Import RDS module from cg-provision

We need to make changes to this module, and doing so in cg-provision affects all RDS instances in our system. Better to duplicate here to reduce the blast radius.
cloud-gov · Feb 21, 2020 · a4a0e56 · a4a0e56
1 parent c49ad76
commit a4a0e56
Show file tree

Hide file tree

Showing 7 changed files with 205 additions and 3 deletions.
diff --git a/ci/terraform/rds-internal.tf b/ci/terraform/rds-internal.tf
@@ -1,5 +1,5 @@
 module "rds_internal" {
-    source = "git::https://github.com/18F/cg-provision//terraform/modules/rds"
+    source = "rds_module"
     stack_description = "${var.stack_description}"
     rds_subnet_group = "${data.terraform_remote_state.vpc.rds_subnet_group}"
     /* TODO: Use database instance type from config */

diff --git a/ci/terraform/rds-shared-mysql.tf b/ci/terraform/rds-shared-mysql.tf
@@ -1,5 +1,5 @@
 module "rds_shared_mysql" {
-    source = "git::https://github.com/18F/cg-provision//terraform/modules/rds"
+    source = "rds_module"
     stack_description = "${var.stack_description}"
     rds_subnet_group = "${data.terraform_remote_state.vpc.rds_subnet_group}"
     /* TODO: Use database instance type from config */

diff --git a/ci/terraform/rds-shared-postgres.tf b/ci/terraform/rds-shared-postgres.tf
@@ -1,5 +1,5 @@
 module "rds_shared_postgres" {
-    source = "git::https://github.com/18F/cg-provision//terraform/modules/rds"
+    source = "rds_module"
     stack_description = "${var.stack_description}"
     rds_subnet_group = "${data.terraform_remote_state.vpc.rds_subnet_group}"
     /* TODO: Use database instance type from config */

diff --git a/ci/terraform/rds_module/database.tf b/ci/terraform/rds_module/database.tf
@@ -0,0 +1,42 @@
+resource "aws_db_instance" "rds_database" {
+  engine               = "${var.rds_db_engine}"
+  engine_version       = "${var.rds_db_engine_version}"
+
+  multi_az = "${var.rds_multi_az}"
+
+  lifecycle {
+    ignore_changes = ["identifier"]
+    prevent_destroy = true
+  }
+  identifier = "${var.stack_description}-${element(split("-", uuid()),4)}"
+  final_snapshot_identifier = "${var.rds_final_snapshot_identifier == "" ?
+    "final-snapshot-${var.rds_db_name}-${var.stack_description}" :
+    var.rds_final_snapshot_identifier}"
+
+  backup_retention_period = 35
+
+  auto_minor_version_upgrade = true
+
+  name = "${var.rds_db_name}"
+  allocated_storage = "${var.rds_db_size}"
+  storage_type = "${var.rds_db_storage_type}"
+  iops = "${var.rds_db_iops}"
+  instance_class = "${var.rds_instance_type}"
+
+  username = "${var.rds_username}"
+  password = "${var.rds_password}"
+
+  storage_encrypted = true
+
+  db_subnet_group_name = "${var.rds_subnet_group}"
+  vpc_security_group_ids = ["${var.rds_security_groups}"]
+  parameter_group_name = "${var.rds_db_engine == "postgres" ?
+    "${join("", aws_db_parameter_group.parameter_group_postgres.*.id)}" :
+    "${join("", aws_db_parameter_group.parameter_group_mysql.*.id)}"}"
+
+  allow_major_version_upgrade = "${var.allow_major_version_upgrade}"
+  apply_immediately = "${var.apply_immediately}"
+  tags {
+    Name = "${var.stack_description}"
+  }
+}
diff --git a/ci/terraform/rds_module/outputs.tf b/ci/terraform/rds_module/outputs.tf
@@ -0,0 +1,31 @@
+output "rds_identifier" {
+  value = "${aws_db_instance.rds_database.identifier}"
+}
+
+output "rds_name" {
+  value = "${aws_db_instance.rds_database.name}"
+}
+
+output "rds_url" {
+  value = "${aws_db_instance.rds_database.endpoint}"
+}
+
+output "rds_host" {
+  value = "${aws_db_instance.rds_database.address}"
+}
+
+output "rds_port" {
+  value = "${aws_db_instance.rds_database.port}"
+}
+
+output "rds_username" {
+  value = "${aws_db_instance.rds_database.username}"
+}
+
+output "rds_password" {
+  value = "${aws_db_instance.rds_database.password}"
+}
+
+output "rds_engine" {
+  value = "${aws_db_instance.rds_database.engine}"
+}
diff --git a/ci/terraform/rds_module/parameter_group.tf b/ci/terraform/rds_module/parameter_group.tf
@@ -0,0 +1,49 @@
+resource "aws_db_parameter_group" "parameter_group_postgres" {
+  count = "${var.rds_db_engine == "postgres" ? 1 : 0}"
+  name = "${var.rds_parameter_group_name != "" ?
+    var.rds_parameter_group_name :
+    "${replace("${var.stack_description}-${var.rds_db_name}", "/[^a-zA-Z-]+/", "-")}"}"
+  family = "${var.rds_parameter_group_family}"
+
+  parameter {
+    name  = "log_connections"
+    value = "1"
+  }
+
+  parameter {
+    name  = "log_disconnections"
+    value = "1"
+  }
+
+  parameter {
+    name  = "log_hostname"
+    value = "0"
+  }
+
+  parameter {
+    name  = "log_statement"
+    value = "ddl"
+  }
+
+  parameter {
+    name = "rds.force_ssl"
+    value = "${var.rds_force_ssl}"
+    apply_method = "pending-reboot"
+  }
+}
+
+resource "aws_db_parameter_group" "parameter_group_mysql" {
+  count = "${var.rds_db_engine == "mysql" ? 1 : 0}"
+  name = "${var.rds_parameter_group_name != "" ?
+    var.rds_parameter_group_name :
+    "${replace("${var.stack_description}-${var.rds_db_name}", "/[^a-zA-Z-]+/", "-")}"}"
+  family = "${var.rds_parameter_group_family}"
+  parameter {
+    name = "general_log"
+    value = 1
+  }
+  parameter {
+    name = "log_output"
+    value = "FILE"
+  }
+}
diff --git a/ci/terraform/rds_module/variables.tf b/ci/terraform/rds_module/variables.tf
@@ -0,0 +1,80 @@
+variable "stack_description" {}
+
+variable "rds_instance_type" {
+  default = "db.m4.large"
+}
+
+variable "rds_db_size" {
+  default = 20
+}
+
+variable "rds_db_storage_type" {
+  default = "gp2"
+}
+
+variable "rds_db_iops" {
+  default = 0
+}
+
+variable "rds_db_name" {}
+
+variable "rds_db_engine" {
+  default = "postgres"
+}
+
+variable "rds_db_engine_version" {
+  default = "9.6.15"
+}
+
+variable "rds_username" {}
+
+variable "rds_password" {}
+
+variable "rds_subnet_group" {}
+
+variable "rds_security_groups" {
+  type = "list"
+}
+
+variable "rds_force_ssl" {
+  default = 0
+}
+
+variable "rds_parameter_group_name" {
+  default = ""
+}
+
+variable "rds_parameter_group_family" {
+  default = "postgres9.6"
+}
+
+variable "rds_multi_az" {
+  default = "true"
+}
+
+variable "rds_final_snapshot_identifier" {
+  default = ""
+}
+
+# Used in combination, these two flags allow for immediate upgrade of RDS
+# instances across major versions. They should be used temporarily:
+#
+# 1. Set both to `true` and apply the configuration.
+# 1. Upgrade the DB version and apply.
+# 1. Set both to `false` and apply a third time.
+#
+# Also, please be cautious when upgrading, and follow the documented best
+# practices:
+#
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.PostgreSQL.html#USER_UpgradeDBInstance.PostgreSQL.MajorVersion.Process
+# https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/
+#
+variable "apply_immediately" {
+  # Even though the documentation says these default to "false", `terraform
+  # plan` shows otherwise.
+  default = ""
+}
+
+variable "allow_major_version_upgrade" {
+  default = ""
+}