luciano/terraform-aws-rds-proxy
1
0
Fork 0
mirror of https://github.com/terraform-aws-modules/terraform-aws-rds-proxy.git synced 2025-12-16 16:01:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
terraform-aws-rds-proxy/examples/postgresql-iam-instance/main.tf
jatalocks cc39e9d029
feat!: Increase Terraform and AWS provider minimum supported versions; update auth configuration schema (#17) 
Co-authored-by: Orest Kapko <orest.kapko@welltech.com>
Co-authored-by: Amitai Getzler <amitai.getzler@explorium.ai>
Co-authored-by: Orest Kapko <kapko2311@gmail.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
Co-authored-by: Anton Babenko <anton@antonbabenko.com>
2023-06-09 07:30:52 -04:00

200 lines
5.3 KiB
HCL
Raw Blame History

provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
db_password = random_password.password.result
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-rds-proxy"
GithubOrg = "terraform-aws-modules"
}
}
################################################################################
# RDS Proxy
################################################################################
module "rds_proxy" {
source = "../../"
name = local.name
iam_role_name = local.name
vpc_subnet_ids = module.vpc.private_subnets
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
endpoints = {
read_write = {
name = "read-write-endpoint"
vpc_subnet_ids = module.vpc.private_subnets
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
tags = local.tags
},
read_only = {
name = "read-only-endpoint"
vpc_subnet_ids = module.vpc.private_subnets
vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
target_role = "READ_ONLY"
tags = local.tags
}
}
auth = {
(local.db_username) = {
description = aws_secretsmanager_secret.superuser.description
secret_arn = aws_secretsmanager_secret.superuser.arn
}
}
engine_family = "POSTGRESQL"
debug_logging = true
# Target RDS instance
target_db_instance = true
db_instance_identifier = module.rds.db_instance_id
tags = local.tags
}
################################################################################
# Supporting Resources
################################################################################
resource "random_pet" "users" {
length = 2
separator = "_"
}
resource "random_password" "password" {
length = 16
special = false
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
azs = local.azs
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
tags = local.tags
}
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 5.0"
username = local.db_username
password = local.db_password
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
iam_database_authentication_enabled = false
identifier = local.name
engine = "postgres"
engine_version = "14"
family = "postgres14" # DB parameter group
major_engine_version = "14" # DB option group
instance_class = "db.t4g.large"
allocated_storage = 20
port = 5432
apply_immediately = true
db_subnet_group_name = module.vpc.database_subnet_group
vpc_security_group_ids = [module.rds_sg.security_group_id]
multi_az = true
backup_retention_period = 0
deletion_protection = false
tags = local.tags
}
module "rds_sg" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 5.0"
name = "rds"
description = "PostgreSQL RDS example security group"
vpc_id = module.vpc.vpc_id
revoke_rules_on_delete = true
ingress_with_cidr_blocks = [
{
description = "Private subnet PostgreSQL access"
rule = "postgresql-tcp"
cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
}
]
tags = local.tags
}
module "rds_proxy_sg" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 5.0"
name = "rds_proxy"
description = "PostgreSQL RDS Proxy example security group"
vpc_id = module.vpc.vpc_id
revoke_rules_on_delete = true
ingress_with_cidr_blocks = [
{
description = "Private subnet PostgreSQL access"
rule = "postgresql-tcp"
cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
}
]
egress_with_cidr_blocks = [
{
description = "Database subnet PostgreSQL access"
rule = "postgresql-tcp"
cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
},
]
tags = local.tags
}
################################################################################
# Secrets - DB user passwords
################################################################################
data "aws_kms_alias" "secretsmanager" {
name = "alias/aws/secretsmanager"
}
resource "aws_secretsmanager_secret" "superuser" {
name = local.db_username
description = "Database superuser, ${local.db_username}, database connection values"
kms_key_id = data.aws_kms_alias.secretsmanager.id
tags = local.tags
}
resource "aws_secretsmanager_secret_version" "superuser" {
secret_id = aws_secretsmanager_secret.superuser.id
secret_string = jsonencode({
username = local.db_username
password = local.db_password
})
}
Reference in a new issue View git blame Copy permalink