Merge pull request #43 from ministryofjustice/tf-012upgrade-rds
Upgrade RDS module to terraform 0.12
vijay-veeranki authored Nov 27, 2019
2 parents f8bbbc2 + 57b1f0a commit 461b010
Showing 7 changed files with 102 additions and 88 deletions.
4 changes: 3 additions & 1 deletion example/main.tf
@@ -1,5 +1,6 @@
terraform {
backend "s3" {}
backend "s3" {
}
}

provider "aws" {
Expand All @@ -15,3 +16,4 @@ provider "aws" {
alias = "ireland"
region = "eu-west-1"
}

36 changes: 19 additions & 17 deletions example/rds.tf
Expand Up @@ -4,9 +4,11 @@
*
*/

variable "cluster_name" {}
variable "cluster_name" {
}

variable "cluster_state_bucket" {}
variable "cluster_state_bucket" {
}

/*
* Make sure that you use the latest version of the module by changing the
Expand All @@ -15,9 +17,9 @@ variable "cluster_state_bucket" {}
*
*/
module "example_team_rds" {
source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=4.8"
cluster_name = "${var.cluster_name}"
cluster_state_bucket = "${var.cluster_state_bucket}"
source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=5.0"
cluster_name = var.cluster_name
cluster_state_bucket = var.cluster_state_bucket
team_name = "example-repo"
business-unit = "example-bu"
application = "exampleapp"
Expand All @@ -41,7 +43,7 @@ module "example_team_rds" {

providers = {
# Can be either "aws.london" or "aws.ireland"
aws = "aws.london"
aws = aws.london
}
}

Expand All @@ -51,20 +53,20 @@ resource "kubernetes_secret" "example_team_rds" {
namespace = "my-namespace"
}

data {
rds_instance_endpoint = "${module.example_team_rds.rds_instance_endpoint}"
database_name = "${module.example_team_rds.database_name}"
database_username = "${module.example_team_rds.database_username}"
database_password = "${module.example_team_rds.database_password}"
rds_instance_address = "${module.example_team_rds.rds_instance_address}"
access_key_id = "${module.example_team_rds.access_key_id}"
secret_access_key = "${module.example_team_rds.secret_access_key}"

/* You can replace all of the above with the following, if you prefer to
data = {
rds_instance_endpoint = module.example_team_rds.rds_instance_endpoint
database_name = module.example_team_rds.database_name
database_username = module.example_team_rds.database_username
database_password = module.example_team_rds.database_password
rds_instance_address = module.example_team_rds.rds_instance_address
access_key_id = module.example_team_rds.access_key_id
secret_access_key = module.example_team_rds.secret_access_key
}
/* You can replace all of the above with the following, if you prefer to
* use a single database URL value in your application code:
*
* url = "postgres://${module.example_team_rds.database_username}:${module.example_team_rds.database_password}@${module.example_team_rds.rds_instance_endpoint}/${module.example_team_rds.database_name}"
*
*/
}
}

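--- a/example/versions.tf
+++ b/example/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+required_version = ">= 0.12"
+}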
119 changes: 60 additions & 59 deletions main.tf
@@ -1,11 +1,12 @@
data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

data "terraform_remote_state" "cluster" {
backend = "s3"

config {
bucket = "${var.cluster_state_bucket}"
config = {
bucket = var.cluster_state_bucket
region = "eu-west-1"
key = "cloud-platform/${var.cluster_name}/terraform.tfstate"
}
Expand All @@ -17,7 +18,7 @@ resource "random_id" "id" {

locals {
identifier = "cloud-platform-${random_id.id.hex}"
db_name = "${var.db_name != "" ? var.db_name : "db${random_id.id.hex}"}"
db_name = var.db_name != "" ? var.db_name : "db${random_id.id.hex}"
}

resource "random_string" "username" {
Expand All @@ -31,41 +32,41 @@ resource "random_string" "password" {
}

resource "aws_kms_key" "kms" {
description = "${local.identifier}"

tags {
business-unit = "${var.business-unit}"
application = "${var.application}"
is-production = "${var.is-production}"
environment-name = "${var.environment-name}"
owner = "${var.team_name}"
infrastructure-support = "${var.infrastructure-support}"
description = local.identifier

tags = {
business-unit = var.business-unit
application = var.application
is-production = var.is-production
environment-name = var.environment-name
owner = var.team_name
infrastructure-support = var.infrastructure-support
}
}

resource "aws_kms_alias" "alias" {
name = "alias/${local.identifier}"
target_key_id = "${aws_kms_key.kms.key_id}"
target_key_id = aws_kms_key.kms.key_id
}

resource "aws_db_subnet_group" "db_subnet" {
name = "${local.identifier}"
subnet_ids = ["${data.terraform_remote_state.cluster.internal_subnets_ids}"]

tags {
business-unit = "${var.business-unit}"
application = "${var.application}"
is-production = "${var.is-production}"
environment-name = "${var.environment-name}"
owner = "${var.team_name}"
infrastructure-support = "${var.infrastructure-support}"
name = local.identifier
subnet_ids = data.terraform_remote_state.cluster.outputs.internal_subnets_ids

tags = {
business-unit = var.business-unit
application = var.application
is-production = var.is-production
environment-name = var.environment-name
owner = var.team_name
infrastructure-support = var.infrastructure-support
}
}

resource "aws_security_group" "rds-sg" {
name = "${local.identifier}"
name = local.identifier
description = "Allow all inbound traffic"
vpc_id = "${data.terraform_remote_state.cluster.vpc_id}"
vpc_id = data.terraform_remote_state.cluster.outputs.vpc_id

// We cannot use `${aws_db_instance.rds.port}` here because it creates a
// cyclic dependency. Rather than resorting to `aws_security_group_rule` which
Expand All @@ -75,59 +76,59 @@ resource "aws_security_group" "rds-sg" {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${data.terraform_remote_state.cluster.internal_subnets}"]
cidr_blocks = data.terraform_remote_state.cluster.outputs.internal_subnets
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${data.terraform_remote_state.cluster.internal_subnets}"]
cidr_blocks = data.terraform_remote_state.cluster.outputs.internal_subnets
}
}

resource "aws_db_instance" "rds" {
identifier = "${local.identifier}"
identifier = local.identifier
final_snapshot_identifier = "${local.identifier}-finalsnapshot"
allocated_storage = "${var.db_allocated_storage}"
allocated_storage = var.db_allocated_storage
apply_immediately = true
engine = "${var.db_engine}"
engine_version = "${var.db_engine_version}"
instance_class = "${var.db_instance_class}"
name = "${local.db_name}"
engine = var.db_engine
engine_version = var.db_engine_version
instance_class = var.db_instance_class
name = local.db_name
username = "cp${random_string.username.result}"
password = "${random_string.password.result}"
backup_retention_period = "${var.db_backup_retention_period}"
storage_type = "${var.db_iops == 0 ? "gp2" : "io1" }"
iops = "${var.db_iops}"
password = random_string.password.result
backup_retention_period = var.db_backup_retention_period
storage_type = var.db_iops == 0 ? "gp2" : "io1"
iops = var.db_iops
storage_encrypted = true
db_subnet_group_name = "${aws_db_subnet_group.db_subnet.name}"
vpc_security_group_ids = ["${aws_security_group.rds-sg.id }"]
kms_key_id = "${aws_kms_key.kms.arn}"
db_subnet_group_name = aws_db_subnet_group.db_subnet.name
vpc_security_group_ids = [aws_security_group.rds-sg.id]
kms_key_id = aws_kms_key.kms.arn
multi_az = true
copy_tags_to_snapshot = true
snapshot_identifier = "${var.snapshot_identifier}"
allow_major_version_upgrade = "${var.allow_major_version_upgrade}"
parameter_group_name = "${aws_db_parameter_group.custom_parameters.name}"

tags {
business-unit = "${var.business-unit}"
application = "${var.application}"
is-production = "${var.is-production}"
environment-name = "${var.environment-name}"
owner = "${var.team_name}"
infrastructure-support = "${var.infrastructure-support}"
snapshot_identifier = var.snapshot_identifier
allow_major_version_upgrade = var.allow_major_version_upgrade
parameter_group_name = aws_db_parameter_group.custom_parameters.name

tags = {
business-unit = var.business-unit
application = var.application
is-production = var.is-production
environment-name = var.environment-name
owner = var.team_name
infrastructure-support = var.infrastructure-support
}
}

resource "aws_db_parameter_group" "custom_parameters" {
name = "${local.identifier}"
family = "${var.rds_family}"
name = local.identifier
family = var.rds_family

parameter {
name = "rds.force_ssl"
value = "${var.force_ssl ? 1 : 0}"
apply_method = "${var.apply_method}"
value = var.force_ssl ? 1 : 0
apply_method = var.apply_method
}
}

Expand All @@ -137,7 +138,7 @@ resource "aws_iam_user" "user" {
}

resource "aws_iam_access_key" "user" {
user = "${aws_iam_user.user.name}"
user = aws_iam_user.user.name
}

data "aws_iam_policy_document" "policy" {
Expand All @@ -154,14 +155,14 @@ data "aws_iam_policy_document" "policy" {
]

resources = [
"${aws_db_instance.rds.arn}",
aws_db_instance.rds.arn,
"arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:snapshot:*",
]
}
}

resource "aws_iam_user_policy" "policy" {
name = "rds-snapshots-read-write"
policy = "${data.aws_iam_policy_document.policy.json}"
user = "${aws_iam_user.user.name}"
policy = data.aws_iam_policy_document.policy.json
user = aws_iam_user.user.name
}
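Review bot: The `rds-sg` ingress rule migrated at the `cidr_blocks` line keeps `from_port = 0`, `to_port = 0` and `protocol = "-1"`, so the database security group still admits every protocol and port from the cluster's internal subnets although only the engine's TCP port is needed. The comment above the rule explains that `aws_db_instance.rds.port` cannot be referenced because of the cyclic dependency, but the port can be derived from `var.db_engine` in a local instead, which avoids the cycle and lets the rule be narrowed; the same applies to the `egress` block below it. The `ingress {` line itself and the `locals` block's first lines sit outside this hunk. A sketch, to be extended with whatever engine values this module accepts:
```hcl
locals {
  # … unchanged: identifier, db_name …
  # Engine default port, so the security group does not need aws_db_instance.rds.port (cyclic).
  db_port = lookup({ postgres = 5432, mysql = 3306, mariadb = 3306 }, var.db_engine, 5432)
}

# … unchanged: aws_security_group "rds-sg" header, description, vpc_id …
  ingress {
    from_port   = local.db_port
    to_port     = local.db_port
    protocol    = "tcp"
    cidr_blocks = data.terraform_remote_state.cluster.outputs.internal_subnets
  }
```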
18 changes: 9 additions & 9 deletions output.tf
@@ -1,39 +1,39 @@
output "rds_instance_endpoint" {
description = "The connection endpoint in address:port format"
value = "${aws_db_instance.rds.endpoint}"
value = aws_db_instance.rds.endpoint
}

output "rds_instance_address" {
description = "The hostname of the RDS instance"
value = "${aws_db_instance.rds.address}"
value = aws_db_instance.rds.address
}

output "rds_instance_port" {
description = "The database port"
value = "${aws_db_instance.rds.port}"
value = aws_db_instance.rds.port
}

output "database_name" {
description = "Name of the database"
value = "${aws_db_instance.rds.name}"
value = aws_db_instance.rds.name
}

output "database_username" {
description = "Database Username"
value = "${aws_db_instance.rds.username}"
value = aws_db_instance.rds.username
}

output "database_password" {
description = "Database Password"
value = "${aws_db_instance.rds.password}"
value = aws_db_instance.rds.password
}

output "access_key_id" {
description = "Access key id for RDS IAM user"
value = "${aws_iam_access_key.user.id}"
value = aws_iam_access_key.user.id
}

output "secret_access_key" {
description = "Secret key for RDS IAM user"
value = "${aws_iam_access_key.user.secret}"
}
value = aws_iam_access_key.user.secret
}
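Review bot: The `database_password` and `secret_access_key` outputs are still declared without `sensitive = true`, so their values are printed in clear text by `terraform apply` and `terraform output` and end up in the CI logs of every consumer of this module; the `value` lines of those two outputs are touched here anyway, so add `sensitive = true` next to `description` on both. This only suppresses CLI display — the values remain in the state file, so the consumer's state backend still has to be treated as secret storage.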
5 changes: 3 additions & 2 deletions variables.tf
Expand Up @@ -57,7 +57,8 @@ variable "db_backup_retention_period" {

variable "db_iops" {
description = "The amount of provisioned IOPS. Setting this to a value other than 0 implies a storage_type of io1"
default = "0"
default = 0
type = number
}

variable "db_name" {
Expand All @@ -83,4 +84,4 @@ variable "rds_family" {
variable "apply_method" {
description = "Indicates when to apply parameter updates, some engines can't apply some parameters without a reboot, so set to pending-reboot"
default = "immediate"
}
}
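--- a/versions.tf
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+required_version = ">= 0.12"
+}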