From 1c474b52189a6e0831aa4f36dc92e5ede87d14b4 Mon Sep 17 00:00:00 2001 From: Jay Nathani Date: Wed, 1 Apr 2020 15:47:47 -0400 Subject: [PATCH 1/2] Added security groups module for RDS. Also removed cruft minimal example --- .gitignore | 3 +++ README.md | 31 ++++++++++++++---------- examples/local.tfvars | 1 + examples/main.tf | 14 +++++++++++ examples/minimal/.gitignore | 1 - examples/minimal/main.tf | 3 --- examples/minimal/outputs.tf | 8 ------- examples/minimal/providers.tf | 2 -- examples/variables.tf | 26 +++++++++++++++++++++ main.tf | 20 +++++++++++----- modules/rds-postgres-sg/README.md | 32 +++++++++++++++++++++++++ modules/rds-postgres-sg/main.tf | 35 ++++++++++++++++++++++++++++ modules/rds-postgres-sg/outputs.tf | 3 +++ modules/rds-postgres-sg/variables.tf | 32 +++++++++++++++++++++++++ outputs.tf | 9 +++++++ variables.tf | 32 +++++++++++++++++++++---- 16 files changed, 215 insertions(+), 37 deletions(-) create mode 100644 examples/local.tfvars create mode 100644 examples/main.tf delete mode 100644 examples/minimal/.gitignore delete mode 100644 examples/minimal/main.tf delete mode 100644 examples/minimal/outputs.tf delete mode 100644 examples/minimal/providers.tf create mode 100644 examples/variables.tf create mode 100644 modules/rds-postgres-sg/README.md create mode 100644 modules/rds-postgres-sg/main.tf create mode 100644 modules/rds-postgres-sg/outputs.tf create mode 100644 modules/rds-postgres-sg/variables.tf diff --git a/.gitignore b/.gitignore index 7a3e2fd..4bb20d3 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,6 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* + +# IDE files +**/.idea/* diff --git a/README.md b/README.md index 0cf9342..8053df6 100644 --- a/README.md +++ b/README.md 
@@ -7,16 +7,18 @@ This repo follows the [terraform standard module structure](https://www.terrafor Inline example implementation of the module. This is the most basic example of what it would look like to use this module. ``` module "rds_postgres" { - source = "git::https://github.com/Datatamer/terraform-rds-postgres?ref=0.1.0" - postgres_name = "tamr_rds_db" - parameter_group_name = "tamr-rds-postgres-pg" - identifier_prefix = "tamr-rds-" + source = "git::https://github.com/Datatamer/terraform-rds-postgres.git?ref=0.1.0" + postgres_name = "example_rds_postgres" + parameter_group_name = "example-rds-postgres-pg" + identifier_prefix = "example-rds-" - username = "tamr" - password = "8characterpassword" + username = "exampleUsername" + password = "examplePassword" - subnet_name = "rds_private" - vpc_security_group_ids = [] + subnet_name = "example_subnet" + spark_cluster_sg_ids = ["sg-examplesecuritygroup1", "sg-examplesecuritygroup2"] + tamr_vm_sg_id = "sg-exampletamrsecuritygroup" + vpc_id = "vpc-examplevpcnetworkid" } ``` @@ -24,11 +26,14 @@ module "rds_postgres" { This terraform module will create: * an AWS RDS Postgres instance * database parameter group +* A security group for the rds instance # Variables ## Inputs -* `vpc_security_group_ids` (required): List of VPC security groups to associate * `password` (required): The postgres password +* `tamr_vm_sg_id` (required): Security group id attached to the tamr vm +* `spark_cluster_sg_id` (required): Security group is attached to the ec2 instances of EMR Spark +* `vpc_id` (required): VPC ID for the rds security group * `username` (optional): The postgres username * `postgres_name` (optional): The name of the postgres instance * `parameter_group_name` (optional): The name of the rds parameter group 
@@ -45,10 +50,13 @@ This terraform module will create: * `apply_immediately` (optional): Apply immediately, do not set this to true for production * `copy_tags_to_snapshot` (optional): Copy tags to snapshots * `additional_tags` (optional): Tags to set on the RDS instance +* `security_group_name` (optional): Name for the security group for the rds instance +* `additional_cidrs` (optional): Additional CIDR to connect to RDS Postgres instance ## Outputs * `rds_postgres_pg_id`: ID of the RDS postgres parameter group * `rds_postgres_id`: ID of the of the RDS instance +* `rds_sg_id`: ID of the security group attached to the RDS instance # References * AWS RDS: https://aws.amazon.com/rds/features/ @@ -56,9 +64,8 @@ This terraform module will create: # Development ## Releasing new versions -* Update version contained in `VERSION` -* Document changes in `CHANGELOG.md` -* Create a tag in github for the commit associated with the version +* Updated version contained in `VERSION` +* Documented changes in `CHANGELOG.md` # License Apache 2 Licensed. See LICENSE for full details. diff --git a/examples/local.tfvars b/examples/local.tfvars new file mode 100644 index 0000000..1efdbec --- /dev/null +++ b/examples/local.tfvars @@ -0,0 +1 @@ +postgres_db_name = "example_postgres_db" diff --git a/examples/main.tf b/examples/main.tf new file mode 100644 index 0000000..856ea19 --- /dev/null +++ b/examples/main.tf @@ -0,0 +1,14 @@ +module "rds_postgres" { + source = "git::https://github.com/Datatamer/terraform-rds-postgres.git?ref=0.1.0" + postgres_name = "example_rds_postgres" + parameter_group_name = "example-rds-postgres-pg" + identifier_prefix = "example-rds-" + + username = "exampleUsername" + password = "examplePassword" + + subnet_name = "example_subnet" + spark_cluster_sg_ids = ["sg-examplesecuritygroup1", "sg-examplesecuritygroup2"] + tamr_vm_sg_id = "sg-exampletamrsecuritygroup" + vpc_id = "vpc-examplevpcnetworkid" +} 
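Review bot: The example hard-codes the database credential, `password = "examplePassword"` (and `username = "exampleUsername"`), in a tracked `.tf` file even though the `examples/variables.tf` added in the same patch declares `pg_username` and `pg_password` for exactly this purpose. Anyone who copies the example inherits a plaintext password in version control, and because the root module's `aws_db_instance` carries `lifecycle { ignore_changes = [password] }`, whatever value is applied first is the one that stays on the instance. Change the two lines to `username = var.pg_username` and `password = var.pg_password`, and feed the password in out of band (`TF_VAR_pg_password` or an untracked tfvars) rather than through `examples/local.tfvars`, which this patch checks in. The identical literal sits in the README example, so both copies should move together.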
diff --git a/examples/minimal/.gitignore b/examples/minimal/.gitignore
deleted file mode 100644
index 49d1ef2..0000000
--- a/examples/minimal/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-terraform.tfstate*
diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf
deleted file mode 100644
index 9960fff..0000000
--- a/examples/minimal/main.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-module "minimal" {
- source = "../../"
-}
diff --git a/examples/minimal/outputs.tf b/examples/minimal/outputs.tf
deleted file mode 100644
index 5bd1580..0000000
--- a/examples/minimal/outputs.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-output "null_resource_id" {
- value = "${module.minimal.null_resource_id}"
- description = "An arbitrary value that changes each time the resource is replaced."
-}
-output "example_value" {
- value = "${module.minimal.example_value}"
- description = "Example variable."
-}
diff --git a/examples/minimal/providers.tf b/examples/minimal/providers.tf
deleted file mode 100644
index e213a51..0000000
--- a/examples/minimal/providers.tf
+++ /dev/null
@@ -1,2 +0,0 @@
-provider "null" {}
-
diff --git a/examples/variables.tf b/examples/variables.tf
new file mode 100644
index 0000000..1f3e2a6
--- /dev/null
+++ b/examples/variables.tf
@@ -0,0 +1,26 @@
+variable "postgres_db_name" {
+ type = string
+ description = "Name of the postgres db"
+}
+
+variable "parameter_group_name" {
+ type = string
+ description = "Name of the parameter group"
+}
+
+variable "identifier_prefix" {
+ type = string
+ description = "Identifier prefix for the resources"
+}
+
+variable "pg_username" {
+ type = string
+ description = "Username for postgres"
+}
+
+variable "pg_password" {
+ type = string
+ description = "Password for postgres"
+}
+
+
diff --git a/main.tf b/main.tf
index 84d0f6d..3bead72 100644
--- a/main.tf
+++ b/main.tf
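Review bot: The five variables declared here have no defaults and nothing in the new `examples/main.tf` references them, while `examples/local.tfvars` sets only `postgres_db_name`; a `terraform plan` in `examples/` will therefore prompt for `parameter_group_name`, `identifier_prefix`, `pg_username` and `pg_password` and then ignore the answers in favour of the hard-coded values in `main.tf`. Either wire the example to these inputs (`postgres_name = var.postgres_db_name`, `username = var.pg_username`, `password = var.pg_password`, …) or delete the ones it does not use. If the module's Terraform constraint (not in this diff) allows 0.14 or newer, add `sensitive = true` to `pg_password` so the value is redacted from plan and apply output.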
@@ -1,7 +1,18 @@
 resource "aws_db_parameter_group" "rds_postgres_pg" {
 name = var.parameter_group_name
 family = "postgres9.6"
- description = "RDS default parameter group"
+ description = "TAMR RDS parameter group"
+ tags = var.additional_tags
+}
+
+module "rds_sg" {
+ source = "./modules/rds-postgres-sg"
+ spark_cluster_sg_ids = var.spark_cluster_sg_ids
+ tamr_vm_sg_id = var.tamr_vm_sg_id
+ vpc_id = var.vpc_id
+ security_group_name = var.security_group_name
+ additional_cidrs = var.additional_cidrs
+ additional_tags = var.additional_tags
 }
 
 resource "aws_db_instance" "rds_postgres" {
@@ -23,7 +34,7 @@ resource "aws_db_instance" "rds_postgres" {
 db_subnet_group_name = var.subnet_name
 multi_az = true
 publicly_accessible = false
- vpc_security_group_ids = var.vpc_security_group_ids
+ vpc_security_group_ids = module.rds_sg.rds_sg_id
 parameter_group_name = aws_db_parameter_group.rds_postgres_pg.name
 
 maintenance_window = var.maintenance_window
@@ -34,10 +45,7 @@ resource "aws_db_instance" "rds_postgres" {
 apply_immediately = var.apply_immediately
 copy_tags_to_snapshot = var.copy_tags_to_snapshot
 
- tags = merge(
- {"Name": var.postgres_name},
- var.additional_tags,
- )
+ tags = var.additional_tags
 
 lifecycle {
 ignore_changes = [password]
diff --git a/modules/rds-postgres-sg/README.md b/modules/rds-postgres-sg/README.md
new file mode 100644
index 0000000..a25d59f
--- /dev/null
+++ b/modules/rds-postgres-sg/README.md
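Review bot: The third hunk silently drops the `Name` tag: `tags = var.additional_tags` replaces `merge({"Name": var.postgres_name}, var.additional_tags)`, so the instance — and every snapshot, since `copy_tags_to_snapshot` is passed through on the line above — loses its Name unless each caller adds one, and neither the subject line nor the description mentions the change. If it is unintentional, keep `tags = merge({ "Name" = var.postgres_name }, var.additional_tags)`; if callers are now meant to own tagging entirely, document that in the README alongside `additional_tags`. The same bare `tags = var.additional_tags` is introduced on the parameter group and passed into the `rds_sg` module in the first hunk, so whichever way it goes should be applied consistently. The `aws_db_instance` block begins and ends outside the visible hunks.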
@@ -0,0 +1,32 @@ +# Tamr AWS RDS Security Groups Terraform Module +This terraform module creates the security group and the security group rules for the AWS RDS instance + +# Example +``` +module "rds_sg" { + source = "./modules/rds-postgres-sg" + spark_cluster_sg_ids = ["sg-examplesparksecuritygroup1", "sg-examplesparksecuritygroup2"] + tamr_vm_sg_id = "sg-exampletamrvmsecuritygroup" + vpc_id = "vpc-examplevpcid" + security_group_name = "examplerdssecuritygroup" + additional_cidrs = ["1.2.3.4/32"] +} +``` + +# Variables +## Inputs: +* `tamr_vm_sg_id` (required): Security group id attached to the tamr vm +* `spark_cluster_sg_ids` (required): List of Security groups attached to the ec2 instances of EMR Spark +* `vpc_id` (required): VPC ID for the rds security group +* `security_group_name` (optional): Name for the security group for the rds instance +* `additional_cidrs` (optional): List of additional CIDR to connect to RDS Postgres instance +* `additional_tags` (optional): Tags to set on the RDS instance security group + +## Outputs: +* `rds_sg_id`: ID of the security group attached to the RDS instance + +# AWS Resources created +This terraform module creates 1 Security Group: +* A security group for the RDS instance + +This terraform module also creates Security Group Rules. The number of Security Group rules vary depending on the additional CIDRs provided. diff --git a/modules/rds-postgres-sg/main.tf b/modules/rds-postgres-sg/main.tf new file mode 100644 index 0000000..d57f1cb --- /dev/null +++ b/modules/rds-postgres-sg/main.tf 
@@ -0,0 +1,35 @@
+resource "aws_security_group" "rds_postgres_sg" {
+ name = var.security_group_name
+ description = "VPC Security group that will be attached to the RDS Postgres instance"
+ vpc_id = var.vpc_id
+ tags = var.additional_tags
+}
+
+resource "aws_security_group_rule" "tamr_vm" {
+ from_port = 5432
+ protocol = "tcp"
+ security_group_id = aws_security_group.rds_postgres_sg.id
+ to_port = 5432
+ type = "ingress"
+ source_security_group_id = var.tamr_vm_sg_id
+}
+
+resource "aws_security_group_rule" "spark_cluster" {
+ count = length(var.spark_cluster_sg_ids)
+ from_port = 5432
+ protocol = "tcp"
+ security_group_id = aws_security_group.rds_postgres_sg.id
+ to_port = 5432
+ type = "ingress"
+ source_security_group_id = var.spark_cluster_sg_ids[count.index]
+}
+
+resource "aws_security_group_rule" "additional_cidrs" {
+ count = length(var.additional_cidrs) == 0 ? 0 : 1
+ from_port = 5432
+ protocol = "tcp"
+ security_group_id = aws_security_group.rds_postgres_sg.id
+ to_port = 5432
+ type = "ingress"
+ cidr_blocks = var.additional_cidrs
+}
diff --git a/modules/rds-postgres-sg/outputs.tf b/modules/rds-postgres-sg/outputs.tf
new file mode 100644
index 0000000..15bacf7
--- /dev/null
+++ b/modules/rds-postgres-sg/outputs.tf
@@ -0,0 +1,3 @@
+output "rds_sg_id" {
+ value = aws_security_group.rds_postgres_sg.id
+}
diff --git a/modules/rds-postgres-sg/variables.tf b/modules/rds-postgres-sg/variables.tf
new file mode 100644
index 0000000..02cdc4c
--- /dev/null
+++ b/modules/rds-postgres-sg/variables.tf
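Review bot: The `additional_cidrs` rule passes caller-supplied CIDRs straight into `cidr_blocks` and nothing in the module rejects `0.0.0.0/0` or another over-broad range, so one tfvars mistake opens Postgres (TCP 5432) to every network that can route to the VPC — peered VPCs, VPN/Direct Connect, and the internet if the instance were ever made publicly accessible (the root module currently sets `publicly_accessible = false`). The two `source_security_group_id` rules are the right least-privilege shape; the CIDR path is the one that needs a guard, via a `validation` block on the variable if the module's Terraform constraint permits 0.13+ (not visible here), and a README warning either way. None of the three rules sets `description`, which is what console users and Config/Security Hub findings display; e.g. `description = "Postgres from Tamr VM"`, `description = "Postgres from EMR Spark nodes"`, `description = "Postgres from additional CIDRs"`. Finally, `name = var.security_group_name` with a fixed default of `tamr_rds_sg` means a second instantiation in the same VPC fails on a duplicate group name; `name_prefix` would avoid that.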
@@ -0,0 +1,32 @@
+variable "security_group_name" {
+ description = "Name for the security group for the rds instance"
+ type = string
+ default = "tamr_rds_sg"
+}
+
+variable "tamr_vm_sg_id" {
+ description = "Security group id attached to the tamr vm"
+ type = string
+}
+
+variable "spark_cluster_sg_ids" {
+ description = "Security group is attached to the ec2 instances of EMR Spark"
+ type = list(string)
+}
+
+variable "vpc_id" {
+ description = "VPC ID for the rds security group"
+ type = string
+}
+
+variable "additional_cidrs" {
+ description = "Additional CIDR to connect to RDS Postgres instance"
+ type = list(string)
+ default = []
+}
+
+variable "additional_tags" {
+ description = "Additional tags to set on the RDS instance"
+ type = map
+ default = {}
+}
diff --git a/outputs.tf b/outputs.tf
index 056e71e..adc79a8 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -7,3 +7,12 @@ output "rds_postgres_id" {
 value = aws_db_instance.rds_postgres.id
 description = "ID of the of the RDS instance"
 }
+
+output "rds_sg_id" {
+ value = module.rds_sg.rds_sg_id
+ description = "ID of the security group attached to the rds instance"
+}
+
+output "rds_hostname" {
+ value = aws_db_instance.rds_postgres.address
+}
diff --git a/variables.tf b/variables.tf
index 837f694..0e3aa91 100644
--- a/variables.tf
+++ b/variables.tf
@@ -87,11 +87,6 @@ variable "subnet_name" {
 default = null
 }
 
-variable "vpc_security_group_ids" {
- description = "List of VPC security groups to associate"
- type = list
-}
-
 variable "copy_tags_to_snapshot" {
 description = "Copy tags to snapshots"
 type = bool
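Review bot: The `additional_tags` description says the tags go on "the RDS instance", but in this module they are applied only to the `aws_security_group`, and `type = map` accepts elements of any type whereas `tags` requires strings. Change it to `description = "Additional tags to set on the RDS security group"` and `type = map(string)` so a mistyped tag value fails at plan time with a clear message. `additional_cidrs` is likewise described as a single "Additional CIDR" while its type is a list; `description = "Additional CIDR blocks allowed to reach the RDS Postgres instance on TCP 5432"` matches what the module README already says.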
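Review bot: The new `rds_hostname` output has no `description`, unlike `rds_postgres_id` above it and `rds_sg_id` added beside it, so it is the one output that shows up undocumented in `terraform output` and module docs. Add `description = "DNS address of the RDS Postgres instance (hostname only, no port)"` to keep the outputs consistent and make clear that `address` does not include the port.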
@@ -103,3 +98,30 @@ variable "additional_tags" { type = map default = {} } + +variable "security_group_name" { + description = "Name for the security group for the rds instance" + type = string + default = "tamr_rds_sg" +} + +variable "tamr_vm_sg_id" { + description = "Security group id attached to the tamr vm" + type = string +} + +variable "spark_cluster_sg_ids" { + description = "Security group is attached to the ec2 instances of EMR Spark" + type = list(string) +} + +variable "vpc_id" { + description = "VPC ID for the rds security group" + type = string +} + +variable "additional_cidrs" { + description = "Additional CIDR to connect to RDS Postgres instance" + type = list(string) + default = [] +} From 878e0dc4057ed13fe8c6f7ac523126503685f590 Mon Sep 17 00:00:00 2001 From: Jay Nathani Date: Mon, 6 Apr 2020 10:43:10 -0400 Subject: [PATCH 2/2] Update description in the README --- README.md | 2 +- main.tf | 2 +- modules/rds-postgres-sg/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8053df6..526df8b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Tamr AWS RDS Terraform Module -This terraform module creates an AWS RDS postgres instance. +This terraform module creates an AWS RDS postgres instance that will be used by TAMR. This repo follows the [terraform standard module structure](https://www.terraform.io/docs/modules/index.html#standard-module-structure). # Examples diff --git a/main.tf b/main.tf index 3bead72..297b518 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ resource "aws_db_instance" "rds_postgres" { db_subnet_group_name = var.subnet_name multi_az = true publicly_accessible = false - vpc_security_group_ids = module.rds_sg.rds_sg_id + vpc_security_group_ids = [module.rds_sg.rds_sg_id] parameter_group_name = aws_db_parameter_group.rds_postgres_pg.name maintenance_window = var.maintenance_window 
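Review bot: `additional_cidrs` is the only input that widens reachability of port 5432 beyond named security groups, yet it carries no constraint, so `["0.0.0.0/0"]` is accepted and becomes an ingress rule inside the `rds-postgres-sg` module. If the module's `required_version` (not in this diff) permits Terraform 0.13 or newer, a `validation` block rejects that at plan time and also catches malformed prefixes before AWS does; the root variable is the caller-facing input, so the check belongs here, with the same block copied into `modules/rds-postgres-sg/variables.tf`. The description should also name the port and say "blocks", since the type is a list.

```hcl
variable "additional_cidrs" {
  description = "Additional CIDR blocks allowed to reach the RDS Postgres instance on TCP 5432. Must be specific networks; 0.0.0.0/0 is rejected."
  type        = list(string)
  default     = []

  validation {
    condition = (
      !contains(var.additional_cidrs, "0.0.0.0/0") &&
      alltrue([for c in var.additional_cidrs : can(cidrhost(c, 0))])
    )
    error_message = "The additional_cidrs list must contain valid CIDR blocks and must not include 0.0.0.0/0."
  }
}
```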
diff --git a/modules/rds-postgres-sg/variables.tf b/modules/rds-postgres-sg/variables.tf index 02cdc4c..9a68a39 100644 --- a/modules/rds-postgres-sg/variables.tf +++ b/modules/rds-postgres-sg/variables.tf @@ -10,7 +10,7 @@ variable "tamr_vm_sg_id" { } variable "spark_cluster_sg_ids" { - description = "Security group is attached to the ec2 instances of EMR Spark" + description = "List of Security groups attached to the ec2 instances of EMR Spark" type = list(string) }