locals {
  # Amazon RDS certificate authority that signs this instance's server
  # certificate. Clients that verify the server cert (sslmode=verify-ca /
  # verify-full) must trust this CA bundle, so a rotation is a deliberate,
  # one-line change here rather than a scattered edit.
  ca_cert_identifier = "rds-ca-rsa2048-g1"
}
resource "aws_db_instance" "this" {
  #bridgecrew:skip=CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
  # Multi-AZ is selected per deployment through var.high_availability rather
  # than forced on, which is why the checkov finding above is suppressed.

  # --- identity and placement ---
  identifier           = local.resource_name
  engine               = "postgres"
  engine_version       = var.postgres_version
  instance_class       = var.instance_class
  multi_az             = var.high_availability
  db_subnet_group_name = aws_db_subnet_group.this.name
  parameter_group_name = aws_db_parameter_group.this.name
  port                 = local.port

  # --- network exposure ---
  # When enable_public_access is true the instance gets a public endpoint and
  # the subnet group places it in public subnets; the attached security group
  # is then the only network-level control on who can reach the port.
  publicly_accessible    = var.enable_public_access
  vpc_security_group_ids = [aws_security_group.this.id]

  # --- storage ---
  # Encrypted at rest. No kms_key_id is set, so the AWS-managed RDS key is
  # used; supply a customer-managed key here if key policy control is needed.
  storage_encrypted     = true
  storage_type          = "gp2"
  allocated_storage     = var.allocated_storage
  max_allocated_storage = var.max_allocated_storage

  # --- authentication and transport ---
  # IAM database authentication is on in addition to the master password.
  # The master password is generated by random_password and therefore lives
  # in Terraform state in plaintext; the state backend must be protected
  # accordingly. The username is derived from the workspace block ref with
  # "-" replaced, since Postgres role names cannot contain hyphens unquoted.
  iam_database_authentication_enabled = true
  username                            = replace(data.ns_workspace.this.block_ref, "-", "_")
  password                            = random_password.this.result
  ca_cert_identifier                  = local.ca_cert_identifier

  # --- version upgrades ---
  # apply_immediately means a change to postgres_version, including a major
  # upgrade, is applied right away rather than in the maintenance window.
  allow_major_version_upgrade = true
  auto_minor_version_upgrade  = true
  apply_immediately           = true

  # --- backups and snapshots ---
  # The final snapshot name embeds the launch timestamp so repeated
  # create/destroy cycles never collide on an existing snapshot name; the
  # generated value is ignored on later plans so it cannot force replacement.
  # deletion_protection is not set (provider default false), so removing this
  # resource destroys the instance after the final snapshot is taken.
  final_snapshot_identifier = "${local.resource_name}-${replace(timestamp(), ":", "-")}"
  backup_retention_period   = var.backup_retention_period
  backup_window             = "02:00-03:00"

  # --- observability ---
  # Log exports are declared after the log groups in depends_on so the groups
  # exist before RDS starts writing; enhanced monitoring uses the role below.
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
  monitoring_interval             = 5
  monitoring_role_arn             = aws_iam_role.monitoring.arn

  tags = local.tags

  lifecycle {
    # username is derived from workspace data and the snapshot name from
    # timestamp(); neither should produce a diff after the first apply.
    ignore_changes = [username, final_snapshot_identifier]
  }

  depends_on = [aws_cloudwatch_log_group.this, aws_cloudwatch_log_group.upgrade]
}
resource "aws_db_subnet_group" "this" {
  # Subnet placement follows the same switch as publicly_accessible on the
  # instance: public subnets only when public access is explicitly enabled,
  # private subnets otherwise.
  name        = local.resource_name
  description = "Postgres db subnet group for postgres cluster"
  subnet_ids  = var.enable_public_access ? local.public_subnet_ids : local.private_subnet_ids
  tags        = local.tags
}
resource "aws_iam_role" "monitoring" {
  # Role assumed by the RDS enhanced-monitoring service; the trust policy is
  # scoped to this instance in data.aws_iam_policy_document.monitoring_assume.
  name               = "${local.resource_name}-monitoring"
  assume_role_policy = data.aws_iam_policy_document.monitoring_assume.json
  tags               = local.tags
}
data "aws_iam_policy_document" "monitoring_assume" {
  # Trust policy for the enhanced-monitoring role. Only the RDS monitoring
  # service principal may assume it, and only on behalf of this account and
  # this specific DB instance (confused-deputy mitigation).
  # See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.Enabling.html#USER_Monitoring.OS.confused-deputy
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }

    # Pin the calling account first, then the exact instance ARN.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    # The ARN pattern contains no wildcard, so StringLike here behaves as an
    # exact match. The db name must stay in step with the instance's
    # `identifier` (local.resource_name) or monitoring will fail to assume.
    condition {
      test     = "StringLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.current.account_id}:db:${local.resource_name}"]
    }
  }
}
resource "aws_iam_role_policy_attachment" "monitoring" {
  # AWS-managed policy granting the monitoring role write access to the
  # CloudWatch Logs it needs for enhanced monitoring; no inline policy is
  # attached, so the role's permissions are exactly this managed policy.
  role       = aws_iam_role.monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}