From 8d2c8c131b0270ee3ae0c0821cb7dd9e763999f2 Mon Sep 17 00:00:00 2001 
From: Nilesh Gadgi Date: Thu, 25 Jan 2024 15:28:26 +0530 Subject: [PATCH] =?UTF-8?q?Feat:=20=F0=9F=9A=80=20=20Pull=20from=20master?= =?UTF-8?q?=20branch=20and=20create=20new=20release.=20(#9)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [fix/docdb_structure]Fix: Removed the default security group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default security group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default security group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default security group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default security group created with document module and restructure the module. * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Feat:ignored the tfsec warning for kms key and update the security group with description * [fix/docdb_structure]Fix: Restructure and fix the documentDB terraform module. 
* feat: introduce certeficiate authority for cluster instance * feat: fixed tf checks * fix: ran terraform format * fix: add enable variable * fix: fixed lints * fix: fixed lints --------- Co-authored-by: Anmol Nagpal Co-authored-by: Anmol Nagpal --- README.md | 33 +++++++++++------- README.yaml | 33 +++++++++++------- example/basic/main.tf | 9 ++--- example/basic/variable.tf | 8 ++--- example/secured/main.tf | 68 +++++++++++++++++-------------------- example/secured/variable.tf | 16 ++++----- example/secured/versions.tf | 2 +- main.tf | 68 +++++++++++++++++++------------------ outputs.tf | 10 +++--- variables.tf | 63 +++++++++++++++++----------------- versions.tf | 4 +++ 11 files changed, 167 insertions(+), 147 deletions(-) diff --git a/README.md b/README.md index 1b97771..9cd9468 100644 --- a/README.md +++ b/README.md @@ -84,8 +84,10 @@ module "documentdb" { database_name = "rds" environment = "test" label_order = ["environment", "name"] - master_password = "test123456" + master_username = "db-user" + master_password = "gfbaJpP00W0m413Bc1fe" instance_class = "db.t3.medium" + cluster_family = "docdb5.0" cluster_size = 1 } 
@@ -94,17 +96,24 @@ module "documentdb" { ```hcl module "documentdb" { source = "clouddrove/terraform-aws-documentdb/aws" - vpc_id = module.vpc.vpc_id - subnet_list = module.subnets.private_subnet_id - database_name = "rds" - environment = "test" - label_order = ["environment", "name"] - skip_final_snapshot = false - storage_encrypted = true - kms_key_id = module.kms_key.key_arn - tls_enabled = true - instance_class = "db.t3.medium" - cluster_size = 1 + name = "documentdb" + environment = "test" + label_order = ["environment", "name"] + vpc_id = module.vpc.vpc_id + subnet_list = module.subnets.private_subnet_id + vpc_security_group_ids = [module.security_group-documentdb.security_group_ids] + database_name = "test" + master_username = "db-user" + master_password = "QfbaJpP00W0m413Bw1fe" + skip_final_snapshot = false + storage_encrypted = true + kms_key_id = module.kms_key.key_arn + tls_enabled = true + instance_class = "db.t3.medium" + cluster_family = "docdb5.0" + cluster_size = 2 + deletion_protection = true + preferred_backup_window = "07:00-07:30" } ``` diff --git a/README.yaml b/README.yaml index 32e47b4..8dca6d5 100644 --- a/README.yaml +++ b/README.yaml @@ -50,8 +50,10 @@ usage: |- database_name = "rds" environment = "test" label_order = ["environment", "name"] - master_password = "test123456" + master_username = "db-user" + master_password = "gfbaJpP00W0m413Bc1fe" instance_class = "db.t3.medium" + cluster_family = "docdb5.0" cluster_size = 1 } 
@@ -60,17 +62,24 @@ usage: |- ```hcl module "documentdb" { source = "clouddrove/terraform-aws-documentdb/aws" - vpc_id = module.vpc.vpc_id - subnet_list = module.subnets.private_subnet_id - database_name = "rds" - environment = "test" - label_order = ["environment", "name"] - skip_final_snapshot = false - storage_encrypted = true - kms_key_id = module.kms_key.key_arn - tls_enabled = true - instance_class = "db.t3.medium" - cluster_size = 1 + name = "documentdb" + environment = "test" + label_order = ["environment", "name"] + vpc_id = module.vpc.vpc_id + subnet_list = module.subnets.private_subnet_id + vpc_security_group_ids = [module.security_group-documentdb.security_group_ids] + database_name = "test" + master_username = "db-user" + master_password = "QfbaJpP00W0m413Bw1fe" + skip_final_snapshot = false + storage_encrypted = true + kms_key_id = module.kms_key.key_arn + tls_enabled = true + instance_class = "db.t3.medium" + cluster_family = "docdb5.0" + cluster_size = 2 + deletion_protection = true + preferred_backup_window = "07:00-07:30" } ``` \ No newline at end of file diff --git a/example/basic/main.tf b/example/basic/main.tf index 958b081..26cdc8c 100644 --- a/example/basic/main.tf +++ b/example/basic/main.tf @@ -1,5 +1,5 @@ provider "aws" { - region = "eu-west-1" + region = "us-east-1" } module "vpc" { @@ -33,11 +33,12 @@ module "subnets" { module "documentdb" { source = "../../" - database_name = "rds" + enable = true environment = "test" - vpc_id = module.vpc.vpc_id - subnet_list = module.subnets.private_subnet_id label_order = ["environment", "name"] + subnet_list = module.subnets.private_subnet_id + database_name = "test-db" + master_username = "test" master_password = var.master_password instance_class = var.instance_class cluster_size = var.cluster_size diff --git a/example/basic/variable.tf b/example/basic/variable.tf index 8ac3140..7ca58be 100644 --- a/example/basic/variable.tf +++ b/example/basic/variable.tf 
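Review bot: In the `module "documentdb"` call of example/basic/main.tf, `vpc_id` is dropped but no `vpc_security_group_ids` is passed, and the module's new variable defaults to `null`; as far as I know the AWS provider then attaches the VPC's default security group, so the basic example now silently depends on whatever that group allows. Either pass an explicit group from a security-group module, as the secured example does, or make the assumption visible with a comment such as `# no vpc_security_group_ids: the module creates no security group, so the VPC default group applies`. `master_username = "test"` together with the committed password default in variable.tf deserves a `# example-only credentials` note so readers do not copy them. The `module "documentdb"` block continues past the end of this hunk.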
@@ -1,17 +1,17 @@ variable "master_password" { type = string - default = "test123456" - description = "" + default = "QfbaJpP00W0m413Bw1fe" + description = "Master password for documentDB." } variable "instance_class" { type = string default = "db.t3.medium" - description = "" + description = "Instance class for DocumentDB Cluster." } variable "cluster_size" { type = number default = 1 - description = "" + description = "cluster size of DocumentDB." } \ No newline at end of file diff --git a/example/secured/main.tf b/example/secured/main.tf index 5bd9f5c..e87ab78 100644 --- a/example/secured/main.tf +++ b/example/secured/main.tf @@ -1,6 +1,6 @@ provider "aws" { - region = "eu-west-1" + region = "us-east-1" } module "vpc" { @@ -19,7 +19,7 @@ module "subnets" { version = "2.0.1" name = "subnets" - environment = "sandbox" + environment = "test" label_order = ["environment", "name"] nat_gateway_enabled = true 
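Review bot: `default = "QfbaJpP00W0m413Bw1fe"` in example/basic/variable.tf commits a credential-shaped value to the repository, and the variable is not marked `sensitive`, so it is also echoed in plan output and will be copied by anyone who copies the example. The module already generates a password whenever it receives an empty string (`length(var.master_password) == 0` in main.tf), so the example can use `default = ""` with `sensitive = true` and let the random_password path run. If the intent is to demonstrate setting a password explicitly, an obvious placeholder such as `"CHANGE_ME"` with a comment is still preferable to a value that looks real.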
@@ -63,42 +63,38 @@ data "aws_iam_policy_document" "kms" { } -data "aws_iam_policy_document" "default" { - statement { - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - type = "Service" - identifiers = ["ec2.amazonaws.com"] - } - } -} +module "security_group-documentdb" { + source = "clouddrove/security-group/aws" + version = "1.3.0" + + name = "documentdb" + environment = "test" + protocol = "tcp" + label_order = ["environment", "name"] + vpc_id = module.vpc.vpc_id + allowed_ip = ["172.16.0.0/16"] + description = "Instance default security group" + allowed_ports = [27017] -data "aws_iam_policy_document" "iam-policy" { - statement { - actions = [ - "ssm:UpdateInstanceInformation", - "ssmmessages:CreateControlChannel", - "ssmmessages:CreateDataChannel", - "ssmmessages:OpenControlChannel", - "ssmmessages:OpenDataChannel"] - effect = "Allow" - resources = ["*"] - } } module "documentdb" { - source = "../../" - database_name = "rds" - environment = "test" - label_order = ["environment", "name"] - vpc_id = module.vpc.vpc_id - subnet_list = module.subnets.private_subnet_id - skip_final_snapshot = var.skip_final_snapshot - storage_encrypted = var.storage_encrypted - kms_key_id = module.kms_key.key_arn - tls_enabled = var.tls_enabled - instance_class = var.instance_class - cluster_size = var.cluster_size - deletion_protection = true + source = "../../" + enable = true + name = "documentdb" + environment = "test" + label_order = ["environment", "name"] + subnet_list = module.subnets.private_subnet_id + vpc_security_group_ids = [module.security_group-documentdb.security_group_ids] + database_name = "test" + skip_final_snapshot = var.skip_final_snapshot + storage_encrypted = var.storage_encrypted + kms_key_id = module.kms_key.key_arn + tls_enabled = var.tls_enabled + instance_class = var.instance_class + cluster_family = "docdb5.0" + cluster_size = var.cluster_size + deletion_protection = true + preferred_backup_window = "07:00-07:30" + ca_cert_identifier = 
"rds-ca-rsa2048-g1" } \ No newline at end of file diff --git a/example/secured/variable.tf b/example/secured/variable.tf index 51fa454..286ae13 100644 --- a/example/secured/variable.tf +++ b/example/secured/variable.tf @@ -1,29 +1,29 @@ variable "skip_final_snapshot" { type = bool + description = "Determines whether a final DB snapshot is created before the DB cluster is deleted." default = false - description = "" } variable "storage_encrypted" { type = bool + description = "Specifies whether the DB cluster is encrypted." default = true - description = "" } variable "tls_enabled" { type = bool default = true - description = "" + description = "When true than cluster using TLS for communication." } variable "instance_class" { type = string default = "db.t3.medium" - description = "" + description = "The instance class to use. For more details, see https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs ." } variable "cluster_size" { - type = number - default = 1 - description = "" -} + type = string + default = "1" + description = "Number of DB instances to create in the cluster" +} \ No newline at end of file diff --git a/example/secured/versions.tf b/example/secured/versions.tf index 7c8e3b6..02c0868 100644 --- a/example/secured/versions.tf +++ b/example/secured/versions.tf @@ -5,7 +5,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.31.0" + version = ">= 5.30" } } } diff --git a/main.tf b/main.tf index 327147f..8758d3a 100644 --- a/main.tf +++ b/main.tf 
@@ -1,10 +1,10 @@ -#Module : Label -#Description : This terraform module is designed to generate consistent label names and tags -# for resources. You can use terraform-labels to implement a strict naming -# convention. +##----------------------------------------------------------------------------- +## label Module. +##----------------------------------------------------------------------------- module "labels" { source = "clouddrove/labels/aws" version = "1.3.0" + enabled = var.enable name = var.name repository = var.repository environment = var.environment @@ -12,35 +12,22 @@ module "labels" { label_order = var.label_order } -#Module : DocumentDB -#Description : This terraform module is designed to create DocumentDB -resource "aws_security_group" "this" { - name = "security_group-allow_all_documentdb-${var.database_name}" - description = "Allow inbound traffic" - - vpc_id = var.vpc_id - - ingress { - from_port = var.port - to_port = var.port - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } -} +##----------------------------------------------------------------------------- +## Random password genrator +##----------------------------------------------------------------------------- resource "random_password" "master" { - count = length(var.master_password) == 0 ? 1 : 0 + count = var.enable && length(var.master_password) == 0 ? 1 : 0 length = 15 special = false } + +##----------------------------------------------------------------------------- +## AWS Document DB Cluster. +##----------------------------------------------------------------------------- + resource "aws_docdb_cluster" "this" { + count = var.enable ? 1 : 0 cluster_identifier = var.database_name master_username = var.master_username master_password = length(var.master_password) == 0 ? random_password.master[0].result : var.master_password 
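Review bot: `random_password.master` keeps `length = 15` and `special = false`, yet after this commit it is the only password source whenever `master_password` is empty, so a longer, mixed-character value is warranted. DocumentDB rejects `/`, `"` and `@` in the master password, so the safe form is `length = 20`, `special = true`, `override_special = "!#$%&*()-_=+[]{}<>:?"`. The generated value is stored in plain text in state, which the `master_password` variable description already says for the supplied case; repeating it in the section header (and fixing the `genrator` typo) as `## Random password generator (result is stored in plain text in Terraform state)` would make that visible to operators. The `aws_docdb_cluster` resource continues past the end of this hunk.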
@@ -51,35 +38,50 @@ resource "aws_docdb_cluster" "this" { apply_immediately = var.apply_immediately deletion_protection = var.deletion_protection storage_encrypted = var.storage_encrypted - kms_key_id = var.kms_key_id + kms_key_id = var.kms_key_id #tfsec:ignore:aws-documentdb-encryption-customer-key snapshot_identifier = var.snapshot_identifier - vpc_security_group_ids = [aws_security_group.this.id] - db_subnet_group_name = aws_docdb_subnet_group.this.name - db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.this.name + vpc_security_group_ids = var.vpc_security_group_ids + db_subnet_group_name = aws_docdb_subnet_group.this[0].name + db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.this[0].name engine = var.engine engine_version = var.engine_version enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports tags = module.labels.tags } +##----------------------------------------------------------------------------- +## AWS Document DB instance. +##----------------------------------------------------------------------------- + resource "aws_docdb_cluster_instance" "this" { - count = var.cluster_size + count = var.enable ? var.cluster_size : 0 identifier = "${var.database_name}-${count.index + 1}" - cluster_identifier = join("", aws_docdb_cluster.this.*.id) + cluster_identifier = aws_docdb_cluster.this[0].id apply_immediately = var.apply_immediately instance_class = var.instance_class tags = module.labels.tags engine = var.engine + ca_cert_identifier = var.ca_cert_identifier } +##----------------------------------------------------------------------------- +## AWS Document DB Subnet Group. +##----------------------------------------------------------------------------- + resource "aws_docdb_subnet_group" "this" { + count = var.enable ? 1 : 0 name = "subnet-group-${var.database_name}" description = "Allowed subnets for DB cluster instances." 
subnet_ids = var.subnet_list tags = module.labels.tags } +##----------------------------------------------------------------------------- +## AWS Document DB cluster parameter Group. +##----------------------------------------------------------------------------- + resource "aws_docdb_cluster_parameter_group" "this" { + count = var.enable ? 1 : 0 name = "parameter-group-${var.database_name}" description = "DB cluster parameter group." family = var.cluster_family diff --git a/outputs.tf b/outputs.tf index ce46185..b8b3caa 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,5 +1,5 @@ output "master_username" { - value = aws_docdb_cluster.this.*.master_username + value = try(aws_docdb_cluster.this[0].master_username, null) description = "Username for the master DB user." sensitive = true } @@ -11,21 +11,21 @@ output "master_password" { } output "cluster_name" { - value = aws_docdb_cluster.this.*.cluster_identifier + value = try(aws_docdb_cluster.this[0].cluster_identifier, null) description = "Cluster Identifier." } output "arn" { - value = aws_docdb_cluster.this.*.arn + value = try(aws_docdb_cluster.this[0].arn, null) description = "Amazon Resource Name (ARN) of the cluster." } output "writer_endpoint" { - value = aws_docdb_cluster.this.*.endpoint + value = try(aws_docdb_cluster.this[0].endpoint, null) description = "Endpoint of the DocumentDB cluster." } output "reader_endpoint" { - value = aws_docdb_cluster.this.*.reader_endpoint + value = try(aws_docdb_cluster.this[0].reader_endpoint, null) description = "A read-only endpoint of the DocumentDB cluster, automatically load-balanced across replicas." } \ No newline at end of file diff --git a/variables.tf b/variables.tf index d2dbc0b..f70f2a6 100644 --- a/variables.tf +++ b/variables.tf 
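Review bot: `#tfsec:ignore:aws-documentdb-encryption-customer-key` on the `kms_key_id` line silences the finding without recording why; the module accepts a customer key but does not require one, so the suppression hides that callers who leave `kms_key_id` unset get the AWS-managed key. Add a justification on the line above, e.g. `# Customer-managed KMS key is optional; pass kms_key_id to encrypt with a CMK (see example/secured)`, or drop the ignore and let the examples satisfy the check. `ca_cert_identifier = var.ca_cert_identifier` defaults to `null`, so instances get whichever CA AWS currently defaults to; given RDS CA rotation, a comment pointing at the secured example's `rds-ca-rsa2048-g1` would prevent surprises. The `aws_docdb_cluster` resource starts before this hunk and the `aws_docdb_cluster_parameter_group` resource continues after it.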
@@ -1,8 +1,6 @@ -variable "port" { - description = "Open port in sg for db communication." - type = number - default = 27017 -} +##----------------------------------------------------------------------------- +## AWS Document DB Variables. +##----------------------------------------------------------------------------- variable "master_password" { description = "(Required unless a snapshot_identifier is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file." @@ -34,21 +32,21 @@ variable "preferred_backup_window" { } variable "skip_final_snapshot" { - type = string + type = bool description = "Determines whether a final DB snapshot is created before the DB cluster is deleted." - default = "false" + default = false } variable "apply_immediately" { - type = string + type = bool description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window." - default = "true" + default = true } variable "storage_encrypted" { - type = string + type = bool description = "Specifies whether the DB cluster is encrypted." - default = "false" + default = true } variable "kms_key_id" { @@ -63,11 +61,6 @@ variable "snapshot_identifier" { description = "Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot." } -variable "vpc_id" { - description = "ID of the VPC to deploy database into." - type = string -} - variable "subnet_list" { description = "List of subnet IDs database instances should deploy into." type = list(string) @@ -76,7 +69,7 @@ variable "subnet_list" { variable "cluster_family" { type = string - default = "docdb4.0" + default = "docdb5.0" description = "The family of the DocumentDB cluster parameter group. For more details, see https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-parameter-group-create.html ." } 
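Review bot: Deleting `variable "vpc_id"` (and `port` in the first hunk of variables.tf) is a breaking interface change: every existing caller that passes `vpc_id = ...` now fails with an unsupported-argument error, while the commit message describes an ordinary release. Either retain the variable as a deprecated no-op with `description = "Deprecated: the module no longer creates a security group; pass vpc_security_group_ids instead."`, or call the break out explicitly in the README and release notes. The `subnet_list` variable continues past the end of this hunk.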
@@ -96,7 +89,7 @@ variable "engine_version" { variable "enabled_cloudwatch_logs_exports" { type = list(string) description = "List of log types to export to cloudwatch. The following log types are supported: audit, error, general, slowquery." - default = [] + default = ["audit", "audit", "profiler"] } variable "instance_class" { @@ -117,9 +110,27 @@ variable "tls_enabled" { description = "When true than cluster using TLS for communication." } +variable "vpc_security_group_ids" { + type = set(string) + default = null +} + +variable "ca_cert_identifier" { + type = string + default = null + description = "The identifier of the certificate authority (CA) certificate for the DB instance." +} + +##----------------------------------------------------------------------------- +## Labels variables +##----------------------------------------------------------------------------- + +variable "enable" { + type = bool + default = true + description = "Flag to control the documentDB creation." +} -#Module : LABEL -#Description : Terraform label module variables. variable "name" { type = string default = "" @@ -150,18 +161,6 @@ variable "managedby" { description = "ManagedBy, eg 'CloudDrove'" } -variable "attributes" { - type = list(any) - default = [] - description = "Additional attributes (e.g. `1`)." -} - -# variable "tags" { -# type = map(string) -# default = {} -# description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)." -# } - variable "deletion_protection" { type = bool default = null diff --git a/versions.tf b/versions.tf index 7c8e3b6..0219dd6 100644 --- a/versions.tf +++ b/versions.tf @@ -7,5 +7,9 @@ terraform { source = "hashicorp/aws" version = ">= 5.31.0" } + random = { + source = "hashicorp/random" + version = ">= 3.5.0" + } } }
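Review bot: The new default `["audit", "audit", "profiler"]` for `enabled_cloudwatch_logs_exports` lists `audit` twice; DocumentDB's exportable log types are `audit` and `profiler`, so it should read `default = ["audit", "profiler"]`. The description still names `error, general, slowquery`, which are RDS/Aurora log types — update it to `"List of log types to export to CloudWatch. DocumentDB supports: audit, profiler."`. Exporting these only yields data when the cluster parameter group enables `audit_logs` and `profiler`; the parameter group's parameters are not visible in this diff, so confirm they are set or the new default just creates empty log groups.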
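Review bot: `variable "vpc_security_group_ids"` has no `description`, and its `default = null` is the setting that matters most after this commit: the module no longer creates a security group, so a caller who omits it gets the VPC default group (AWS behaviour, not visible here). Add `description = "Security group IDs to attach to the cluster. The module creates no security group; leaving this null falls back to the VPC default group."`. The `enable` variable is placed under the `## Labels variables` header but gates every resource in main.tf, so it belongs under the DocumentDB header.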