mirror of
https://github.com/terraform-aws-modules/terraform-aws-rds-proxy.git
synced 2025-12-16 16:01:11 +00:00
200 lines
5.3 KiB
HCL
200 lines
5.3 KiB
HCL
provider "aws" {
|
|
region = local.region
|
|
}
|
|
|
|
data "aws_availability_zones" "available" {}
|
|
|
|
locals {
|
|
name = "ex-${basename(path.cwd)}"
|
|
region = "eu-west-1"
|
|
|
|
db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
|
|
db_password = random_password.password.result
|
|
|
|
vpc_cidr = "10.0.0.0/16"
|
|
azs = slice(data.aws_availability_zones.available.names, 0, 3)
|
|
|
|
tags = {
|
|
Example = local.name
|
|
GithubRepo = "terraform-aws-rds-proxy"
|
|
GithubOrg = "terraform-aws-modules"
|
|
}
|
|
}
|
|
|
|
################################################################################
|
|
# RDS Proxy
|
|
################################################################################
|
|
|
|
module "rds_proxy" {
|
|
source = "../../"
|
|
|
|
name = local.name
|
|
iam_role_name = local.name
|
|
vpc_subnet_ids = module.vpc.private_subnets
|
|
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
|
|
|
|
endpoints = {
|
|
read_write = {
|
|
name = "read-write-endpoint"
|
|
vpc_subnet_ids = module.vpc.private_subnets
|
|
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
|
|
tags = local.tags
|
|
},
|
|
read_only = {
|
|
name = "read-only-endpoint"
|
|
vpc_subnet_ids = module.vpc.private_subnets
|
|
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
|
|
target_role = "READ_ONLY"
|
|
tags = local.tags
|
|
}
|
|
}
|
|
|
|
auth = {
|
|
(local.db_username) = {
|
|
description = aws_secretsmanager_secret.superuser.description
|
|
secret_arn = aws_secretsmanager_secret.superuser.arn
|
|
}
|
|
}
|
|
|
|
engine_family = "MYSQL"
|
|
debug_logging = true
|
|
|
|
# Target RDS instance
|
|
target_db_instance = true
|
|
db_instance_identifier = module.rds.db_instance_identifier
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
################################################################################
|
|
# Supporting Resources
|
|
################################################################################
|
|
|
|
resource "random_pet" "users" {
|
|
length = 2
|
|
separator = "_"
|
|
}
|
|
|
|
resource "random_password" "password" {
|
|
length = 16
|
|
special = false
|
|
}
|
|
|
|
module "vpc" {
|
|
source = "terraform-aws-modules/vpc/aws"
|
|
version = "~> 6.0"
|
|
|
|
name = local.name
|
|
cidr = local.vpc_cidr
|
|
|
|
azs = local.azs
|
|
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
|
|
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
|
|
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
module "rds" {
|
|
source = "terraform-aws-modules/rds/aws"
|
|
version = "~> 6.0"
|
|
|
|
username = local.db_username
|
|
password = local.db_password
|
|
|
|
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
|
|
iam_database_authentication_enabled = false
|
|
|
|
identifier = local.name
|
|
engine = "mysql"
|
|
engine_version = "8.0"
|
|
family = "mysql8.0" # DB parameter group
|
|
major_engine_version = "8.0" # DB option group
|
|
instance_class = "db.t4g.large"
|
|
allocated_storage = 20
|
|
port = 3306
|
|
apply_immediately = true
|
|
|
|
db_subnet_group_name = module.vpc.database_subnet_group
|
|
vpc_security_group_ids = [module.rds_sg.security_group_id]
|
|
multi_az = true
|
|
|
|
backup_retention_period = 0
|
|
deletion_protection = false
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
module "rds_sg" {
|
|
source = "terraform-aws-modules/security-group/aws"
|
|
version = "~> 5.0"
|
|
|
|
name = "rds"
|
|
description = "MySQL RDS example security group"
|
|
vpc_id = module.vpc.vpc_id
|
|
|
|
revoke_rules_on_delete = true
|
|
|
|
ingress_with_cidr_blocks = [
|
|
{
|
|
description = "Private subnet MySQL access"
|
|
rule = "mysql-tcp"
|
|
cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
|
|
}
|
|
]
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
module "rds_proxy_sg" {
|
|
source = "terraform-aws-modules/security-group/aws"
|
|
version = "~> 5.0"
|
|
|
|
name = "${local.name}-proxy"
|
|
description = "PostgreSQL RDS Proxy example security group"
|
|
vpc_id = module.vpc.vpc_id
|
|
|
|
revoke_rules_on_delete = true
|
|
|
|
ingress_with_cidr_blocks = [
|
|
{
|
|
description = "Private subnet MySQL access"
|
|
rule = "mysql-tcp"
|
|
cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
|
|
}
|
|
]
|
|
|
|
egress_with_cidr_blocks = [
|
|
{
|
|
description = "Database subnet MySQL access"
|
|
rule = "mysql-tcp"
|
|
cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
|
|
},
|
|
]
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
################################################################################
|
|
# Secrets - DB user passwords
|
|
################################################################################
|
|
|
|
data "aws_kms_alias" "secretsmanager" {
|
|
name = "alias/aws/secretsmanager"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret" "superuser" {
|
|
name = local.db_username
|
|
description = "Database superuser, ${local.db_username}, database connection values"
|
|
kms_key_id = data.aws_kms_alias.secretsmanager.id
|
|
|
|
tags = local.tags
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "superuser" {
|
|
secret_id = aws_secretsmanager_secret.superuser.id
|
|
secret_string = jsonencode({
|
|
username = local.db_username
|
|
password = local.db_password
|
|
})
|
|
}
|