diff --git a/.github/images/bridgecrew.svg b/.github/images/bridgecrew.svg
index 13f0347..ce2873d 100644
--- a/.github/images/bridgecrew.svg
+++ b/.github/images/bridgecrew.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..31986cd
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,78 @@
+name: pre-commit
+
+on:
+ pull_request:
+ branches:
+ - main
+ - master
+
+env:
+ TERRAFORM_DOCS_VERSION: v0.16.0
+
+jobs:
+ collectInputs:
+ name: Collect workflow inputs
+ runs-on: ubuntu-latest
+ outputs:
+ directories: ${{ steps.dirs.outputs.directories }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Get root directories
+ id: dirs
+ uses: clowdhaus/terraform-composite-actions/directories@v1.3.0
+
+ preCommitMinVersions:
+ name: Min TF pre-commit
+ needs: collectInputs
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+ with:
+ directory: ${{ matrix.directory }}
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory != '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory == '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+
+ preCommitMaxVersion:
+ name: Max TF pre-commit
+ runs-on: ubuntu-latest
+ needs: collectInputs
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+ terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
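Review bot: The new workflow declares no `permissions:` key, while the Checkout step of `preCommitMaxVersion` explicitly checks out the pull request's head `ref` and `repository`, a shape typically used when a later step intends to push fixes back to the PR branch; on a `pull_request` trigger the token is read-only for fork PRs, so either that push is not expected (and the explicit head checkout is unneeded) or it will fail for forks. Make the intended scope explicit at workflow level with `permissions:` / `  contents: read` (or the minimal write scope the composite action needs, with a comment saying which step uses it). All third-party actions are referenced by mutable tags (`clowdhaus/terraform-composite-actions/pre-commit@v1.3.0`, `clowdhaus/terraform-min-max@v1.0.3`, `actions/checkout@v2`); pinning to a full commit SHA with the tag kept in a trailing comment protects the job from a moved tag. The two steps named `Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}` carry the same name and the same copy-pasted comment although one handles subdirectories and the other the repository root; distinct names and a comment such as `# Root directory: validate only the top-level *.tf files` would make the logs readable.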
diff --git a/.github/workflows/semantic-releaser.yml b/.github/workflows/semantic-releaser.yml
index 6e685a0..b4e8784 100644
--- a/.github/workflows/semantic-releaser.yml
+++ b/.github/workflows/semantic-releaser.yml
@@ -1,4 +1,4 @@
-name: Release
+name: release
on:
push:
@@ -10,7 +10,7 @@ on:
jobs:
release:
- name: Release
+ name: release
runs-on: ubuntu-latest
steps:
- name: Checkout
@@ -26,5 +26,5 @@ jobs:
- name: Release
env:
- GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE }}
run: npx semantic-release
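Review bot: `GITHUB_TOKEN` is now sourced from `secrets.SEMANTIC_RELEASE` with nothing recording what that credential is or why the built-in `secrets.GITHUB_TOKEN` is not used, which matters because a repository secret of this kind is a long-lived credential that someone has to scope and rotate. Add a comment above the `env:` line, e.g. `# SEMANTIC_RELEASE: token used instead of the built-in GITHUB_TOKEN so semantic-release can push tags/release commits — TODO document required scopes and owner`. The enclosing `release` job and the `on:` trigger start outside this hunk.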
diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
deleted file mode 100644
index 270110b..0000000
--- a/.github/workflows/static-checks.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-name: static-checks
-
-on:
- pull_request:
-
-jobs:
- versionExtract:
- name: Get min/max versions
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/terraform-min-max@main
- outputs:
- minVersion: ${{ steps.minMax.outputs.minVersion }}
- maxVersion: ${{ steps.minMax.outputs.maxVersion }}
-
- versionEvaluate:
- name: Evaluate Terraform versions
- runs-on: ubuntu-latest
- needs: versionExtract
- strategy:
- fail-fast: false
- matrix:
- version:
- - ${{ needs.versionExtract.outputs.minVersion }}
- - ${{ needs.versionExtract.outputs.maxVersion }}
- directory:
- - examples/mysql_iam_cluster
- - examples/mysql_iam_instance
- - examples/postgresql_iam_cluster
- - examples/postgresql_iam_instance
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Install Terraform v${{ matrix.version }}
- uses: hashicorp/setup-terraform@v1
- with:
- terraform_version: ${{ matrix.version }}
-
- - name: Init & validate v${{ matrix.version }}
- run: |
- cd ${{ matrix.directory }}
- terraform init
- terraform validate
-
- - name: tflint
- uses: reviewdog/action-tflint@master
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- working_directory: ${{ matrix.directory }}
- fail_on_error: 'true'
- filter_mode: 'nofilter'
- flags: '--module'
-
- format:
- name: Check code format
- runs-on: ubuntu-latest
- needs: versionExtract
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }}
- uses: hashicorp/setup-terraform@v1
- with:
- terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
-
- - name: Check Terraform format changes
- run: terraform fmt --recursive -check=true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 12f60a3..3bc131b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,15 @@
repos:
- - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.51.0
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.55.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- - repo: git://github.com/pre-commit/pre-commit-hooks
+ args:
+ - '--args=--lockfile=false'
+ - id: terraform_validate
+ - id: terraform_tflint
+ - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- - id: check-merge-conflict
\ No newline at end of file
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
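Review bot: The new `--args=--lockfile=false` argument on the `terraform_docs` hook is unexplained, although it is what changes the README provider tables elsewhere in this commit from exact versions (`3.59.0`) to constraints (`>= 3.38`); record that next to it with `# --lockfile=false: document provider version constraints rather than the pins in .terraform.lock.hcl`. The switch from `git://` to `https://` repo URLs is a genuine improvement, since the git protocol is unauthenticated and unencrypted, and is worth a one-line mention in the commit message so it is not reverted by a future autoupdate.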
diff --git a/examples/mysql_iam_cluster/README.md b/examples/mysql_iam_cluster/README.md
index 570e151..8c13127 100644
--- a/examples/mysql_iam_cluster/README.md
+++ b/examples/mysql_iam_cluster/README.md
@@ -37,38 +37,29 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.59.0 |
-| [random](#provider\_random) | 3.1.0 |
+| [aws](#provider\_aws) | >= 3.38 |
+| [random](#provider\_random) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
-| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 |
+| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
+| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
## Resources
| Name | Type |
|------|------|
| [aws_db_parameter_group.aurora_db_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
-| [aws_iam_instance_profile.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_role.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.ec2_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_test_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -95,9 +86,6 @@ No inputs.
| [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-| [superuser\_db\_password\_connect](#output\_superuser\_db\_password\_connect) | Connect to database using superuser with username/password directly to database |
-| [superuser\_proxy\_iam\_connect](#output\_superuser\_proxy\_iam\_connect) | Connect to RDS Proxy using IAM auth via token generated |
-| [superuser\_proxy\_iam\_token](#output\_superuser\_proxy\_iam\_token) | Gerate connection token for connecting to RDS Proxy with IAM auth |
Apache-2.0 Licensed. See [LICENSE](../../LICENSE).
diff --git a/examples/mysql_iam_cluster/main.tf b/examples/mysql_iam_cluster/main.tf
index 4832e7d..64a812d 100644
--- a/examples/mysql_iam_cluster/main.tf
+++ b/examples/mysql_iam_cluster/main.tf
@@ -38,7 +38,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/18"
@@ -69,20 +69,21 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
- version = "~> 4"
+ version = "~> 6.0"
- name = local.name
- database_name = local.db_name
- username = local.db_username
- password = local.db_password
+ name = local.name
+ database_name = local.db_name
+ master_username = local.db_username
+ master_password = local.db_password
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
iam_database_authentication_enabled = false
- engine = "aurora-mysql"
- engine_version = "5.7"
- replica_count = 1
- instance_type = "db.t3.medium"
+ engine = "aurora-mysql"
+ engine_version = "5.7.12"
+ instance_class = "db.r6g.large"
+ instances = { 1 = {}, 2 = {} }
+
storage_encrypted = true
apply_immediately = true
skip_final_snapshot = true
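Review bot: The upgraded `rds` block pins `instance_class = "db.r6g.large"` and `instances = { 1 = {}, 2 = {} }`, a materially more expensive footprint for an example than the previous `db.t3.medium`, with no comment saying whether the larger class is required; if it is, say so (`# db.r6g.large: required by the v6 module / engine version — TODO confirm`), otherwise prefer a smaller class. The same applies to the `postgresql_iam_cluster/main.tf` hunk that makes the identical change. Separately, the EC2 test resources deleted later in this file (and in the other examples, together with the `superuser_*` outputs) are still advertised by each README, whose intro line "An EC2 instance configuration has been provided for use in validating the example" is visible as unchanged context in the README hunks; that sentence should be removed or rewritten in the same commit. The `module "rds"` block continues past this hunk.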
@@ -97,6 +98,7 @@ module "rds" {
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
db_subnet_group_name = local.name # Created by VPC module
+ create_db_subnet_group = false
db_parameter_group_name = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group.id
@@ -119,117 +121,6 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_gro
tags = local.tags
}
-################################################################################
-# Test Resources
-################################################################################
-
-resource "aws_iam_instance_profile" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.name
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test_assume" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "ec2_test" {
- name_prefix = local.name
- force_detach_policies = true
- assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test" {
- statement {
- actions = ["rds-db:connect"]
- resources = ["${local.db_iam_connect_prefix}/${local.db_username}"]
- }
-}
-
-resource "aws_iam_role_policy" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.id
- policy = data.aws_iam_policy_document.ec2_test.json
-}
-
-resource "aws_iam_role_policy_attachment" "ec2_ssm" {
- role = aws_iam_role.ec2_test.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
-data "aws_ami" "ubuntu" {
- most_recent = true
- owners = ["679593333241"]
-
- filter {
- name = "name"
- values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-}
-
-module "ec2_sg" {
- source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
-
- name = "ec2"
- description = "EC2 RDS Proxy example security group"
- vpc_id = module.vpc.vpc_id
-
- egress_rules = ["all-all"]
-
- tags = local.tags
-}
-
-module "ec2_instance" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 3"
-
- name = local.name
-
- monitoring = true
- ebs_optimized = true
- metadata_options = {
- http_endpoint = "disabled"
- }
- root_block_device = [
- {
- encrypted = true
- }
- ]
-
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
- #!/usr/bin/env bash
-
- mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
-
- apt update
- apt install awscli mysql-server -y
-
- EOT
-
- ami = data.aws_ami.ubuntu.id
- instance_type = "t3.micro"
- vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_id = element(module.vpc.private_subnets, 0)
-
- tags = local.tags
-}
-
################################################################################
# Secrets - DB user passwords
################################################################################
@@ -260,7 +151,7 @@ resource "aws_secretsmanager_secret_version" "superuser" {
module "rds_proxy_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds_proxy"
description = "PostgreSQL RDS Proxy example security group"
@@ -322,13 +213,13 @@ module "rds_proxy" {
}
engine_family = "MYSQL"
- db_host = module.rds.rds_cluster_endpoint
- db_name = module.rds.rds_cluster_database_name
+ db_host = module.rds.cluster_endpoint
+ db_name = module.rds.cluster_database_name
debug_logging = true
# Target Aurora cluster
target_db_cluster = true
- db_cluster_identifier = module.rds.rds_cluster_id
+ db_cluster_identifier = module.rds.cluster_id
tags = local.tags
}
diff --git a/examples/mysql_iam_cluster/outputs.tf b/examples/mysql_iam_cluster/outputs.tf
index 27b5466..3d97324 100644
--- a/examples/mysql_iam_cluster/outputs.tf
+++ b/examples/mysql_iam_cluster/outputs.tf
@@ -77,20 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
-
-# For aiding in testing & verification
-output "superuser_db_password_connect" {
- description = "Connect to database using superuser with username/password directly to database"
- value = "mysql --host=${module.rds.rds_cluster_endpoint} --user=${local.db_username} --password=${local.db_password} ${module.rds.rds_cluster_database_name}"
- sensitive = true
-}
-
-output "superuser_proxy_iam_token" {
- description = "Gerate connection token for connecting to RDS Proxy with IAM auth"
- value = "TOKEN=$(aws rds generate-db-auth-token --hostname ${module.rds_proxy.proxy_endpoint} --port 3306 --region ${local.region} --username ${local.db_username})"
-}
-
-output "superuser_proxy_iam_connect" {
- description = "Connect to RDS Proxy using IAM auth via token generated"
- value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.rds_cluster_database_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin"
-}
diff --git a/examples/mysql_iam_instance/README.md b/examples/mysql_iam_instance/README.md
index 4d38367..363ba2d 100644
--- a/examples/mysql_iam_instance/README.md
+++ b/examples/mysql_iam_instance/README.md
@@ -37,37 +37,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.59.0 |
-| [random](#provider\_random) | 3.1.0 |
+| [aws](#provider\_aws) | >= 3.38 |
+| [random](#provider\_random) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
-| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
+| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
+| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
## Resources
| Name | Type |
|------|------|
-| [aws_iam_instance_profile.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_role.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.ec2_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_test_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -94,9 +85,6 @@ No inputs.
| [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-| [superuser\_db\_password\_connect](#output\_superuser\_db\_password\_connect) | Connect to database using superuser with username/password directly to database |
-| [superuser\_proxy\_iam\_connect](#output\_superuser\_proxy\_iam\_connect) | Connect to RDS Proxy using IAM auth via token generated |
-| [superuser\_proxy\_iam\_token](#output\_superuser\_proxy\_iam\_token) | Gerate connection token for connecting to RDS Proxy with IAM auth |
Apache-2.0 Licensed. See [LICENSE](../../LICENSE).
diff --git a/examples/mysql_iam_instance/main.tf b/examples/mysql_iam_instance/main.tf
index 5e7ee5e..64b52f2 100644
--- a/examples/mysql_iam_instance/main.tf
+++ b/examples/mysql_iam_instance/main.tf
@@ -38,7 +38,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/18"
@@ -69,7 +69,7 @@ module "vpc" {
module "rds_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds"
description = "MySQL RDS example security group"
@@ -90,7 +90,7 @@ module "rds_sg" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.db_name
username = local.db_username
@@ -126,117 +126,6 @@ module "rds" {
tags = local.tags
}
-################################################################################
-# Test Resources
-################################################################################
-
-resource "aws_iam_instance_profile" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.name
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test_assume" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "ec2_test" {
- name_prefix = local.name
- force_detach_policies = true
- assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test" {
- statement {
- actions = ["rds-db:connect"]
- resources = ["${local.db_iam_connect_prefix}/${local.db_username}"]
- }
-}
-
-resource "aws_iam_role_policy" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.id
- policy = data.aws_iam_policy_document.ec2_test.json
-}
-
-resource "aws_iam_role_policy_attachment" "ec2_ssm" {
- role = aws_iam_role.ec2_test.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
-data "aws_ami" "ubuntu" {
- most_recent = true
- owners = ["679593333241"]
-
- filter {
- name = "name"
- values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-}
-
-module "ec2_sg" {
- source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
-
- name = "ec2"
- description = "EC2 RDS Proxy example security group"
- vpc_id = module.vpc.vpc_id
-
- egress_rules = ["all-all"]
-
- tags = local.tags
-}
-
-module "ec2_instance" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 3"
-
- name = local.name
-
- monitoring = true
- ebs_optimized = true
- metadata_options = {
- http_endpoint = "disabled"
- }
- root_block_device = [
- {
- encrypted = true
- }
- ]
-
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
- #!/usr/bin/env bash
-
- mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
-
- apt update
- apt install awscli mysql-server -y
-
- EOT
-
- ami = data.aws_ami.ubuntu.id
- instance_type = "t3.micro"
- vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_id = element(module.vpc.private_subnets, 0)
-
- tags = local.tags
-}
-
################################################################################
# Secrets - DB user passwords
################################################################################
@@ -267,7 +156,7 @@ resource "aws_secretsmanager_secret_version" "superuser" {
module "rds_proxy_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds_proxy"
description = "MySQL RDS Proxy example security group"
diff --git a/examples/mysql_iam_instance/outputs.tf b/examples/mysql_iam_instance/outputs.tf
index b553416..3d97324 100644
--- a/examples/mysql_iam_instance/outputs.tf
+++ b/examples/mysql_iam_instance/outputs.tf
@@ -77,20 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
-
-# For aiding in testing & verification
-output "superuser_db_password_connect" {
- description = "Connect to database using superuser with username/password directly to database"
- value = "mysql --host=${module.rds.db_instance_address} --user=${local.db_username} --password=${local.db_password} ${module.rds.db_instance_name}"
- sensitive = true
-}
-
-output "superuser_proxy_iam_token" {
- description = "Gerate connection token for connecting to RDS Proxy with IAM auth"
- value = "TOKEN=$(aws rds generate-db-auth-token --hostname ${module.rds_proxy.proxy_endpoint} --port 3306 --region ${local.region} --username ${local.db_username})"
-}
-
-output "superuser_proxy_iam_connect" {
- description = "Connect to RDS Proxy using IAM auth via token generated"
- value = "mysql --host=${module.rds_proxy.proxy_endpoint} --user=${local.db_username} --password=$TOKEN ${module.rds.db_instance_name} --ssl-ca=/home/ssm-user/AmazonRootCA1.pem --enable-cleartext-plugin"
-}
diff --git a/examples/postgresql_iam_cluster/README.md b/examples/postgresql_iam_cluster/README.md
index 1103396..764caf0 100644
--- a/examples/postgresql_iam_cluster/README.md
+++ b/examples/postgresql_iam_cluster/README.md
@@ -37,38 +37,29 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.59.0 |
-| [random](#provider\_random) | 3.1.0 |
+| [aws](#provider\_aws) | >= 3.38 |
+| [random](#provider\_random) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
-| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 |
+| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
+| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
## Resources
| Name | Type |
|------|------|
| [aws_db_parameter_group.aurora_db_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
-| [aws_iam_instance_profile.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_role.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.ec2_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_test_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -95,9 +86,6 @@ No inputs.
| [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-| [superuser\_db\_password\_connect](#output\_superuser\_db\_password\_connect) | Connect to database using superuser with username/password directly to database |
-| [superuser\_proxy\_iam\_connect](#output\_superuser\_proxy\_iam\_connect) | Connect to RDS Proxy using IAM auth via token generated |
-| [superuser\_proxy\_iam\_token](#output\_superuser\_proxy\_iam\_token) | Gerate connection token for connecting to RDS Proxy with IAM auth |
Apache-2.0 Licensed. See [LICENSE](../../LICENSE).
diff --git a/examples/postgresql_iam_cluster/main.tf b/examples/postgresql_iam_cluster/main.tf
index 854ac1d..e2b3bf9 100644
--- a/examples/postgresql_iam_cluster/main.tf
+++ b/examples/postgresql_iam_cluster/main.tf
@@ -38,7 +38,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/18"
@@ -69,20 +69,21 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
- version = "~> 5"
+ version = "~> 6.0"
- name = local.name
- database_name = local.db_name
- username = local.db_username
- password = local.db_password
+ name = local.name
+ database_name = local.db_name
+ master_username = local.db_username
+ master_password = local.db_password
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
iam_database_authentication_enabled = false
- engine = "aurora-postgresql"
- engine_version = "11.9"
- replica_count = 1
- instance_type = "db.t3.medium"
+ engine = "aurora-postgresql"
+ engine_version = "11.12"
+ instance_class = "db.r6g.large"
+ instances = { 1 = {}, 2 = {} }
+
storage_encrypted = true
apply_immediately = true
skip_final_snapshot = true
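Review bot: `master_password = local.db_password` may not be the password the cluster actually ends up with after the move to the `~> 6.0` rds-aurora module: if that module's `create_random_password` input defaults to true (as I recall it does in the 6.x releases), the module generates its own password and ignores the supplied value, so the Secrets Manager secret populated from `local.db_password` elsewhere in this file would no longer match the cluster credentials and the proxy's username/password auth would fail without an obvious error. Either confirm the default against the pinned release or add `create_random_password = false` next to the `master_password` line so the example's secret and the cluster stay in sync. The `module "rds"` block continues past this hunk.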
@@ -97,6 +98,7 @@ module "rds" {
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
db_subnet_group_name = local.name # Created by VPC module
+ create_db_subnet_group = false
db_parameter_group_name = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id
db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group.id
@@ -119,117 +121,6 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_
tags = local.tags
}
-################################################################################
-# Test Resources
-################################################################################
-
-resource "aws_iam_instance_profile" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.name
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test_assume" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "ec2_test" {
- name_prefix = local.name
- force_detach_policies = true
- assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test" {
- statement {
- actions = ["rds-db:connect"]
- resources = ["${local.db_iam_connect_prefix}/${local.db_username}"]
- }
-}
-
-resource "aws_iam_role_policy" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.id
- policy = data.aws_iam_policy_document.ec2_test.json
-}
-
-resource "aws_iam_role_policy_attachment" "ec2_ssm" {
- role = aws_iam_role.ec2_test.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
-data "aws_ami" "ubuntu" {
- most_recent = true
- owners = ["679593333241"]
-
- filter {
- name = "name"
- values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-}
-
-module "ec2_sg" {
- source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
-
- name = "ec2"
- description = "EC2 RDS Proxy example security group"
- vpc_id = module.vpc.vpc_id
-
- egress_rules = ["all-all"]
-
- tags = local.tags
-}
-
-module "ec2_instance" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 3"
-
- name = local.name
-
- monitoring = true
- ebs_optimized = true
- metadata_options = {
- http_endpoint = "disabled"
- }
- root_block_device = [
- {
- encrypted = true
- }
- ]
-
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
- #!/usr/bin/env bash
-
- mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
-
- apt update
- apt install awscli postgresql-client -y
-
- EOT
-
- ami = data.aws_ami.ubuntu.id
- instance_type = "t3.micro"
- vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_id = element(module.vpc.private_subnets, 0)
-
- tags = local.tags
-}
-
################################################################################
# Secrets - DB user passwords
################################################################################
@@ -260,7 +151,7 @@ resource "aws_secretsmanager_secret_version" "superuser" {
module "rds_proxy_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds_proxy"
description = "PostgreSQL RDS Proxy example security group"
@@ -322,13 +213,13 @@ module "rds_proxy" {
}
engine_family = "POSTGRESQL"
- db_host = module.rds.rds_cluster_endpoint
- db_name = module.rds.rds_cluster_database_name
+ db_host = module.rds.cluster_endpoint
+ db_name = module.rds.cluster_database_name
debug_logging = true
# Target Aurora cluster
target_db_cluster = true
- db_cluster_identifier = module.rds.rds_cluster_id
+ db_cluster_identifier = module.rds.cluster_id
tags = local.tags
}
diff --git a/examples/postgresql_iam_cluster/outputs.tf b/examples/postgresql_iam_cluster/outputs.tf
index 53ec99c..3d97324 100644
--- a/examples/postgresql_iam_cluster/outputs.tf
+++ b/examples/postgresql_iam_cluster/outputs.tf
@@ -77,20 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
-
-# For aiding in testing & verification
-output "superuser_db_password_connect" {
- description = "Connect to database using superuser with username/password directly to database"
- value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.rds_cluster_endpoint} -p 5432 -d ${module.rds.rds_cluster_database_name} -U ${local.db_username} --set=sslmode=require"
- sensitive = true
-}
-
-output "superuser_proxy_iam_token" {
- description = "Gerate connection token for connecting to RDS Proxy with IAM auth"
- value = "TOKEN=$(aws rds generate-db-auth-token --hostname ${module.rds_proxy.proxy_endpoint} --port 5432 --region ${local.region} --username ${local.db_username})"
-}
-
-output "superuser_proxy_iam_connect" {
- description = "Connect to RDS Proxy using IAM auth via token generated"
- value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.rds_cluster_database_name} user=${local.db_username} password=$TOKEN\""
-}
diff --git a/examples/postgresql_iam_instance/README.md b/examples/postgresql_iam_instance/README.md
index b81878f..40cad3c 100644
--- a/examples/postgresql_iam_instance/README.md
+++ b/examples/postgresql_iam_instance/README.md
@@ -37,37 +37,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.59.0 |
-| [random](#provider\_random) | 3.1.0 |
+| [aws](#provider\_aws) | >= 3.38 |
+| [random](#provider\_random) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
-| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
+| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
+| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
## Resources
| Name | Type |
|------|------|
-| [aws_iam_instance_profile.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_role.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.ec2_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ec2_test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_test_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -94,9 +85,6 @@ No inputs.
| [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-| [superuser\_db\_password\_connect](#output\_superuser\_db\_password\_connect) | Connect to database using superuser with username/password directly to database |
-| [superuser\_proxy\_iam\_connect](#output\_superuser\_proxy\_iam\_connect) | Connect to RDS Proxy using IAM auth via token generated |
-| [superuser\_proxy\_iam\_token](#output\_superuser\_proxy\_iam\_token) | Gerate connection token for connecting to RDS Proxy with IAM auth |
Apache-2.0 Licensed. See [LICENSE](../../LICENSE).
diff --git a/examples/postgresql_iam_instance/main.tf b/examples/postgresql_iam_instance/main.tf
index cf9f823..826040a 100644
--- a/examples/postgresql_iam_instance/main.tf
+++ b/examples/postgresql_iam_instance/main.tf
@@ -38,7 +38,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/18"
@@ -69,7 +69,7 @@ module "vpc" {
module "rds_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds"
description = "PostgreSQL RDS example security group"
@@ -90,7 +90,7 @@ module "rds_sg" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
- version = "~> 3"
+ version = "~> 3.0"
name = local.db_name
username = local.db_username
@@ -101,7 +101,7 @@ module "rds" {
identifier = local.name
engine = "postgres"
- engine_version = "11.9"
+ engine_version = "11.12"
family = "postgres11"
major_engine_version = "11"
port = 5432
@@ -126,117 +126,6 @@ module "rds" {
tags = local.tags
}
-################################################################################
-# Test Resources
-################################################################################
-
-resource "aws_iam_instance_profile" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.name
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test_assume" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "ec2_test" {
- name_prefix = local.name
- force_detach_policies = true
- assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
-
- tags = local.tags
-}
-
-data "aws_iam_policy_document" "ec2_test" {
- statement {
- actions = ["rds-db:connect"]
- resources = ["${local.db_iam_connect_prefix}/${local.db_username}"]
- }
-}
-
-resource "aws_iam_role_policy" "ec2_test" {
- name_prefix = local.name
- role = aws_iam_role.ec2_test.id
- policy = data.aws_iam_policy_document.ec2_test.json
-}
-
-resource "aws_iam_role_policy_attachment" "ec2_ssm" {
- role = aws_iam_role.ec2_test.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
-data "aws_ami" "ubuntu" {
- most_recent = true
- owners = ["679593333241"]
-
- filter {
- name = "name"
- values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-}
-
-module "ec2_sg" {
- source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
-
- name = "ec2"
- description = "EC2 RDS Proxy example security group"
- vpc_id = module.vpc.vpc_id
-
- egress_rules = ["all-all"]
-
- tags = local.tags
-}
-
-module "ec2_instance" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 3"
-
- name = local.name
-
- monitoring = true
- ebs_optimized = true
- metadata_options = {
- http_endpoint = "disabled"
- }
- root_block_device = [
- {
- encrypted = true
- }
- ]
-
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
- #!/usr/bin/env bash
-
- mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
-
- apt update
- apt install awscli postgresql -y
-
- EOT
-
- ami = data.aws_ami.ubuntu.id
- instance_type = "t3.micro"
- vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_id = element(module.vpc.private_subnets, 0)
-
- tags = local.tags
-}
-
################################################################################
# Secrets - DB user passwords
################################################################################
@@ -267,7 +156,7 @@ resource "aws_secretsmanager_secret_version" "superuser" {
module "rds_proxy_sg" {
source = "terraform-aws-modules/security-group/aws"
- version = "~> 4"
+ version = "~> 4.0"
name = "rds_proxy"
description = "PostgreSQL RDS Proxy example security group"
diff --git a/examples/postgresql_iam_instance/outputs.tf b/examples/postgresql_iam_instance/outputs.tf
index 94db34d..3d97324 100644
--- a/examples/postgresql_iam_instance/outputs.tf
+++ b/examples/postgresql_iam_instance/outputs.tf
@@ -77,20 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
-
-# For aiding in testing & verification
-output "superuser_db_password_connect" {
- description = "Connect to database using superuser with username/password directly to database"
- value = "PGPASSWORD=${local.db_password} psql -h ${module.rds.db_instance_address} -p 5432 -d ${module.rds.db_instance_name} -U ${local.db_username} --set=sslmode=require"
- sensitive = true
-}
-
-output "superuser_proxy_iam_token" {
- description = "Gerate connection token for connecting to RDS Proxy with IAM auth"
- value = "TOKEN=$(aws rds generate-db-auth-token --hostname ${module.rds_proxy.proxy_endpoint} --port 5432 --region ${local.region} --username ${local.db_username})"
-}
-
-output "superuser_proxy_iam_connect" {
- description = "Connect to RDS Proxy using IAM auth via token generated"
- value = "psql \"host=${module.rds_proxy.proxy_endpoint} port=5432 sslmode=verify-full sslrootcert=/home/ssm-user/AmazonRootCA1.pem dbname=${module.rds.db_instance_name} user=${local.db_username} password=$TOKEN\""
-}