diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e6615a..69addda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Tamr Terraform Template Repo +## v2.0.0 - June 30th 2021 +* Accepts a list of security groups +* Returns a list of ports used by RDS +* Removes ability for the creation of security groups + ## v1.0.0 - April 12th 2021 * Updates minimum Terraform version to 13 * Updates minimum AWS provider version to 3.36.0 diff --git a/README.md b/README.md index c5d9af1..3198376 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ This repo follows the [terraform standard module structure](https://www.terrafor Inline example implementation of the module. This is the most basic example of what it would look like to use this module. ``` module "rds_postgres" { - source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=0.4.0" + source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=2.0.0" postgres_name = "example_rds_postgres" parameter_group_name = "example-rds-postgres-pg" identifier_prefix = "example-rds-" @@ -29,7 +29,6 @@ This terraform module will create: * an AWS RDS Postgres instance * a database parameter group * a database subnet group -* a security group for the rds instance ## Requirements 
@@ -49,9 +48,9 @@ This terraform module will create: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| ingress\_sg\_ids | List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID) | `list(string)` | n/a | yes | | password | The password for the master DB user. | `string` | n/a | yes | | rds\_subnet\_ids | VPC subnet IDs in subnet group | `list(string)` | n/a | yes | +| security\_group\_ids | List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID) | `list(string)` | n/a | yes | | subnet\_group\_name | The name of the subnet group to add the RDS instance to | `string` | n/a | yes | | vpc\_id | VPC ID for the rds security group | `string` | n/a | yes | | additional\_cidrs | Additional CIDR to connect to RDS Postgres instance | `list(string)` | `[]` | no | @@ -84,7 +83,7 @@ This terraform module will create: | rds\_hostname | n/a | | rds\_postgres\_id | ID of the of the RDS instance | | rds\_postgres\_pg\_id | ID of the RDS postgres parameter group | -| rds\_sg\_id | ID of the security group attached to the rds instance | +| rds\_security\_group\_ids | List of security group ids attached to the rds instance | | rds\_username | n/a | diff --git a/VERSION b/VERSION index 3eefcb9..227cea2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.0 +2.0.0 diff --git a/examples/minimal/README.md b/examples/minimal/README.md index 0e0304f..d9249cf 100644 --- a/examples/minimal/README.md +++ b/examples/minimal/README.md 
@@ -11,12 +11,18 @@ No provider. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| ingress\_sg\_ids | List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID) | `list(string)` | n/a | yes | +| ingress\_cidr\_blocks | CIDR blocks to attach to security groups for ingress | `list(string)` | n/a | yes | +| name\_prefix | A string to prepend to names of resources created by this example | `any` | n/a | yes | +| security\_group\_ids | List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID) | `list(string)` | n/a | yes | | subnet\_ids | List of at least 2 subnets in different AZs for DB subnet group | `list(string)` | n/a | yes | | vpc\_id | VPC ID of network. | `string` | n/a | yes | +| egress\_cidr\_blocks | CIDR blocks to attach to security groups for egress | `list(string)` |
[
"0.0.0.0/0"
]
| no | ## Outputs -No output. +| Name | Description | +|------|-------------| +| ingress\_ports | List of ingress ports | +| rds | n/a | diff --git a/examples/minimal/local.tfvars b/examples/minimal/local.tfvars index e676e60..d49d87f 100644 --- a/examples/minimal/local.tfvars +++ b/examples/minimal/local.tfvars @@ -1,3 +1,5 @@ -vpc_id = "vpc-example" -subnet_ids = ["subnet-az1", "subnet-az2"] -ingress_sg_ids = ["example-spark-service-access-sg", "example-tamr-vm-sg"] +vpc_id = "vpc-example" +subnet_ids = ["subnet-az1", "subnet-az2"] +security_group_ids = ["example-spark-service-access-sg", "example-tamr-vm-sg"] +name_prefix = "test" # Replace me for a more specific prefix +ingress_cidr_blocks = ["1.2.3.0/24"] diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf index af17377..36a8fc8 100644 --- a/examples/minimal/main.tf +++ b/examples/minimal/main.tf 
@@ -1,16 +1,32 @@ module "rds_postgres" { - # source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=0.4.0" + # source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=2.0.0" source = "../.." identifier_prefix = "example-rds-pg-" postgres_name = "example0" parameter_group_name = "example-rds-postgres-pg" - username = "example-tamr-master" - password = "foo" #tfsec:ignore:GEN003 + username = "exampleUsername" + password = "examplePassword" #tfsec:ignore:GEN003 vpc_id = var.vpc_id subnet_group_name = "example_subnet_group" # Network requirement: DB subnet group needs a subnet in at least two Availability Zones rds_subnet_ids = var.subnet_ids - ingress_sg_ids = var.ingress_sg_ids + security_group_ids = module.rds-postgres-sg.security_group_ids +} + +module "sg-ports" { + # source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git//modules/rds-postgres-ports?ref=2.0.0" + source = "../../modules/rds-postgres-ports" +} + +module "rds-postgres-sg" { + source = "git::git@github.com:Datatamer/terraform-aws-security-groups.git?ref=1.0.0" + vpc_id = var.vpc_id + ingress_cidr_blocks = var.ingress_cidr_blocks + egress_cidr_blocks = var.egress_cidr_blocks + ingress_ports = module.sg-ports.ingress_ports + sg_name_prefix = var.name_prefix + egress_protocol = "all" + ingress_protocol = "tcp" } diff --git a/examples/minimal/outputs.tf b/examples/minimal/outputs.tf new file mode 100644 index 0000000..9512893 --- /dev/null +++ b/examples/minimal/outputs.tf @@ -0,0 +1,8 @@ +output "ingress_ports" { + value = module.sg-ports + description = "List of ingress ports" +} + +output "rds" { + value = module.rds_postgres +} diff --git a/examples/minimal/variables.tf b/examples/minimal/variables.tf index 2351263..e72210b 100644 --- a/examples/minimal/variables.tf +++ b/examples/minimal/variables.tf 
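Review bot: The example declares `security_group_ids` as a required input described as "List of security group IDs to allow ingress from", but the rewritten `main.tf` never references `var.security_group_ids`; the instance receives `module.rds-postgres-sg.security_group_ids`, and the only ingress granted comes from `var.ingress_cidr_blocks`. An operator who supplies Spark or Tamr VM group IDs here gets no access rule and no error, which tends to be "fixed" later by widening the CIDR list. Either feed the variable into the security-group module (if `terraform-aws-security-groups` 1.0.0 accepts source security groups — not visible here) or remove it from `variables.tf`, `local.tfvars` and the example README. Separately, `module "rds-postgres-sg"` is the only source fetched over `git::git@github.com:` instead of HTTPS and is pinned to a tag; since it defines the database's network exposure, pin `ref` to a commit hash so the rules cannot change under a re-tag.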
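Review bot: `output "ingress_ports"` sets `value = module.sg-ports`, which is the whole module object (`{ ingress_ports = [...] }`) rather than the list its description promises; it should read `value = module.sg-ports.ingress_ports`. `output "rds"` likewise exports every root-module output as one object, which will also surface any sensitive output the root module adds later; consider selecting the fields the example needs (e.g. `module.rds_postgres.rds_hostname`) or marking the output `sensitive = true` if it must stay whole.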
@@ -8,7 +8,22 @@ variable "subnet_ids" { description = "List of at least 2 subnets in different AZs for DB subnet group" } -variable "ingress_sg_ids" { +variable "security_group_ids" { description = "List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID)" type = list(string) } + +variable "name_prefix" { + description = "A string to prepend to names of resources created by this example" +} + +variable "ingress_cidr_blocks" { + description = "CIDR blocks to attach to security groups for ingress" + type = list(string) +} + +variable "egress_cidr_blocks" { + description = "CIDR blocks to attach to security groups for egress" + type = list(string) + default = ["0.0.0.0/0"] +} diff --git a/main.tf b/main.tf index decbb1e..8ae2800 100644 --- a/main.tf +++ b/main.tf @@ -10,15 +10,6 @@ resource "aws_db_subnet_group" "rds_postgres_subnet_group" { subnet_ids = var.rds_subnet_ids } -module "rds_sg" { - source = "./modules/rds-postgres-sg" - ingress_sg_ids = var.ingress_sg_ids - vpc_id = var.vpc_id - security_group_name = var.security_group_name - additional_cidrs = var.additional_cidrs - additional_tags = var.additional_tags -} - resource "aws_db_instance" "rds_postgres" { name = var.postgres_name @@ -39,7 +30,7 @@ resource "aws_db_instance" "rds_postgres" { db_subnet_group_name = aws_db_subnet_group.rds_postgres_subnet_group.name multi_az = true publicly_accessible = false - vpc_security_group_ids = [module.rds_sg.rds_sg_id] + vpc_security_group_ids = var.security_group_ids parameter_group_name = aws_db_parameter_group.rds_postgres_pg.name maintenance_window = var.maintenance_window diff --git a/modules/rds-postgres-ports/README.md b/modules/rds-postgres-ports/README.md new file mode 100644 index 0000000..cdba9b4 --- /dev/null +++ b/modules/rds-postgres-ports/README.md 
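Review bot: `egress_cidr_blocks` defaults to `["0.0.0.0/0"]` and the example pairs it with `egress_protocol = "all"`, so the group attached to the database permits unrestricted outbound traffic unless the operator overrides it. Security groups are stateful, so a database typically needs no egress rule to answer its clients; a default of `[]` (or no default, forcing an explicit choice) keeps the example least-privilege — if the security-group module rejects an empty list (not visible here), at least say in the description that the default is wide open. `name_prefix` also lacks a `type`, which is why the README renders it as `any`; add `type = string`.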
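Review bot: Removing `module "rds_sg"` deletes the only visible consumer of `var.vpc_id`, `var.security_group_name` and `var.additional_cidrs`, yet none of them is removed from `variables.tf` (the `security_group_name` context in the variables.tf hunk still carries `default = "tamr_rds_sg"`) and the root README still advertises `additional_cidrs` as "Additional CIDR to connect to RDS Postgres instance". Unless they are consumed elsewhere in main.tf (outside this hunk), an operator setting `additional_cidrs` will believe a network restriction is applied when nothing happens. Either drop the dead inputs in this major release or document that they are ignored. Both `main.tf` hunks cut into resource blocks that continue outside the hunk.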
@@ -0,0 +1,46 @@ +# Tamr AWS RDS Postgres Ports Module +This module returns a list of ports used by the RDS Postgres Service. + +# Examples +## Basic +Inline example implementation of the module. This is the most basic example of what it would look like to use this module. +``` +module "rds_postgres" { + source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres//modules/rds-postgres-ports?ref=2.0.0" +} +``` + +# Resources Created +This module creates no resources. + + +## Requirements + +No requirements. + +## Providers + +No provider. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| additional\_ports | Additional ports to add to the output of this module | `list(number)` | `[]` | no | +| ports | Ports used by RDS Postgres | `list(number)` |
[
5432
]
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| ingress\_ports | List of ingress ports | + + + +# References +This repo is based on: +* [terraform standard module structure](https://www.terraform.io/docs/modules/index.html#standard-module-structure) +* [templated terraform module](https://github.com/tmknom/template-terraform-module) + +# License +Apache 2 Licensed. See LICENSE for full details. diff --git a/modules/rds-postgres-ports/outputs.tf b/modules/rds-postgres-ports/outputs.tf new file mode 100644 index 0000000..f5dbe82 --- /dev/null +++ b/modules/rds-postgres-ports/outputs.tf @@ -0,0 +1,7 @@ +output "ingress_ports" { + value = concat( + var.ports, + var.additional_ports, + ) + description = "List of ingress ports" +} diff --git a/modules/rds-postgres-ports/variables.tf b/modules/rds-postgres-ports/variables.tf new file mode 100644 index 0000000..459414a --- /dev/null +++ b/modules/rds-postgres-ports/variables.tf @@ -0,0 +1,13 @@ +variable "ports" { + type = list(number) + description = "Ports used by RDS Postgres" + default = [ + 5432 + ] +} + +variable "additional_ports" { + type = list(number) + description = "Additional ports to add to the output of this module" + default = [] +} diff --git a/modules/rds-postgres-sg/README.md b/modules/rds-postgres-sg/README.md deleted file mode 100644 index 622d1f2..0000000 --- a/modules/rds-postgres-sg/README.md +++ /dev/null 
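Review bot: `concat(var.ports, var.additional_ports)` passes duplicates through, so a caller who repeats 5432 in `additional_ports` gets the port twice in `ingress_ports`; if the consuming security-group module creates one rule per element, AWS rejects the duplicate rule and the apply fails. `value = distinct(concat(var.ports, var.additional_ports))` keeps the output a set of unique ports with no other change in behavior.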
@@ -1,50 +0,0 @@ -# Tamr AWS RDS Security Groups Terraform Module -This terraform module creates the security group and the security group rules for the AWS RDS instance - -# Example -``` -module "rds_sg" { - source = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git//modules/rds-postgres-sg?ref=0.4.0" - ingress_sg_ids = ["sg-examplesparksecuritygroup1", "sg-examplesparksecuritygroup2", "sg-exampletamrvmsecuritygroup"] - vpc_id = "vpc-examplevpcid" - security_group_name = "examplerdssecuritygroup" - additional_cidrs = ["1.2.3.4/32"] -} -``` - -# Resources Created -This terraform module will create: -* a security group for the RDS instance -* security group rules if additional CIDRs are provided - - -## Requirements - -| Name | Version | -|------|---------| -| terraform | >= 0.12 | -| aws | >= 2.45.0 | - -## Providers - -| Name | Version | -|------|---------| -| aws | >= 2.45.0 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| ingress\_sg\_ids | List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID) | `list(string)` | n/a | yes | -| vpc\_id | VPC ID for the rds security group | `string` | n/a | yes | -| additional\_cidrs | Additional CIDR to connect to RDS Postgres instance | `list(string)` | `[]` | no | -| additional\_tags | Additional tags to set on the RDS instance | `map(string)` | `{}` | no | -| security\_group\_name | Name for the security group for the rds instance | `string` | `"tamr_rds_sg"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| rds\_sg\_id | n/a | - - diff --git a/modules/rds-postgres-sg/main.tf b/modules/rds-postgres-sg/main.tf deleted file mode 100644 index cb1b12a..0000000 --- a/modules/rds-postgres-sg/main.tf +++ /dev/null 
@@ -1,28 +0,0 @@ -resource "aws_security_group" "rds_postgres_sg" { - name = var.security_group_name - description = "VPC Security group that will be attached to the RDS Postgres instance" - vpc_id = var.vpc_id - tags = var.additional_tags -} - -resource "aws_security_group_rule" "pg_ingress" { - description = "Ingress rule to Postgres DB instance." - count = length(var.ingress_sg_ids) - from_port = 5432 - protocol = "tcp" - security_group_id = aws_security_group.rds_postgres_sg.id - to_port = 5432 - type = "ingress" - source_security_group_id = var.ingress_sg_ids[count.index] -} - -resource "aws_security_group_rule" "additional_cidrs" { - description = "Rule for ingress from additional CIDRs to Postgres" - count = length(var.additional_cidrs) == 0 ? 0 : 1 - from_port = 5432 - protocol = "tcp" - security_group_id = aws_security_group.rds_postgres_sg.id - to_port = 5432 - type = "ingress" - cidr_blocks = var.additional_cidrs -} diff --git a/modules/rds-postgres-sg/outputs.tf b/modules/rds-postgres-sg/outputs.tf deleted file mode 100644 index 15bacf7..0000000 --- a/modules/rds-postgres-sg/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "rds_sg_id" { - value = aws_security_group.rds_postgres_sg.id -} diff --git a/modules/rds-postgres-sg/variables.tf b/modules/rds-postgres-sg/variables.tf deleted file mode 100644 index bd4dd72..0000000 --- a/modules/rds-postgres-sg/variables.tf +++ /dev/null 
@@ -1,27 +0,0 @@ -variable "security_group_name" { - description = "Name for the security group for the rds instance" - type = string - default = "tamr_rds_sg" -} - -variable "ingress_sg_ids" { - description = "List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID)" - type = list(string) -} - -variable "vpc_id" { - description = "VPC ID for the rds security group" - type = string -} - -variable "additional_cidrs" { - description = "Additional CIDR to connect to RDS Postgres instance" - type = list(string) - default = [] -} - -variable "additional_tags" { - description = "Additional tags to set on the RDS instance" - type = map(string) - default = {} -} diff --git a/modules/rds-postgres-sg/versions.tf b/modules/rds-postgres-sg/versions.tf deleted file mode 100644 index 86921ea..0000000 --- a/modules/rds-postgres-sg/versions.tf +++ /dev/null @@ -1,6 +0,0 @@ -terraform { - required_version = ">= 0.12" - required_providers { - aws = ">= 2.45.0" - } -} diff --git a/outputs.tf b/outputs.tf index 0b5a6fc..45a7d00 100644 --- a/outputs.tf +++ b/outputs.tf @@ -8,9 +8,9 @@ output "rds_postgres_id" { description = "ID of the of the RDS instance" } -output "rds_sg_id" { - value = module.rds_sg.rds_sg_id - description = "ID of the security group attached to the rds instance" +output "rds_security_group_ids" { + value = var.security_group_ids + description = "List of security group ids attached to the rds instance" } output "rds_hostname" { diff --git a/variables.tf b/variables.tf index 6794118..2d25dad 100644 --- a/variables.tf +++ b/variables.tf @@ -115,8 +115,8 @@ variable "security_group_name" { default = "tamr_rds_sg" } -variable "ingress_sg_ids" { - description = "List of security group IDs to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID)" +variable "security_group_ids" { + description = "List of security group IDs to associate" type = list(string) }
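Review bot: `security_group_ids` is now the instance's entire network boundary (`vpc_security_group_ids = var.security_group_ids` in main.tf), yet nothing rejects an empty list; in my reading of the AWS provider an empty set is simply omitted from the request and RDS then places the instance in the VPC default security group, which is rarely what an operator intends for a database. The repo already requires Terraform 0.13 (CHANGELOG v1.0.0), so a `validation` block can fail the plan instead. The new description "List of security group IDs to associate" is also out of step with the root README row, which still says "to allow ingress from (i.e. Spark cluster SG IDs, Tamr VM SG ID)" — these are now the groups attached to the instance, not the sources permitted through them, and the README should say so. The `security_group_name` variable shown as context (default `"tamr_rds_sg"`) lost its only visible consumer with the `rds_sg` module and looks dead unless used elsewhere in the file.
```hcl
variable "security_group_ids" {
  description = "List of security group IDs to attach to the RDS instance; these groups define all network access to it"
  type        = list(string)

  validation {
    condition     = length(var.security_group_ids) > 0
    error_message = "At least one security group ID must be supplied; otherwise the instance falls back to the VPC default security group."
  }
}
```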