correlates to the identifier of another Amazon RDS Database to replicate. | string | | no
+| skip_final_snapshot | If false(default) all DB are taken a final snapshot unless the db instance is created from snapshot itself or a read replica." | string | `false` | no
 
 ### Tags
diff --git a/example/rds.tf b/example/rds.tf
index 5fd741f..5e73f7f 100644
--- a/example/rds.tf
+++ b/example/rds.tf
@@ -21,7 +21,7 @@ variable "cluster_state_bucket" {
 
 # Make sure you restart your pods which use this RDS secret to avoid any down time.
 module "example_team_rds" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=5.4"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=5.5"
   cluster_name = var.cluster_name
   cluster_state_bucket = var.cluster_state_bucket
   team_name = "example-repo"
@@ -55,6 +55,17 @@ module "example_team_rds" {
   # }
   # ]
 
+  # Set below values if you want to create read replica db instance
+
+  # Set the database_name of the source db
+  # db_name = module.example_team_rds.database_name
+
+  # If specifies, this resource is a Replicate database. Set the db_identifier of the source db
+  # replicate_source_db = module.example_team_rds.db_identifier
+
+  # Set to true for replica database. No backups or snapshots are created for read replica
+  # skip_final_snapshot = "true"
+  # db_backup_retention_period = 0
 
   # use "allow_major_version_upgrade" when upgrading the major version of an engine
   allow_major_version_upgrade = "true"
diff --git a/variables.tf b/variables.tf
index 6272dce..b0d1891 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,7 +47,7 @@ variable "db_engine" {
 
 variable "db_engine_version" {
   description = "The engine version to use e.g. 10"
-  default = "10"
+  default = "10.11"
 }
 
 variable "db_instance_class" {
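Review bot: The commented replica snippet in the `@@ -55` hunk of example/rds.tf sits inside `module "example_team_rds"` yet references `module.example_team_rds.database_name` and `module.example_team_rds.db_identifier`, so uncommenting it where it stands makes the module depend on its own outputs and Terraform reports a dependency cycle. The snippet is really a second module block, and showing it as one avoids the trap; the sketch below keeps the primary block untouched. The comment `No backups or snapshots are created for read replica` also overstates what the two settings do: `skip_final_snapshot` only controls the snapshot taken at destroy time, and it is `db_backup_retention_period = 0` that turns off automated backups, so the comment should say which setting does what.
```terraform
module "example_team_rds_replica" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=5.5"
  # … unchanged: cluster_name, cluster_state_bucket, team_name and tag inputs as in the primary block …
  db_name                    = module.example_team_rds.database_name
  replicate_source_db        = module.example_team_rds.db_identifier
  skip_final_snapshot        = "true"
  db_backup_retention_period = 0
}
```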
@@ -116,6 +116,6 @@ variable "replicate_source_db" {
 
 variable "skip_final_snapshot" {
   type = string
-  description = "If false(default) all DB are taken a final snapshot unless the db instance is created from snapshot itself or a read replica."
+  description = "if false(default), a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier. If true no DBSnapshot is created"
   default = "false"
 }