fix: use new VPC in docdb

terraform/README.md

@@ -18,15 +18,13 @@ Now you can apply the changes:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
-| <a name="requirement_assert"></a> [assert](#requirement\_assert) | ~> 0.0.1 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.27 |
 | <a name="requirement_grafana"></a> [grafana](#requirement\_grafana) | ~> 1.24 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_assert"></a> [assert](#provider\_assert) | ~> 0.0.1 |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.27 |
 
 ## Modules
@@ -35,25 +33,23 @@ Now you can apply the changes:
 |------|--------|---------|
 | <a name="module_dns"></a> [dns](#module\_dns) | github.com/WalletConnect/terraform-modules/modules/dns | n/a |
 | <a name="module_ecs"></a> [ecs](#module\_ecs) | ./ecs | n/a |
-| <a name="module_keystore-docdb"></a> [keystore-docdb](#module\_keystore-docdb) | ./docdb | n/a |
+| <a name="module_keystore"></a> [keystore](#module\_keystore) | ./doc_db | n/a |
 | <a name="module_o11y"></a> [o11y](#module\_o11y) | ./monitoring | n/a |
 | <a name="module_tags"></a> [tags](#module\_tags) | github.com/WalletConnect/terraform-modules/modules/tags | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.0.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_prometheus_workspace.prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace) | resource |
-| [assert_test.workspace](https://registry.terraform.io/providers/bwoznicki/assert/latest/docs/data-sources/test) | data source |
 | [aws_ecr_repository.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source |
-| [aws_subnets.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_subnets.public_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_azs"></a> [azs](#input\_azs) | AWS availability zones to deploy to | `list(string)` | <pre>[<br>  "eu-central-1a",<br>  "eu-central-1b",<br>  "eu-central-1c"<br>]</pre> | no |
 | <a name="input_grafana_endpoint"></a> [grafana\_endpoint](#input\_grafana\_endpoint) | The endpoint of the Grafana instance | `string` | n/a | yes |
 | <a name="input_image_version"></a> [image\_version](#input\_image\_version) | The version of the image to deploy | `string` | n/a | yes |
 | <a name="input_keystore_docdb_primary_instance_class"></a> [keystore\_docdb\_primary\_instance\_class](#input\_keystore\_docdb\_primary\_instance\_class) | The instance class of the primary docdb instances | `string` | n/a | yes |

terraform/docdb/README.md → terraform/doc_db/README.md

@@ -20,23 +20,21 @@ Creates a DocumentDB cluster with auto-scaled read replicas.
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_docdb-autoscaling"></a> [docdb-autoscaling](#module\_docdb-autoscaling) | github.com/theuves/docdb-autoscaling | 06de20e170853b515cc6ae986ceb5941f7b34f5e |
+No modules.
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_docdb_cluster.docdb_primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster) | resource |
+| [aws_docdb_cluster.docdb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster) | resource |
 | [aws_docdb_cluster_instance.docdb_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster_instance) | resource |
 | [aws_docdb_cluster_instance.docdb_replica_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster_instance) | resource |
 | [aws_docdb_subnet_group.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_subnet_group) | resource |
-| [aws_kms_key.docdb_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_secretsmanager_secret.master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_version.master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_security_group.service_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [random_password.master_password](https://registry.terraform.io/providers/hashicorp/random/3.4.3/docs/resources/password) | resource |
+| [aws_kms_key.docdb_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 
 ## Inputs
 

terraform/doc_db/autoscaling.tf

@@ -0,0 +1,19 @@
+#tfsec:ignore:aws-lambda-enable-tracing
+#tfsec:ignore:aws-sns-enable-topic-encryption
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+#module "docdb-autoscaling" {
+#  source             = "github.com/theuves/docdb-autoscaling?ref=06de20e170853b515cc6ae986ceb5941f7b34f5e"
+#  cluster_identifier = aws_docdb_cluster.docdb_primary.id
+#  name               = "${var.environment}-${var.app_name}-docdb-autoscaling"
+#  min_capacity       = 0
+#  max_capacity       = 6
+#
+#  scaling_policy = [
+#    {
+#      metric_name = "CPUUtilization"
+#      target      = 80
+#      statistic   = "Average"
+#      cooldown    = 300
+#    }
+#  ]
+#}

terraform/docdb/main.tf → terraform/doc_db/main.tf

@@ -1,6 +1,5 @@
 locals {
-  name_prefix     = replace("${var.environment}-${var.app_name}-${var.mongo_name}", "_", "-")
-  master_password = aws_secretsmanager_secret_version.master_password.secret_string
+  name_prefix = replace("${var.environment}-${var.app_name}-${var.mongo_name}", "_", "-")
 }
 
 resource "random_password" "master_password" {
@@ -18,19 +17,21 @@ resource "aws_secretsmanager_secret_version" "master_password" {
   secret_string = random_password.master_password.result
 }
 
-resource "aws_kms_key" "docdb_encryption" {
-  enable_key_rotation = true
+data "aws_kms_key" "docdb_encryption" {
+  key_id = "alias/aws/rds"
 }
 
-resource "aws_docdb_cluster" "docdb_primary" {
-  cluster_identifier              = "${local.name_prefix}-primary-cluster"
+resource "aws_docdb_cluster" "docdb" {
+  #  cluster_identifier              = "${local.name_prefix}-primary-cluster"
+  cluster_identifier              = "prod-keyserver-keystore-primary-cluster"
   master_username                 = "keyserver"
-  master_password                 = local.master_password
+  master_password                 = aws_secretsmanager_secret_version.master_password.secret_string
   port                            = 27017
   db_subnet_group_name            = aws_docdb_subnet_group.private_subnets.name
   storage_encrypted               = true
-  kms_key_id                      = aws_kms_key.docdb_encryption.arn
+  kms_key_id                      = data.aws_kms_key.docdb_encryption.arn
   enabled_cloudwatch_logs_exports = ["audit"]
+  deletion_protection             = true
 
   vpc_security_group_ids = [
     aws_security_group.service_security_group.id
@@ -42,7 +43,7 @@ resource "aws_docdb_cluster" "docdb_primary" {
 resource "aws_docdb_cluster_instance" "docdb_instances" {
   count              = var.primary_instances
   identifier         = "${local.name_prefix}-primary-instance-${count.index}"
-  cluster_identifier = aws_docdb_cluster.docdb_primary.id
+  cluster_identifier = aws_docdb_cluster.docdb.id
   instance_class     = var.primary_instance_class
   promotion_tier     = 0
 }
@@ -51,19 +52,19 @@ resource "aws_docdb_cluster_instance" "docdb_instances" {
 resource "aws_docdb_cluster_instance" "docdb_replica_instances" {
   count              = var.replica_instances
   identifier         = "${local.name_prefix}-replica-instance-${count.index}"
-  cluster_identifier = aws_docdb_cluster.docdb_primary.id
+  cluster_identifier = aws_docdb_cluster.docdb.id
   instance_class     = var.replica_instance_class
   promotion_tier     = 1
 }
 
-
 resource "aws_docdb_subnet_group" "private_subnets" {
-  name       = "${local.name_prefix}-private-subnet-group"
+  #  name       = "${local.name_prefix}-private-subnet-group"
+  name       = "prod-keyserver-remove-me-keystore-docdb-private-subnet-group"
   subnet_ids = var.private_subnet_ids
 }
 
 resource "aws_security_group" "service_security_group" {
-  name        = "${local.name_prefix}-service"
+  name        = local.name_prefix
   description = "Allow ingress from the application"
   vpc_id      = var.vpc_id
 

terraform/doc_db/outputs.tf

@@ -0,0 +1,29 @@
+output "endpoint" {
+  description = "The connection endpoint"
+  value       = aws_docdb_cluster.docdb.endpoint
+}
+
+output "username" {
+  description = "The master username"
+  value       = aws_docdb_cluster.docdb.master_username
+}
+
+output "password" {
+  description = "The master password"
+  value       = aws_docdb_cluster.docdb.master_password
+}
+
+output "port" {
+  description = "The connection port"
+  value       = aws_docdb_cluster.docdb.port
+}
+
+output "connection_url" {
+  description = "The connection url"
+  value       = "mongodb://${aws_docdb_cluster.docdb.master_username}:${aws_docdb_cluster.docdb.master_password}@${aws_docdb_cluster.docdb.endpoint}:${aws_docdb_cluster.docdb.port}/${var.default_database}?tls=true&tlsCaFile=rds-combined-ca-bundle.pem&tlsAllowInvalidCertificates=true&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false&minPoolSize=32&maxPoolSize=256&maxIdleTimeMS=30000&connectTimeoutMS=30000"
+}
+
+output "cluster_id" {
+  description = "The cluster identifier"
+  value       = aws_docdb_cluster.docdb.cluster_identifier
+}

terraform/main.tf

@@ -50,7 +50,6 @@ module "vpc" {
   one_nat_gateway_per_az = false
 }
 
-
 # ECS Cluster, Task, Service, and Load Balancer for our app
 module "ecs" {
   source = "./ecs"
@@ -70,11 +69,12 @@ module "ecs" {
   private_subnet_ids          = module.vpc.private_subnets
   allowed_ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
 
-  persistent_keystore_mongo_addr = module.keystore_docdb.connection_url
+  persistent_keystore_mongo_addr = module.keystore.connection_url
 }
 
-module "keystore_docdb" {
-  source = "./docdb"
+
+module "keystore" {
+  source = "./doc_db"
 
   app_name                    = local.app_name
   mongo_name                  = "keystore-docdb"
@@ -98,7 +98,7 @@ module "o11y" {
   ecs_service_name        = module.ecs.service_name
   target_group            = module.ecs.target_group_arn
   load_balancer           = module.ecs.load_balancer_arn_suffix
-  docdb_cluster_id        = module.keystore_docdb.cluster_id
+  docdb_cluster_id        = module.keystore.cluster_id
 }
 
 resource "aws_prometheus_workspace" "prometheus" {