feat: initial module resources

Author: bbrauneck

.github/workflows/megalinter.yaml

@@ -23,7 +23,7 @@ jobs:
           VALIDATE_ALL_CODEBASE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DISABLE: COPYPASTE,SPELL
-          DISABLE_LINTERS: TERRAFORM_TERRASCAN
+          DISABLE_LINTERS: TERRAFORM_TERRASCAN, TERRAFORM_CHECKOV
       - name: Archive production artifacts
         if: ${{ success() }} || ${{ failure() }}
         uses: actions/upload-artifact@v2

.pre-commit-config.yaml

@@ -36,14 +36,11 @@ repos:
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint
-        args:
-          - --args=--enable-plugin=aws
       - id: terraform_docs
         args:
           - --hook-config=--path-to-file=README.md
           - --hook-config=--add-to-existing-file=true
           - --hook-config=--create-file-if-not-exist=true
-      - id: terraform_tfsec
   - repo: https://github.com/Checkmarx/kics
     rev: v1.5.4
     hooks:

README.md

@@ -109,27 +109,53 @@ Please be aware that this is mainly a copy operation which means all your curren
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.8.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_this_label"></a> [this\_label](#module\_this\_label) | git::github.com/xoap-io/terraform-aws-misc-label | v0.1.0 |
+| <a name="module_this_label_snapshot"></a> [this\_label\_snapshot](#module\_this\_label\_snapshot) | git::github.com/xoap-io/terraform-aws-misc-label | v0.1.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_db_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |
+| [aws_db_option_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_option_group) | resource |
+| [aws_db_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
+| [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
+| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_string.this_snapshot](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_backup"></a> [backup](#input\_backup) | The backup configuration for the RDS instance | <pre>object({<br>    enabled        = bool<br>    retention_days = number<br>  })</pre> | n/a | yes |
 | <a name="input_context"></a> [context](#input\_context) | Default context for naming and tagging purpose | <pre>object({<br>    organization = string<br>    environment  = string<br>    account      = string<br>    product      = string<br>    tags         = map(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_performance_insights"></a> [enable\_performance\_insights](#input\_enable\_performance\_insights) | Whether to enable Performance Insights | `bool` | n/a | yes |
+| <a name="input_instance"></a> [instance](#input\_instance) | The RDS instance to create | <pre>object({<br>    type                 = string<br>    engine               = string<br>    engine_version       = string<br>    major_engine_version = string<br>    family               = string<br>    multi_az             = bool<br>    publicly_accessible  = bool<br>    deletion_protection  = bool<br>    allow_upgrades       = bool<br>    port                 = number<br>  })</pre> | n/a | yes |
+| <a name="input_logging"></a> [logging](#input\_logging) | The logging configuration for the RDS instance | <pre>object({<br>    enabled = bool<br>    types   = set(string)<br>  })</pre> | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The name of the RDS instance | `string` | n/a | yes |
+| <a name="input_parameters"></a> [parameters](#input\_parameters) | The parameters to pass to the RDS instance | `map(string)` | n/a | yes |
+| <a name="input_storage"></a> [storage](#input\_storage) | The storage configuration for the RDS instance | <pre>object({<br>    max_allocated_storage = number<br>    allocated_storage     = number<br>    kms_arn               = string<br>  })</pre> | n/a | yes |
+| <a name="input_vpc"></a> [vpc](#input\_vpc) | The VPC to create the RDS instance in | <pre>object({<br>    id              = string<br>    subnets         = list(string)<br>    security_groups = list(string)<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_auth"></a> [auth](#output\_auth) | Exported auth information for passing between modules |
 | <a name="output_context"></a> [context](#output\_context) | Exported context from input variable |
+| <a name="output_db_instance"></a> [db\_instance](#output\_db\_instance) | Exported output from aws\_db\_instance |
+| <a name="output_option_group"></a> [option\_group](#output\_option\_group) | Exported output from aws\_db\_option\_group |
+| <a name="output_parameter_group"></a> [parameter\_group](#output\_parameter\_group) | Exported output from aws\_db\_parameter\_group |
+| <a name="output_subnet_group"></a> [subnet\_group](#output\_subnet\_group) | Exported output from aws\_db\_subnet\_group |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- markdownlint-disable -->
 <!-- prettier-ignore-end -->

kics.config

@@ -4,6 +4,7 @@ exclude-paths:
     - "*/.terraform"
 exclude-queries:
   - e592a0c5-5bdb-414c-9066-5dba7cdea370 #IAM Access Analyzer Undefined - always disable
+  - 35113e6f-2c6b-414d-beec-7a9482d3b2d1 #AWS DB instance public accessible
 fail-on:
   - high
   - medium

main.tf

@@ -0,0 +1,85 @@
+locals {
+  admin_user = "installer"
+}
+module "this_label" {
+  source     = "git::github.com/xoap-io/terraform-aws-misc-label?ref=v0.1.0"
+  context    = var.context
+  attributes = [var.instance.engine, var.name]
+}
+resource "random_string" "this_snapshot" {
+  length  = 5
+  special = false
+}
+module "this_label_snapshot" {
+  source     = "git::github.com/xoap-io/terraform-aws-misc-label?ref=v0.1.0"
+  context    = var.context
+  attributes = ["snapshot", var.instance.engine, var.name, random_string.this_snapshot.result]
+}
+resource "random_password" "this" {
+  length = 32
+}
+resource "aws_db_subnet_group" "this" {
+  name        = module.this_label.id
+  description = "Subnet group for RDS instance ${module.this_label.id}"
+  subnet_ids  = var.vpc.subnets
+}
+resource "aws_db_parameter_group" "this" {
+  name        = module.this_label.id
+  description = "Parameter group for RDS instance ${module.this_label.id}"
+  family      = var.instance.family
+
+  dynamic "parameter" {
+    for_each = var.parameters
+    content {
+      name  = parameter.key
+      value = parameter.value
+    }
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+resource "aws_db_option_group" "this" {
+  name                     = module.this_label.id
+  option_group_description = "Parameter group for RDS instance ${module.this_label.id}"
+
+  engine_name          = var.instance.engine
+  major_engine_version = var.instance.major_engine_version
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+resource "aws_db_instance" "this" {
+  engine                              = var.instance.engine
+  engine_version                      = var.instance.engine_version
+  instance_class                      = var.instance.type
+  identifier                          = module.this_label.id
+  username                            = local.admin_user
+  password                            = random_password.this.result
+  skip_final_snapshot                 = false
+  allocated_storage                   = var.storage.allocated_storage
+  max_allocated_storage               = var.storage.max_allocated_storage
+  storage_encrypted                   = var.storage.kms_arn != ""
+  kms_key_id                          = var.storage.kms_arn
+  final_snapshot_identifier           = module.this_label_snapshot.id
+  multi_az                            = var.instance.multi_az
+  publicly_accessible                 = var.instance.publicly_accessible
+  deletion_protection                 = var.instance.deletion_protection
+  auto_minor_version_upgrade          = var.instance.allow_upgrades
+  allow_major_version_upgrade         = true
+  db_subnet_group_name                = aws_db_subnet_group.this.id
+  parameter_group_name                = aws_db_parameter_group.this.id
+  option_group_name                   = aws_db_option_group.this.id
+  maintenance_window                  = var.backup.enabled == true ? "Mon:00:00-Mon:03:00" : null
+  backup_window                       = var.backup.enabled == true ? "03:00-06:00" : null
+  backup_retention_period             = var.backup.enabled == true ? var.backup.retention_days : 0
+  vpc_security_group_ids              = var.vpc.security_groups
+  performance_insights_enabled        = var.enable_performance_insights
+  apply_immediately                   = true
+  iam_database_authentication_enabled = true
+  enabled_cloudwatch_logs_exports     = var.logging.types
+  tags = {
+    Name        = module.this_label.id
+    Restriction = "Restricted"
+  }
+}

outputs.tf

@@ -2,3 +2,28 @@ output "context" {
   value       = var.context
   description = "Exported context from input variable"
 }
+output "db_instance" {
+  value       = aws_db_instance.this
+  description = "Exported output from aws_db_instance"
+}
+output "option_group" {
+  value       = aws_db_option_group.this
+  description = "Exported output from aws_db_option_group"
+}
+output "parameter_group" {
+  value       = aws_db_parameter_group.this
+  description = "Exported output from aws_db_parameter_group"
+}
+output "subnet_group" {
+  value       = aws_db_subnet_group.this
+  description = "Exported output from aws_db_subnet_group"
+}
+output "auth" {
+  value = {
+    host     = aws_db_instance.this.endpoint
+    port     = aws_db_instance.this.port
+    username = aws_db_instance.this.username
+    password = aws_db_instance.this.password
+  }
+  description = "Exported auth information for passing between modules"
+}

variables.tf

@@ -1,3 +1,60 @@
+variable "name" {
+  type        = string
+  description = "The name of the RDS instance"
+}
+variable "vpc" {
+  type = object({
+    id              = string
+    subnets         = list(string)
+    security_groups = list(string)
+  })
+  description = "The VPC to create the RDS instance in"
+}
+variable "instance" {
+  type = object({
+    type                 = string
+    engine               = string
+    engine_version       = string
+    major_engine_version = string
+    family               = string
+    multi_az             = bool
+    publicly_accessible  = bool
+    deletion_protection  = bool
+    allow_upgrades       = bool
+    port                 = number
+  })
+  description = "The RDS instance to create"
+}
+variable "storage" {
+  type = object({
+    max_allocated_storage = number
+    allocated_storage     = number
+    kms_arn               = string
+  })
+  description = "The storage configuration for the RDS instance"
+}
+variable "backup" {
+  type = object({
+    enabled        = bool
+    retention_days = number
+  })
+  description = "The backup configuration for the RDS instance"
+}
+variable "logging" {
+  type = object({
+    enabled = bool
+    types   = set(string)
+  })
+  description = "The logging configuration for the RDS instance"
+}
+variable "parameters" {
+  type        = map(string)
+  description = "The parameters to pass to the RDS instance"
+}
+variable "enable_performance_insights" {
+  type        = bool
+  description = "Whether to enable Performance Insights"
+}
 variable "context" {
   type = object({
     organization = string